NIS2 (Network and Information Security Directive)
The updated EU directive on cybersecurity that expands the scope of the original NIS Directive to cover more sectors and entities. NIS2 introduces stricter security requirements, incident reporting obligations, and enforcement measures with significant penalties for non-compliance.
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation that replaces the original NIS Directive from 2016. It significantly expands the scope to cover essential and important entities across 18 sectors, including energy, transport, banking, health, digital infrastructure, and public administration. Member states were required to transpose NIS2 into national law by October 17, 2024.
NIS2 introduces proportionate security requirements based on entity classification. Essential entities (large organizations in critical sectors) face stricter oversight and higher penalties (up to €10 million or 2% of global turnover), while important entities have somewhat lighter requirements but still face penalties up to €7 million or 1.4% of turnover. Key obligations include risk management measures, incident reporting within 24 hours (early warning) and 72 hours (full notification), supply chain security, and management body accountability.
For financial services organizations already subject to DORA, NIS2 generally defers to DORA as the sector-specific regulation (lex specialis). However, organizations in overlapping sectors should understand both frameworks to ensure comprehensive compliance coverage.
Related Terms
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.
Incident Reporting
The formal process of detecting, classifying, and reporting ICT-related incidents to competent authorities. DORA Articles 17-23 establish specific requirements for incident classification, initial notification, intermediate reports, and final reports to supervisory authorities.
Supply Chain Security
The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.
Risk Assessment
A systematic process of identifying potential threats, evaluating vulnerabilities, and determining the likelihood and impact of risks to an organization's information assets and operations. Risk assessments are foundational to ISO 27001, DORA, and virtually every compliance framework.
Related Articles
NIS2 Compliance Checklist: 10 Steps to Get Ready
In the compliance domain, there's an enduring myth that the volume of your policies is directly proportional to the strength of your compliance posture
NIS2 Supply Chain Security: Managing Your Vendor Risk
In the rapidly evolving landscape of cybersecurity, the European Union's Directive on security of network and information systems (NIS2) is setting a new standard for supply chain security
NIS2 Directive Explained: Who It Affects and What to Do
NIS2 directive explained covering scope, affected entities, cybersecurity requirements, and compliance obligations for EU organizations.
NIS2 for Financial Services: When DORA and NIS2 Collide
Navigate the overlap between NIS2 and DORA directives for financial services including compliance strategies and cybersecurity requirements.