The NIS2 Directive is the European Union’s attempt to turn cybersecurity from a patchwork of national rules into a more coherent resilience regime. It broadens the number of sectors in scope, sharpens governance duties and gives regulators stronger enforcement tools at a moment when cyber risk has become inseparable from operational continuity.

The NIS2 Directive, formally Directive (EU) 2022/2555, is the EU’s revised framework for securing network and information systems across critical sectors. It entered into force in January 2023, with member states required to transpose it by 17 October 2024, and it repealed NIS1 from 18 October 2024. Its central purpose is to raise the common level of cybersecurity across the Union by setting clearer obligations for public and private entities whose disruption could have serious societal or economic consequences.

From first framework to harder edge

NIS1, adopted in 2016, was the EU’s first broad cybersecurity law. It established a baseline structure by requiring national cybersecurity strategies, competent authorities, single points of contact and CSIRTs, which are specialised Computer Security Incident Response Teams responsible for detecting, managing and coordinating responses to cyber incidents. Alongside this institutional framework, the directive imposed security and incident reporting duties on operators of essential services and certain digital service providers. In practice, however, it left significant room for national interpretation, especially over which organisations were designated as essential and how rules were supervised. That flexibility helped launch the regime, but it also produced fragmentation.

NIS2 is the answer to those shortcomings. The new directive widens the scope, clarifies which entities fall in, tightens supervisory powers and places far more emphasis on management accountability. The European Commission describes the shift in simple terms: wider scope, clearer rules and stronger supervision tools. It is also a more explicitly operational law, bringing board-level responsibility, supply chain security and business continuity into the same compliance frame.

That change matters because NIS2 moves away from the narrower NIS1 distinction between operators of essential services and digital service providers. Instead, it uses the categories of essential and important entities, generally capturing medium-sized and large organisations in specified sectors. This produces a more automatic and harmonised approach, even though implementation at the national level still shapes the detail.

Who is covered and what they must do

The directive now spans 18 sectors. The highly critical group covers energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. A further set of other critical sectors includes postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research. Compared with NIS1, this is a marked expansion, especially into public administration, wastewater, space, postal services and a broader range of digital and industrial activity.

The obligations are also broader and more detailed. Essential and important entities must adopt appropriate and proportionate technical, operational and organisational measures to manage risk and reduce the impact of incidents. In practice, that means policies on risk analysis, incident handling, business continuity and crisis management, supply chain security, vulnerability handling and disclosure, access control, authentication, encryption and staff training. Management bodies must approve the measures, oversee their implementation and develop sufficient cybersecurity understanding to exercise that oversight properly. NIS2 therefore treats cyber resilience not as a technical add-on but as a matter of corporate governance.

Reporting duties are stricter too. The directive creates a more structured incident notification regime and is supported, for some digital sectors, by implementing rules at the EU level. Technical guidance published in June 2025 by ENISA, the European Union Agency for Cybersecurity, which supports Member States, EU institutions and organisations in improving their cybersecurity capabilities and cooperation, was designed to help covered entities translate the directive’s language into evidence, controls and operational practice. The publication itself reflected a consultation process with industry, suggesting that the implementation phase has already become a dialogue between lawmakers, regulators and operators.

Sanctions, delays and early feedback

On paper, NIS2 has real teeth. Member states must provide for administrative fines of at least €10 million or 2 per cent of worldwide annual turnover for essential entities, whichever is higher, and at least €7 million or 1.4 per cent of worldwide annual turnover for important entities. The regime also allows for non-financial measures, including compliance orders, audits and, in some circumstances, temporary bans affecting management responsibilities.

Since implementation, though, the most visible sanctions story has been directed not at companies but at states. Many member states missed the 17 October 2024 transposition deadline. The Commission first opened infringement procedures against late countries in late 2024, then sent reasoned opinions to 19 member states on 7 May 2025 for failing to notify full transposition. By March 2026, the transposition picture was still uneven, with the Commission continuing infringement action in at least one further case, Lithuania. In other words, enforcement has begun, but much of it has so far focused on the machinery of implementation rather than headline corporate penalties.

The feedback since rollout has been broadly supportive of the directive’s ambition but candid about the strain of compliance. ENISA’s Advisory Group warned in 2025 that divergence between member states and sectors was still creating unnecessary complexity. ENISA’s NIS Investments 2025 report also found that patching, business continuity and supply chain risk were among the most difficult areas for organisations, while many still lagged on regular assessments and remediation speed. Those findings help explain why the Commission proposed targeted amendments on 20 January 2026 to simplify jurisdictional rules, streamline ransomware-related data collection and reinforce ENISA’s coordinating role for cross-border supervision.

Implications for homeland security operations

For homeland security stakeholders, NIS2 translates cybersecurity from a supporting function into a core element of operational resilience. Public authorities, emergency services and operators of critical infrastructure are now more explicitly within scope, either as essential entities or as part of interdependent supply chains. This means that cyber risk is no longer treated in isolation but as a factor that can directly affect continuity of government, crisis response and public safety.

In practical terms, the directive requires homeland security organisations to formalise risk management in ways that align with operational planning. Incident response procedures must be integrated with crisis management frameworks, ensuring that cyber incidents are handled with the same level of coordination as physical emergencies.

This includes clearer escalation protocols, faster reporting timelines and closer interaction with national authorities and Computer Security Incident Response Teams. The emphasis on business continuity also pushes agencies to consider how digital disruption could affect command structures, communications and field operations.

Supply chain security is another significant shift. Many homeland security capabilities rely on external technology providers, from communications systems to data platforms. NIS2 places responsibility on organisations to assess and manage the cybersecurity posture of these suppliers, extending oversight beyond their immediate perimeter. This has implications for procurement, contract management and ongoing monitoring, particularly in environments where sensitive or mission-critical systems are involved.

At governance level, the directive introduces greater accountability for senior leadership. Management bodies are expected to approve cybersecurity measures and oversee their implementation, which effectively elevates cyber risk to a strategic concern. For homeland security institutions, this reinforces the need for coordination between technical experts and decision-makers, ensuring that cybersecurity considerations are embedded in policy, planning and operational doctrine.

NIS2 is an evolving operating model for European cyber resilience, one that is already reshaping how critical sectors govern digital risk, document resilience and prepare for scrutiny. For security professionals, regulators and industrial operators alike, that makes it more than a compliance topic. It is part of a wider strategic conversation about trust, continuity and sovereignty, a conversation that sits squarely within the agenda of Milipol Paris.
