The EU’s NIS2 Directive entered into force on 16 January 2023. It replaces the original Network and Information Security (NIS) Directive, which has governed cybersecurity requirements for critical sectors since 2016. Member states have until 17 October 2024 to transpose NIS2 into national law — meaning the national implementing legislation that will be enforced against specific organisations is due within 21 months.

NIS2 is not a minor update to NIS1. It fundamentally changes the scope, the requirements, and the enforcement landscape. Organisations that were not covered by NIS1 may now be in scope. Organisations that were covered by NIS1 face materially higher requirements. And management bodies face personal liability for cybersecurity failures that simply did not exist under the original Directive.

Scope: Dramatically Expanded

NIS1 covered a narrow set of “operators of essential services” in seven sectors: energy, transport, banking, financial market infrastructure, health, drinking water, and digital infrastructure. Designation as an operator of essential services required a competent authority decision — many organisations in these sectors were not captured by NIS1 because they had not been formally designated.

NIS2 adopts a fundamentally different approach. Rather than designation-based scoping, NIS2 uses a size-based threshold: medium-sized enterprises (50+ employees or €10 million+ annual turnover) and large enterprises operating in the covered sectors are in scope automatically, without requiring a designation decision. The covered sectors are also significantly expanded — from 7 under NIS1 to 18 under NIS2, now including waste management, postal services, food production, manufacturing of critical products, and a broader range of digital service providers.

The practical consequence is that tens of thousands of EU organisations that were not covered by NIS1 are now in scope for NIS2. The Directive itself estimates that NIS2 will apply to approximately 160,000 entities across the EU — a figure many times larger than NIS1’s scope.

The Security Requirements: More Specific and More Demanding

NIS1 required operators of essential services to take “appropriate and proportionate technical and organisational measures” to manage security risks — a deliberately vague formulation that resulted in inconsistent implementation across member states. NIS2 specifies minimum security measures that all in-scope entities must implement.

NIS2 Article 21 requires entities to adopt measures covering at minimum: risk analysis and information system security policies; incident handling; business continuity (backup management, disaster recovery, crisis management); supply chain security; secure system acquisition, development, and maintenance; policies and procedures for assessing cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; policies on cryptographic use; human resources security; access control and asset management; and multi-factor authentication or continuous authentication.

Management Accountability: The Most Significant Change

NIS2 creates explicit personal accountability for management bodies. Under Article 20, management bodies must approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for infringements. Management body members are required to undertake cybersecurity training to develop sufficient knowledge to identify risks and assess cybersecurity risk management practices.

This is the most operationally significant change for most organisations. Board and executive leadership that have treated cybersecurity as an IT department responsibility face a regulatory framework that explicitly makes them personally accountable for the adequacy of the organisation’s cybersecurity risk management.

At Bitsecura, we help organisations understand their NIS2 obligations, assess their compliance programme gaps, and build the cybersecurity governance structures that NIS2’s management accountability requirements demand. If you want to understand what NIS2 means for your organisation, start a conversation here.


Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.