
NIS2 Directive

The EU's landmark cybersecurity directive requiring essential and important entities across 18 sectors to implement risk management, incident reporting, and supply chain security measures -- with board-level accountability and fines up to EUR 10 million or 2% of global turnover.

EU directive · 37 regulations tracked · 24/27 member states transposed · Updated April 2026
THE ESSENTIALS

The NIS2 Directive is an EU law that forces companies running critical services -- from hospitals and power grids to cloud providers and food distributors -- to take cybersecurity seriously. If your organisation has more than 50 employees or turns over more than EUR 10 million and operates in one of 18 listed sectors, this law almost certainly applies to you.

Before NIS2, each EU country could decide for itself which companies had to follow cybersecurity rules, and enforcement was inconsistent. NIS2 replaces that patchwork with a single set of obligations that apply across all 27 member states: you must manage cyber risks, report serious incidents quickly, and secure your supply chain. The directive also makes company boards personally responsible for ensuring these measures are in place.

Most member states have now written NIS2 into their own national laws, meaning the obligations are legally binding and enforceable today. The penalties are significant -- up to EUR 10 million or 2% of worldwide revenue for the most critical organisations. Supervisory authorities are already conducting compliance assessments in countries that transposed early.

In short: if your company keeps essential services running or handles sensitive digital infrastructure, NIS2 sets the baseline for how you must protect it -- and your board is on the hook if you do not.

SWISS COMPASS (CH)

Switzerland is not an EU member state and is not required to transpose NIS2 into national law. However, Swiss companies that provide services to customers in the EU, operate subsidiaries in EU member states, or form part of the supply chain of an EU-regulated entity may fall within NIS2's scope indirectly. EU-based clients will increasingly require contractual cybersecurity commitments aligned with NIS2 from their Swiss suppliers.

Switzerland's own cybersecurity framework -- anchored in the revised Information Security Act (ISG) and the National Cyber Strategy 2025 -- covers some of the same ground but does not match NIS2's incident reporting timelines or its sector-specific scope thresholds. Swiss organisations serving EU markets should conduct a gap analysis between their current posture and NIS2 requirements, particularly around the 24-hour early warning obligation and supply chain due diligence.

What: EU directive strengthening cybersecurity requirements for essential and important entities across critical sectors. Replaces the 2016 NIS Directive with dramatically expanded scope and stricter enforcement.
Who: Medium and large organisations (50+ employees or EUR 10M+ turnover) in 18 sectors including energy, transport, health, digital infrastructure, manufacturing, and public administration.
When: Member States were required to transpose by 17 October 2024. Most have now completed transposition into national law following EU infringement proceedings. Enforcement and supervisory cycles are underway across the EU.
Penalty: Up to EUR 10 million or 2% of global turnover for essential entities. Up to EUR 7 million or 1.4% of turnover for important entities. Personal liability for management bodies.
NIS1 (2016): ~7 sectors; ~10,000 entities EU-wide. Operators of essential services and digital service providers only. Member States had discretion on which entities to include.
NIS2 (2022): 18 sectors; ~160,000 entities EU-wide. All medium and large companies in listed sectors. Unified size-based threshold replaces Member State discretion. Two-tier system: essential + important entities.

The deadline was 17 October 2024. As of April 2026, 24 of 27 member states have transposed NIS2 into national law. The European Commission sent reasoned opinions to lagging states in May 2025, accelerating adoption through 2025.

Transposed (24) · In progress (3)

Code  Member state  Status       National law                        Date
AT    Austria       Transposed   NISG 2024                           Mar 1, 2025
BE    Belgium       Transposed   NIS2-wet                            Oct 18, 2024
BG    Bulgaria      In progress  -                                   -
CY    Cyprus        Transposed   -                                   Oct 18, 2024
CZ    Czechia       Transposed   Zakon o kyberneticke bezpecnosti    Mar 1, 2025
DE    Germany       Transposed   NIS2UmsuCG                          Mar 1, 2025
DK    Denmark       Transposed   -                                   Mar 1, 2025
EE    Estonia       Transposed   -                                   Jul 1, 2025
ES    Spain         Transposed   -                                   May 1, 2025
FI    Finland       Transposed   Kyberturvallisuuslaki               Jan 8, 2025
FR    France        Transposed   Loi Resilience                      Apr 1, 2025
GR    Greece        Transposed   -                                   Jun 1, 2025
HR    Croatia       Transposed   Zakon o kibernetickoj sigurnosti    Oct 18, 2024
HU    Hungary       Transposed   -                                   Oct 18, 2024
IE    Ireland       Transposed   -                                   Apr 1, 2025
IT    Italy         Transposed   D.Lgs. 138/2024                     Oct 16, 2024
LT    Lithuania     Transposed   -                                   Oct 18, 2024
LU    Luxembourg    In progress  -                                   -
LV    Latvia        Transposed   -                                   Jan 1, 2025
MT    Malta         Transposed   -                                   Jan 1, 2025
NL    Netherlands   Transposed   Cbw                                 Jun 1, 2025
PL    Poland        Transposed   Nowelizacja KSC                     Apr 1, 2025
PT    Portugal      In progress  -                                   -
RO    Romania       Transposed   -                                   Jan 1, 2025
SE    Sweden        Transposed   -                                   Jan 1, 2025
SI    Slovenia      Transposed   -                                   Jun 19, 2025
SK    Slovakia      Transposed   -                                   Jan 1, 2025
(- = not listed)

NIS2 replaces the NIS1 distinction between "operators of essential services" and "digital service providers" with a new two-tier system based on sector criticality and organisation size.

HIGHER OBLIGATIONS (essential entities)
Fines up to EUR 10M / 2% global turnover · Proactive supervision (ex-ante)

Energy: Electricity, oil, gas, hydrogen, district heating
Transport: Air, rail, water, road
Banking: Credit institutions
Financial market infrastructure: Trading venues, CCPs
Health: Hospitals, laboratories, pharmaceuticals, medical devices
Drinking water: Supply and distribution
Waste water: Collection, disposal, treatment
Digital infrastructure: IXPs, DNS, TLDs, cloud, data centres, CDNs, trust services
ICT service management (B2B): Managed service providers, managed security service providers
Public administration: Central government entities
Space: Operators of ground-based infrastructure

NIS2 introduces the most demanding incident reporting requirements in EU law. The clock starts the moment a significant incident is detected.

T+0 -- Incident detected: A significant cybersecurity incident is identified affecting network and information systems.
24h -- Early warning: Submit an early warning to the national CSIRT or competent authority. Must indicate if the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact.
72h -- Incident notification: Provide a full incident notification updating the early warning with an initial assessment of severity and impact, plus indicators of compromise where available.
1 month -- Final report: Submit a comprehensive final report including detailed root cause analysis, mitigation measures applied, cross-border impact assessment, and the type of threat or root cause that likely triggered the incident.

NIS2 introduces a fundamental shift: cybersecurity is no longer just an IT concern. Management bodies (boards, C-suite) must personally approve and oversee cybersecurity risk-management measures, and can be held personally liable for non-compliance.
01 Approval obligation: Management bodies must formally approve the cybersecurity risk-management measures adopted by their organisation.
02 Training requirement: Board members and senior management must undergo regular cybersecurity training to gain sufficient knowledge and skills.
03 Personal liability: Member States may hold management bodies personally liable for infringements. This can include temporary bans from managerial functions for essential entities.
04 Oversight duty: Management must supervise implementation of cybersecurity measures on an ongoing basis and ensure adequate resources are allocated.

NIS2 requires entities to assess and manage cybersecurity risks in their entire supply chain, including direct suppliers and service providers. This is one of the most operationally challenging requirements, as it extends obligations beyond organisational boundaries.
01 Supplier risk assessment: Evaluate the cybersecurity practices and vulnerabilities of each direct supplier and service provider, considering the overall quality and resilience of their products and services.
02 Contractual safeguards: Include cybersecurity requirements in contractual arrangements with suppliers, covering security measures, incident notification, audit rights, and sub-contracting restrictions.
03 Coordinated risk assessments: Participate in coordinated security risk assessments of critical supply chains as directed by the NIS Cooperation Group and EU institutions.
04 Continuous monitoring: Establish ongoing monitoring of supplier cybersecurity posture, with processes for responding to newly discovered vulnerabilities or incidents in the supply chain.

01 Cybersecurity risk management: Implement appropriate technical, operational, and organisational measures to manage risks to network and information systems.
02 Incident reporting: Submit an early warning to your national CSIRT within 24 hours and a full incident notification within 72 hours of a significant incident.
03 Supply chain security: Assess and manage cybersecurity risks in your supply chain, including direct suppliers and service providers.
04 Management accountability: Ensure management bodies approve cybersecurity measures, undergo training, and bear personal accountability for compliance.
05 Business continuity: Develop and test business continuity and disaster recovery plans to ensure resilience against cyber disruptions.
06 Vulnerability management: Establish processes for vulnerability discovery, disclosure, and remediation across all critical systems.
07 Access control and encryption: Implement multi-factor authentication, access management policies, and encryption for data at rest and in transit.


KEY OBLIGATIONS
Implement comprehensive cybersecurity risk management measures
Report significant incidents to national CSIRT within 24 hours (early warning) and 72 hours (full notification)
Ensure supply chain security for all third-party software components
Conduct regular vulnerability assessments and penetration testing
Ensure management bodies approve and oversee cybersecurity measures
YOUR FIRST STEP

Determine whether your organisation qualifies as an essential or important entity under NIS2 sector definitions and size thresholds

RELATED REGULATIONS TRACKED

Jurisdiction | Title | Status | Links
EU | Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance) | adopted | 18
EU | Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) | adopted | 12
EU | Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance) | adopted | 8
EU | Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 | adopted | 6
EU | Decision (EU) 2025/1654 of the European Parliament of 7 May 2025 on the closure of the accounts of the European Union Agency for Cybersecurity for the financial year 2023 | adopted | 4
EU | Decision (EU) 2025/1653 of the European Parliament of 7 May 2025 on discharge in respect of the implementation of the budget of the European Union Agency for Cybersecurity for the financial year 2023 | adopted | 4
EU | Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance) | adopted | 4
EU | Decision (EU) 2024/2315 of the European Parliament of 11 April 2024 on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2022 | adopted | 3
EU | Decision (EU) 2024/2317 of the European Parliament of 11 April 2024 on the closure of the accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2022 | adopted | 3
EU | Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) | adopted | 3