
5 Key Changes from NIS1 to NIS2

Arthur
07.02.2025

What is this all about?

  • NIS2 expands the scope to include more sectors and small and medium-sized organizations, enhancing overall EU cybersecurity.
  • It introduces stricter cybersecurity requirements, focusing on risk management, supply chain security, and employee training.
  • Incident reporting timelines are shortened, with mandatory reports within 24 hours and follow-ups to improve response coordination.
  • Non-compliance can lead to heavy fines, reputational damage, and personal sanctions for company management.

The transition from NIS1 to NIS2 marks a significant evolution in the EU's approach to cybersecurity.

NIS1 laid the groundwork for network and information systems security, focusing primarily on essential service providers. NIS2 expands this framework to a wider range of sectors and entities and places greater emphasis on robust cybersecurity practices.

And while many EU Member States including Germany have yet to implement the NIS2 Directive, the implementation of the directive is inevitable. Organizations should take this time to ensure preparedness and familiarize themselves with the key changes that NIS2 brings.


Delay in Implementation of NIS2

Since January 16, 2023, the NIS2 Directive has been in effect, requiring EU Member States to transpose the directive into national law by October 17, 2024.

However, by mid-2025, the European Commission reported that only a limited number of countries, Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania, had fully transposed NIS2 into their national legislation. In major Member States such as France, Germany, the Netherlands, and Sweden, draft legislation remains unadopted or stuck in parliamentary procedures.

This has resulted in a fragmented implementation landscape across the EU, with varying levels of readiness and compliance depending on the country.

According to the European Commission’s official guidance, a directive does not automatically apply in national legal systems. Instead, each country must first pass a national law to implement it. Where this has not happened, there is currently no enforceable legal obligation for companies to follow NIS2's rules, including its key cybersecurity and incident reporting provisions.

Despite the uneven rollout, businesses are urged to proactively prepare. The Commission has made it clear that enforcement will follow soon after national adoption, and organizations that delay may face compliance risks.

What Organizations Should Do Now

This additional time offers organizations a valuable opportunity to:

  1. Understand the key differences between NIS1 and NIS2, including broader sector coverage and tougher penalties
  2. Conduct risk assessments of their existing cybersecurity posture
  3. Identify gaps in technical and organizational measures
  4. Prepare for mandatory reporting timelines, such as notifying authorities of major incidents within 24 hours

With national laws expected to be finalized soon in the remaining Member States, organizations should monitor local legislative updates closely and act now to align with the directive’s intent, even where legal enforcement has not yet started.

Key differences - NIS1 vs NIS2

1. Scope Expansion

The transition from NIS1 to NIS2 brings a significantly broader scope of entities covered under the directive. While NIS1 focused mainly on operators of essential services (OES) in sectors like energy, transport, health, and digital infrastructure, NIS2 expands this to include postal and courier services, food production, waste management, water supply, and space-related services, among others.

This scope is detailed in Annex I and II of the NIS2 Directive. The directive now classifies organizations into two categories:

  • Essential Entities: those in sectors like energy, transport, healthcare, and digital infrastructure.
  • Important Entities: such as food processing, chemicals, and postal services.

NIS2 also lowers the size threshold, meaning many small and medium enterprises (SMEs) are now in scope if they play a critical role in these sectors. This more inclusive approach aims to reduce cybersecurity blind spots in Europe’s digital ecosystem.

2. Risk Management and Cybersecurity Requirements

While NIS1 required basic risk management measures, NIS2 introduces much stricter security and governance obligations (Article 21 of the Directive).

Organizations are now required to:

  • Use state-of-the-art encryption for sensitive data at rest and in transit.
  • Maintain business continuity and disaster recovery plans, including regular backups and redundancy.
  • Conduct regular cybersecurity risk assessments, including risks posed by third parties and suppliers.
  • Roll out employee training and awareness programs to address human error, a leading cause of cyber incidents.

This shift reflects the growing complexity and scale of cyber threats, including supply chain attacks. NIS2 mandates a proactive and preventative cybersecurity posture.

3. Incident Reporting

Incident reporting obligations have become more detailed and time-sensitive. Under Article 23 of NIS2, organizations must now:

  • Report significant incidents to the national CSIRT within 24 hours of becoming aware.
  • Submit an intermediate report after 72 hours.
  • Provide a final report within one month, including the root cause, impact, and mitigation steps.

These reports must follow standardized protocols and are submitted through a central EU platform designed to streamline reporting and improve coordination across member states.

4. Harmonization Across EU Member States

NIS1 allowed for national discretion in determining which organizations were subject to the rules. In contrast, NIS2 establishes harmonized criteria across all EU countries. This ensures a consistent level of cybersecurity and avoids regulatory fragmentation.

The directive also strengthens cross-border collaboration, including:

  • Information exchange mechanisms between competent authorities.
  • Joint crisis response exercises.
  • A coordinated vulnerability registry, overseen by ENISA, the EU Agency for Cybersecurity.

5. Enforcement and Penalties

One of the most impactful updates under NIS2 is its enforcement model. Non-compliant organizations now face fines of up to €10 million or 2% of their global annual turnover, whichever is higher (Article 34).

Additionally, management bodies (e.g. board members and executives) are personally accountable for ensuring compliance. They must:

  • Oversee cybersecurity implementation.
  • Approve risk management strategies.
  • Ensure timely incident reporting.

Failure to do so can result in personal liability, signaling a shift from IT-only responsibility to executive-level accountability.

What are the Risks of Not Complying with the NIS2 Directive?

Failing to comply with the NIS2 Directive can lead to serious consequences for organizations. Besides heavy financial penalties, non-compliance can damage a company’s reputation, reduce customer trust, and expose the organization to legal actions.

The main risks include:

  1. Administrative Fines: Organizations can face fines up to €10 million or 2% of their global annual revenue, whichever is higher (NIS2 Directive, Article 34).
  2. Enforcement Actions: Regulators have the power to investigate and audit companies that fail to comply. These investigations may uncover more security weaknesses, resulting in mandatory system upgrades or business interruptions.
  3. Reputational Damage: Some companies might be required to publicly disclose their non-compliance, which can seriously harm their public image and customer confidence.
  4. Operational Disruptions: Weak cybersecurity increases the risk of data breaches, leading to service outages and revenue losses.
  5. Personal Sanctions: In cases of gross negligence, top executives can be held personally responsible. This can result in temporary bans from management roles and other penalties.

Organizations should treat NIS2 compliance as a priority to avoid these risks and protect their operations and reputation.

Conclusion

The transition from NIS1 to NIS2 is a necessary step to strengthen cybersecurity across the European Union (NIS2 Directive). The directive’s expanded scope and stricter requirements reflect the changing nature of cyber threats and the urgent need for a proactive approach to protect critical infrastructure and essential services.

Although many EU Member States have delayed implementing NIS2 into national law, organizations must act now to assess their current cybersecurity measures, identify any gaps, and implement strategies to comply with the directive.

Failing to comply can lead to serious consequences, including financial penalties and damage to reputation (European Commission on Enforcement).

To prepare for NIS2 compliance, organizations should begin by reviewing the directive’s requirements and seek expert guidance if needed.

Frequently Asked Questions

Q: What is the main difference between NIS1 and NIS2?
A: NIS2 expands the scope to include more sectors and smaller organizations, and introduces stricter cybersecurity requirements and faster incident reporting.

Q: What happens if an organization does not comply with NIS2?
A: Organizations can face fines up to €10 million or 2% of global revenue, reputational damage, audits, and legal consequences.

Q: When must EU member states implement NIS2 into their national law?
A: EU member states must transpose the NIS2 directive into national law by October 17, 2024.

Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.