EU Compliance Guide

NIS2 & CER Compliance: Simplified for European Businesses

Understand your obligations under the EU NIS2 Directive and the CER Directive. Protect your organisation from cyber threats, avoid six-figure fines, and meet the 2024 enforcement deadlines.

Verified EU legal sources | Last updated: May 2026 | GDPR compliant | No legal advice, facts only

Two Directives. One Compliance Framework.

NIS2 and CER are complementary frameworks. Understand how they interact and why many organisations fall under both.

NIS2 Directive

Mandatory cybersecurity risk management for 18 critical sectors. Fines of up to €10 million or 2% of global annual turnover.

CER Directive

Physical resilience requirements for critical entities in energy, transport, health, and digital infrastructure sectors.

EU AI Act

The world's first comprehensive legal framework for AI, imposing strict safety and transparency rules based on risk levels.

Overlap & Synergies

Many organisations fall under both directives. Understand how a unified compliance programme covers both frameworks efficiently.

Why NIS2 Compliance Matters Now

The NIS2 transposition deadline was 17 October 2024. Most EU member states have now enacted national implementing laws, and the first enforcement actions are expected in 2025 and 2026. There is no grace period left for in-scope entities.

Many organisations do not realise they are in scope. NIS2 extends far beyond energy utilities and hospitals: it covers mid-size managed service providers, chemical companies, food manufacturers, and research organisations. The thresholds are low — 50 employees or €10 million annual turnover is enough.

  • Transposition deadline passed: 17 October 2024
  • First enforcement cases expected from 2025 onward
  • Fines up to €10 million or 2% of global turnover
  • Senior management faces personal liability under Article 20
  • Supply chain risk: your suppliers may put you in scope

NIS2 at a Glance

Who is affected?
Medium and large entities operating in 18 critical sectors across EU member states. Essential Entities (EEs) face stricter obligations than Important Entities (IEs).
Core obligations
Risk management measures, supply chain security, multi-factor authentication (MFA), encryption, incident reporting, and board-level accountability.
Incident reporting
The "24-72-1" rule: early warning within 24 hours, full notification within 72 hours, and a final incident report within 1 month.
Maximum fines
Essential Entities: up to €10 million or 2% of global annual turnover. Important Entities: up to €7 million or 1.4% of global turnover.

Affected Sectors (NIS2)

NIS2 covers 18 sectors split across two annexes. Annex I entities are classified as Essential Entities (EE) and face stricter obligations; Annex II entities are classified as Important Entities (IE).

Legend: EE = Essential Entity (Annex I); IE = Important Entity (Annex II)

  • Energy (EE): Electricity operators, gas transmission & distribution, oil pipelines, hydrogen infrastructure

  • Transport (EE): Airlines, airports, rail operators, shipping companies, port authorities, road traffic management

  • Banking (EE): Credit institutions and banks authorised under EU law

  • Financial Markets (EE): Trading venues, central clearing counterparties (CCPs), trade repositories

  • Health (EE): Hospitals, clinical laboratories, R&D pharmaceutical companies, medical device manufacturers

  • Drinking Water (EE): Suppliers and distributors of water intended for human consumption

  • Wastewater (EE): Operators collecting or treating urban wastewater and industrial effluent

  • Digital Infrastructure (EE): DNS providers, TLD registries, IXPs, cloud providers, CDNs, data centres, telecom networks

  • ICT Service Management (EE): Managed service providers (MSPs), managed security service providers (MSSPs)

  • Public Administration (EE): Central government bodies; regional and local administrations where required by member state

  • Space (EE): Operators of ground-based infrastructure supporting space-based services (e.g., satellite navigation, earth observation)

  • Postal Services (IE): Postal and courier service operators including parcel delivery networks

  • Waste Management (IE): Operators handling hazardous and non-hazardous waste collection, transport, and disposal

  • Chemicals (IE): Manufacturers and distributors of hazardous chemicals; SEVESO-tier sites

  • Food Production (IE): Large food processing companies and wholesale distributors

  • Manufacturing (IE): Medical devices, computers & electronics, machinery, motor vehicles, transport equipment manufacturers

  • Digital Providers (IE): Online marketplaces, online search engines, social networking platforms

  • Research (IE): Research organisations and universities conducting security-relevant or critical research

Who This Site Is For

NIS2Dir.eu is built for professionals who need clear, factual answers about EU cybersecurity obligations without jargon or marketing spin.

Compliance Officers

In energy, transport, finance, health, and digital infrastructure sectors navigating Article 21 obligations.

IT Managers

In medium and large enterprises responsible for security operations, incident response, and risk management programmes.

MSPs & MSSPs

Managed service and security providers helping clients achieve and maintain NIS2 compliance across multiple sectors.

Board Members & Executives

Senior leaders who need to understand personal liability under Article 20 and the board's legal responsibilities.

Trusted Sources

All information on this site is sourced from the Official Journal of the European Union, ENISA guidelines, and national competent authority publications. We do not cite third-party summaries as primary sources.

Is Your Business NIS2-Compliant?

Learn which specific Article 21 measures apply to your business and how to meet the enforcement deadline.