From NIS1 to NIS2: What Changed and Why It Matters

Understand the evolution from NIS1 to NIS2. Learn scope expansion, fragmentation fixes, enforcement changes, and what matters for your compliance.

Daniel Grigorovich
Founder · 3 Apr 2026 · 8 min read

Who should read this: Anyone currently complying with NIS1, anyone transitioning from NIS1 to NIS2, and anyone wanting to understand the regulatory context of NIS2.

The original Network and Information Systems Directive (NIS1 or Directive 2016/1148) was itself groundbreaking. For the first time, the European Union established a coherent, harmonised framework for cybersecurity across critical sectors. It created a duty for member states to implement national cybersecurity strategies. It introduced the concept of “operators of essential services” and imposed mandatory incident reporting.

Yet within years of NIS1’s entry into force, its limitations became apparent. The directive was too narrow in scope. Member States implemented it differently—sometimes dramatically so. The gap between NIS1’s regulatory reach and the expanding threat landscape widened year by year. By 2020, the European Commission acknowledged that NIS1 had “inherent shortcomings” and could not effectively address emerging cybersecurity challenges.

NIS2 is the response. This guide explains what changed, why the changes matter, and what organisations moving from NIS1 to NIS2 should expect.

The Original Vision: What NIS1 Achieved

NIS1, which entered into force on 9 May 2018, was Europe’s first attempt at continent-wide cybersecurity regulation. Its contributions were real:

It established mandatory national cybersecurity strategies. Member States were obliged to assess their cybersecurity landscape and develop strategies to increase their resilience.

It created the Cooperation Group. This institutional mechanism enabled national competent authorities to coordinate, share information, and develop common approaches across the EU. The Cooperation Group remains central to NIS2 governance.

It introduced a network of national Computer Security Incident Response Teams (CSIRTs). These teams became the operational backbone for incident response and coordination.

It defined “operators of essential services”—entities in energy, transport, water, health, and digital services—and imposed mandatory cybersecurity and incident reporting obligations on them.

It established a single point of contact in each Member State to facilitate cross-border incident coordination and information sharing.

In the context of 2016 (when NIS1 was legislated), these achievements were substantial. NIS1 created the regulatory conditions for European cybersecurity to move beyond fragmentation and ad hoc national approaches.

Why NIS1 Was Not Enough: The Shortcomings

Yet by the early 2020s, it was clear that NIS1 had structural limitations. The European Commission’s review, which underpinned NIS2 development, identified several inherent shortcomings.

Scope Too Narrow

NIS1 applied primarily to “operators of essential services” in five sectors: energy, transport, water, health, and digital services. This list was narrowly tailored and left out growing areas of criticality. The definition of digital services was outdated—it predated cloud computing’s explosive growth, the rise of content delivery networks, the dominance of social media platforms, and the expansion of managed security services.

More significantly, NIS1 left massive swathes of the economy unregulated. Manufacturers, chemical producers, food supply, waste management, postal services, and space operations—all critical to European resilience—were largely out of scope. A single cyberattack on a pharmaceutical manufacturer or a water treatment chemical supplier could cascade across the economy, but NIS1 did not reach these sectors.

This was not an oversight. The scope was a deliberate compromise reflecting political consensus in 2016. But as threat landscapes evolved and digital interconnectedness deepened, the compromise became obsolete.

Fragmented Implementation Across Member States

Recital 4 captures the core problem: “The cybersecurity requirements imposed on entities providing services or carrying out activities which are economically significant vary considerably among Member States in terms of type of requirement, their level of detail and the method of supervision. Those disparities entail additional costs and create difficulties for entities that offer goods or services across borders.”

NIS1 gave Member States enormous discretion. Who qualifies as an “operator of essential services”? Member States decided individually. What measures should they take? The Directive specified principles but left much to national judgement. How should incidents be reported? Each Member State created its own process, timelines, and definitions of significance.

The result was fragmentation. A cloud provider operating across ten Member States faced ten different compliance regimes. The same incident might be reportable in one country and not in another. One Member State might require annual audits; another might conduct spot checks. This created costs, confusion, and compliance gaps.

Recital 5 emphasises this: “All those divergences entail a fragmentation of the internal market and can have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and the level of cyber resilience due to the application of a variety of measures.”

Inadequate Governance and Accountability

NIS1 did not explicitly require management-body or board-level involvement in cybersecurity governance. It treated cybersecurity as a technical issue to be delegated to IT and security teams. This proved inadequate. Boards, often disconnected from cybersecurity risk, did not exercise proper oversight. Cyber-risk decisions were made without C-suite or board awareness.

The SolarWinds attack and major ransomware incidents of 2019-2021 underscored this gap. Boards should have understood and approved cybersecurity strategy. But NIS1 did not mandate it.

Weak Enforcement

NIS1 had penalties, but they were applied inconsistently across Member States. Some countries prosecuted violations vigorously; others rarely enforced. The maximum fine (EUR 100,000 or equivalent) was modest compared to the economic significance of the sectors covered. There was no effective harmonisation of enforcement.

The NIS2 Response: What Changed

NIS2 (Directive 2022/2555) was legislated in December 2022 and entered into force on 12 November 2023. It addresses each of the above shortcomings.

Expanded Scope with Size-Cap Rule

NIS2 extends to eleven sectors (energy, transport, water, health, digital infrastructure, public administration, space, chemical, food, manufacturing, postal). This covers far more of the economy than NIS1.

But the bigger innovation is the size-cap rule. Rather than relying on Member State discretion to identify essential operators, NIS2 uses an objective criterion: entities that are medium-sized or larger (250+ employees or EUR 50 million+ turnover) in any Annex I or Annex II sector are in scope. This replaces subjective Member State designation with an automatic, formula-based rule.

Recital 7 explains: “a uniform criterion should be established that determines the entities falling within the scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities which qualify as medium-sized enterprises…and which operate within the sectors…fall within its scope.”

This is a fundamental change. It removes discretion, creates legal certainty, and extends compliance obligations to far more organisations automatically.

Harmonised Obligations with Implementing Acts

NIS1 specified principles. NIS2 specifies ten minimum measures in Article 21(2)—policies on risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene, cryptography, access control, and multi-factor authentication. These are mandated, not optional.

Moreover, Article 21(5) directs the Commission to adopt implementing acts laying down technical and methodological requirements for specific entity types. This was not possible under NIS1. Now, if you are a cloud provider, a DNS operator, or a data centre provider, you will face implementing acts that spell out precisely what “cloud security” or “DNS security” means under NIS2.

This reduces fragmentation. All Member States must implement the same technical requirements, not interpret them individually.

Mandatory Board-Level Accountability

NIS2 Article 20 explicitly requires that management bodies of essential and important entities approve cybersecurity measures, oversee implementation, and can be held personally liable for breaches. This was not in NIS1.

This is a sea change. It elevates cybersecurity from a technical issue to a strategic governance obligation. Boards cannot delegate away accountability; they must approve measures and ensure competence within the governance structure.

Stronger Incident Reporting Framework

NIS1 required incident notification “without undue delay.” This was vague. Some Member States interpreted it as 72 hours; others as weeks.

NIS2 Article 23 harmonises timelines: for trust service providers, 24 hours; for all others, 72 hours. There is no ambiguity. The Directive also specifies a two-stage process: an early notification within the tight timeframe, followed by intermediate and final reports. This allows regulators to respond to incidents rapidly whilst giving entities time to investigate.

Escalated Enforcement Powers

NIS1 penalties ranged up to EUR 100,000. NIS2 (Articles 34-35) imposes administrative fines up to EUR 10 million or 2% of annual global turnover, whichever is higher. For systematic breaches of Article 21 or Article 23 obligations, the penalty rises to EUR 20 million or 4% of global turnover.

This is not mere housekeeping. A EUR 20 million fine has real deterrent power. It ensures that senior management takes compliance seriously.

Timeline and Transition

NIS1 continued to apply until 18 October 2024. Organisations then transitioned to NIS2 obligations. However, the full compliance deadline for NIS2 is 12 May 2025.

This staggered timeline is important:

By 17 October 2024, Article 20 (governance) obligations became mandatory under NIS2, even before the general compliance deadline.

By 12 May 2025, all Article 21 (measures) and Article 23 (incident reporting) obligations must be fully met.

Member States had until 18 October 2024 (eighteen months from entry into force) to transpose NIS2 into national law.

Organisations should have already begun compliance work. The transition period is designed to give organisations time, but it is not indefinite.

What This Means for Your Organisation

If you were complying with NIS1, you are almost certainly in scope for NIS2. NIS2 scope is broader, and the size-cap rule means that many NIS1-compliant organisations will remain in scope.

Your existing NIS1 measures may meet NIS2 requirements, but you cannot assume this. The ten Article 21(2) measures are more detailed and demanding than NIS1’s principles. You must conduct a gap analysis against Article 21(2) and address any deficiencies.

NIS2 introduces new requirements that did not exist in NIS1: supply chain security is now mandatory, not recommended. Multi-factor authentication is mandatory. Board-level governance is mandatory with personal liability.

If your Board was not involved in cybersecurity governance under NIS1, it must be under NIS2. This requires organisational change, not just technical patching.

The incident reporting timeline is tighter. You must detect significant incidents and notify within 72 hours (or 24 hours if you are a trust service provider). This requires mature incident response capability.

Key Takeaways

  • NIS1 was groundbreaking but narrow in scope, applied only to essential service operators in five sectors, and gave Member States wide discretion, resulting in fragmented implementation and compliance challenges for cross-border operations.

  • NIS1 shortcomings included scope gaps (missing critical sectors), fragmented Member State implementation, weak governance requirements, and inadequate enforcement, which together created regulatory gaps that did not reflect the modern threat landscape.

  • NIS2 addresses these gaps with: expanded scope to eleven sectors plus digital services, a size-cap rule replacing Member State discretion, harmonised technical requirements via implementing acts, mandatory board-level accountability with personal liability, stricter incident reporting timelines, and escalated penalties (up to EUR 20 million or 4% of turnover).

  • The transition is phased: Article 20 governance obligations applied from 17 October 2024; full compliance with Articles 21 and 23 is mandatory by 12 May 2025; organisations transitioning from NIS1 must conduct gap analysis and implement new measures including supply chain security and multi-factor authentication.

  • NIS2 is a regulatory reset, not an incremental update; it reflects lessons learned from major cyberattacks, the failure of NIS1 to address supply chain risks, and the need for harmonised European cybersecurity governance.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.