NIS2 Enforcement Is Active — Are You Compliant?
NIS2 Compliance Guide 2026
Everything you need to understand your NIS2 obligations, assess your compliance, and avoid fines up to €10 million.
Free tools trusted by 2,400+ compliance officers across Europe.
Get NIS2 Compliant in 3 Steps
Our free tools walk you through the entire compliance journey — from determining scope to assessing risk.
1
Determine If You're in Scope
Use our free NIS2 Compliance Checker to find out if your organization is classified as an essential or important entity under the directive. Covers all 18 sectors.
2
Audit Your Current Compliance
Download our free 15-point NIS2 compliance checklist PDF. Covers risk management, incident reporting, security governance, supply chain security, and business continuity.
3
Assess Your Financial Risk
Calculate your potential cyber insurance costs and understand how NIS2 compliance affects your premiums. Get personalized estimates based on your risk profile.
NIS2 Compliance Requirements
The NIS2 Directive mandates four pillars of cybersecurity measures. Here's what your organization needs to implement.
Risk Management (Art. 21)
- Implement comprehensive information security policies and procedures
- Conduct regular cybersecurity risk assessments
- Establish incident handling and response procedures
- Maintain business continuity and crisis management plans
- Deploy multi-factor authentication and access controls
Incident Reporting (Art. 23)
- Early warning to CSIRT within 24 hours of significant incident
- Incident notification within 72 hours with initial assessment
- Final report within 1 month with root cause analysis
- Document cross-border impact and indicators of compromise
Governance & Training (Art. 20)
- Board-level accountability for cybersecurity measures
- Mandatory cybersecurity training for all staff
- Regular security audits and penetration testing
- Personal liability for management body non-compliance
Supply Chain Security (Art. 21.2.d)
- Assess third-party and supplier security practices
- Include cybersecurity clauses in vendor contracts
- Monitor supply chain vulnerabilities and patches
- Conduct regular supplier security audits
Full article references: Article 20 (Governance), Article 21 (Risk Management), Article 23 (Incident Reporting) of the NIS2 Directive (EU) 2022/2555.
NIS2 Non-Compliance Penalties
The cost of ignoring NIS2 is substantial. Fines are based on global turnover, not just EU revenue.
Essential Entities
Up to €10M or 2% of global turnover
Sectors:
Energy, Transport, Banking, Healthcare, Digital Infrastructure
Supervision:
Direct, proactive supervision by competent authorities
Important Entities
Up to €7M or 1.4% of global turnover
Sectors:
Postal, Waste, Chemicals, Food, Manufacturing, Digital Providers
Supervision:
Proportionate enforcement, ex-post supervision
NIS2 Timeline: Key Dates
January 2023
NIS2 Directive formally adopted by the EU
October 17, 2024
Transposition deadline — Member States must implement NIS2 into national law
2025
National implementations finalized across EU Member States. Enforcement begins.
2026
Full enforcement phase. Compliance audits, penalties for non-compliant organizations, and personal liability for management bodies.
Now
If you're not yet compliant, start immediately. Use our free tools below.
NIS vs NIS2: What Changed
NIS2 significantly expanded the scope, requirements, and penalties of the original NIS Directive.
| Aspect | NIS (Original) | NIS2 |
|---|---|---|
| Sectors | 7 sectors | 18 sectors |
| Entity Designation | By national designation | Automatic by size criteria |
| Incident Reporting | 72 hours | 24h / 72h / 1 month |
| Max Fines | ~€500K | €10M or 2% turnover |
| Management Liability | No | Yes — personal liability |
| Supply Chain | Limited | Comprehensive requirements |
Deep-Dive NIS2 Resources
Expert-written guides on NIS2 compliance, penalties, cyber insurance, and more.
NIS2 Penalties & Fines
Complete breakdown of fines, enforcement actions, and how penalties are calculated.
Cyber Insurance Comparison
How to evaluate and compare policies in 2026. EU provider landscape included.
NIS2 Underwriting Questions
Line 1, 2, and 3 questions every broker should ask NIS2-exposed clients.
Cyber Insurance Coverage Guide
What's covered, what's excluded, and how NIS2 affects your policy.
Small Business Cyber Insurance EU
Complete guide for European SMEs navigating cyber insurance and NIS2.
NIS2 Compliance Checklist
15-point checklist covering all Article 21 requirements. Free PDF download.
NIS2 Compliance FAQ
Common questions about NIS2 compliance, deadlines, penalties, and how to get started.
What is NIS2 compliance?
NIS2 compliance means meeting the cybersecurity requirements set out in the NIS2 Directive (EU) 2022/2555. Organizations in scope must implement risk management measures, incident reporting procedures, security governance, supply chain security, and business continuity plans. Non-compliance can result in fines up to €10M or 2% of global turnover.
How do I know if my organization needs to comply with NIS2?
NIS2 applies to essential entities (250+ employees or €50M turnover in critical sectors) and important entities (50-249 employees or €10M-50M turnover in broader sectors). Use our free NIS2 Compliance Checker to get an instant assessment based on your sector, size, and location.
When is the NIS2 compliance deadline?
EU Member States were required to transpose NIS2 into national law by October 17, 2024. Many countries are still finalizing their national implementations, but organizations should already be working toward compliance. Enforcement is ramping up across the EU in 2025-2026.
What are the penalties for NIS2 non-compliance?
Essential entities face fines up to €10M or 2% of global annual turnover. Important entities face fines up to €7M or 1.4% of global annual turnover. Management bodies can also be held personally liable for failing to implement required security measures.
How does NIS2 compliance affect cyber insurance?
NIS2 compliance can significantly reduce your cyber insurance premiums. Insurers view compliant organizations as lower risk. Non-compliance may result in higher premiums, coverage exclusions, or difficulty obtaining cyber insurance altogether.
What is the difference between NIS and NIS2?
NIS2 expands the scope from 7 to 18 sectors, removes the designation process (entities are automatically in scope based on size), introduces stricter 24h/72h/1month incident reporting, adds personal liability for management, and increases maximum fines from ~€500K to €10M+.
Does NIS2 apply to companies outside the EU?
NIS2 primarily targets EU-based organizations. However, non-EU companies providing services within the EU through subsidiaries or branches may fall under scope. Additionally, supply chain requirements mean EU entities must assess their non-EU vendors.
What tools does Resiliently offer for NIS2 compliance?
Resiliently offers three free tools: (1) NIS2 Compliance Checker — determine if you're in scope, (2) 15-Point Compliance Checklist PDF — audit your readiness against Article 21 requirements, and (3) Cyber Risk Calculator — estimate your cyber insurance costs and see how compliance affects premiums.
Free NIS2 Compliance Updates
Stay Ahead of NIS2 Enforcement
Weekly compliance tips, regulatory updates, and deadline reminders. Essential reading for security professionals and insurance brokers.
Want full compliance automation and AI-powered risk assessments?
€19 Founding Member
Become a Founding Member