
NIS2: Which Organisations Are Affected and What They Must Do
Alexandre Durand
Editorial Director — Cybersecurity Expert
The NIS2 Directive (2022/2555) significantly broadens the scope of cybersecurity regulation across the EU. Millions of organisations are now within scope, up from a few thousand under the original NIS1 Directive.
18 Sectors Covered
Highly critical sectors (Annex I) include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. Critical sectors (Annex II) include postal services, waste management, chemicals, food, manufacturing, digital providers and research.
Size Criteria
Entities with 50 employees or EUR 10 million turnover (Article 2, Directive 2022/2555) operating in a covered sector fall within scope. Essential entities are large organisations in highly critical sectors; important entities are medium-sized organisations across all covered sectors.
Key Obligations
Compliance centres on cybersecurity governance, risk management, supply chain security, and incident notification to the national competent authority (e.g. NCSC in the UK, BSI in Germany). The notification deadlines are 24 hours for the early warning and 72 hours for the full report (Article 23, Directive 2022/2555).
*This article is for informational purposes only and does not constitute legal advice.*