
NIS2 and critical infrastructure cybersecurity compliance: what operators need to know for 2026

A step-by-step compliance guide to the EU NIS2 Directive and related critical infrastructure cybersecurity regulations, covering obligations, timelines, penalties, and implementation checklists for essential service operators.

Why It Matters

Cyberattacks against critical infrastructure surged 30 percent year over year in 2024, with the energy, transport, and healthcare sectors absorbing the greatest share of incidents (ENISA, 2025). A single ransomware event at a European hospital network in late 2024 disrupted patient care across 14 facilities for nine days and cost an estimated EUR 22 million in recovery and lost revenue (Dragos, 2025). Against this backdrop, the European Union adopted Directive (EU) 2022/2555, widely known as NIS2, replacing the original NIS Directive and dramatically expanding the scope, severity, and enforceability of cybersecurity obligations for operators of essential and important services. With national transposition deadlines having passed on 17 October 2024 and enforcement actions now ramping up across member states, operators that have not yet aligned their governance, risk management, and incident reporting processes face mounting legal, financial, and operational exposure. Understanding what NIS2 requires, who it applies to, and how to implement it is no longer optional for any organization operating in or supplying services to the EU's critical infrastructure sectors.

Key Concepts

Essential vs. important entities. NIS2 divides in-scope organizations into two tiers. Essential entities include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Important entities cover postal and courier services, waste management, chemicals manufacturing, food production and distribution, manufacturing of medical devices, electronics, machinery, and motor vehicles, as well as digital providers such as online marketplaces and search engines. Essential entities face stricter supervisory regimes and higher penalty ceilings.

Risk-based approach. Rather than prescribing specific technologies, NIS2 mandates that entities adopt proportionate technical, operational, and organizational measures based on an all-hazards risk assessment. This mirrors frameworks like NIST CSF 2.0 and ISO 27001 but adds sector-specific obligations and mandatory board-level accountability.

Supply chain security. NIS2 places explicit obligations on entities to assess and manage cybersecurity risks within their supply chains, including contractual security requirements for direct suppliers and service providers (European Commission, 2024). This represents a significant expansion from the original directive.

Management body liability. Senior management can be held personally liable for non-compliance. Board members and C-suite executives must approve cybersecurity risk management measures and undergo regular cybersecurity training.

Regulatory Timeline

Date             | Milestone
16 January 2023  | NIS2 Directive entered into force
17 October 2024  | Transposition deadline for EU member states
17 April 2025    | Member states must establish lists of essential and important entities
Q2 2025          | European Commission adopts implementing acts on technical and methodological requirements for specific sectors
17 October 2025  | Review of functioning of delegated and implementing acts
2026 (ongoing)   | Enforcement actions and audits ramp up across member states; penalty issuance begins
17 October 2027  | European Commission reviews the directive's functioning and reports to the European Parliament and Council

As of early 2026, ENISA reports that 23 of 27 member states have completed transposition into national law, though variations in scope and enforcement intensity remain (ENISA, 2026).

Who Must Comply

NIS2 applies to medium-sized and large organizations operating in the 18 sectors listed in Annexes I and II of the directive. The size threshold generally captures entities with 50 or more employees or annual turnover exceeding EUR 10 million. However, certain entities qualify regardless of size, including providers of DNS services, TLD name registries, qualified trust service providers, and public electronic communications networks.

Organizations outside the EU also fall within scope if they provide services to EU customers in covered sectors. The directive requires such entities to designate an EU representative in one of the member states where they operate.

Key sectors and indicative entity counts include:

  • Energy (electricity, oil, gas, hydrogen, district heating): approximately 25,000 entities across the EU (European Commission, 2024)
  • Transport (air, rail, water, road): approximately 13,000 entities
  • Health (hospitals, laboratories, pharmaceutical manufacturers, medical device makers): approximately 22,000 entities
  • Digital infrastructure (cloud providers, data centres, CDNs, IXPs): approximately 4,500 entities
  • ICT service management (managed service providers, managed security service providers): approximately 6,000 entities

Compliance Requirements

1. Cybersecurity risk management measures (Article 21). Entities must implement at minimum: risk analysis and information system security policies; incident handling procedures; business continuity and crisis management; supply chain security; security in network and information system acquisition, development, and maintenance; vulnerability handling and disclosure; cybersecurity testing and audit practices; cryptography and encryption policies; human resources security; and multi-factor authentication or continuous authentication solutions.

2. Incident reporting (Article 23). Entities must submit an early warning to their national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. A full incident notification must follow within 72 hours, and a final report, including root cause analysis, must be submitted within one month.

3. Governance and accountability (Article 20). Management bodies must approve and oversee the implementation of cybersecurity risk management measures. Members of management bodies are required to undertake regular cybersecurity training. Failure to comply can result in personal liability and temporary management bans.

4. Registration (Article 27). Entities must register with national competent authorities and provide updated information on contact details, IP ranges, and the member states in which they operate.

5. Penalties (Article 34). For essential entities, maximum administrative fines reach EUR 10 million or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is EUR 7 million or 1.4 percent of turnover. Supervisory authorities can also impose periodic penalty payments and order the temporary suspension of certifications or authorizations.

Step-by-Step Implementation

Step 1: Scope and classification. Determine whether your organization qualifies as an essential or important entity under NIS2. Map all subsidiaries, joint ventures, and shared services that may independently fall within scope.

Step 2: Gap assessment. Conduct a thorough gap analysis comparing current cybersecurity posture against the Article 21 requirements. Benchmark against ISO 27001, IEC 62443 (for OT environments), and the NIST Cybersecurity Framework 2.0 to identify overlaps and shortfalls.

Step 3: Board-level governance. Establish or update a board-level cybersecurity governance charter. Assign clear roles and responsibilities. Schedule mandatory cybersecurity training for all management body members at least annually.

Step 4: Risk assessment and treatment. Perform an all-hazards risk assessment covering physical, cyber, and hybrid threats. Prioritize risk treatment actions using a documented risk appetite statement approved by senior management.

Step 5: Supply chain security program. Inventory all critical suppliers and ICT service providers. Embed cybersecurity clauses in contracts, require evidence of security certifications, and conduct periodic supplier audits or assessments.

Step 6: Incident response and reporting. Update incident response plans to meet the 24-hour/72-hour/one-month reporting cadence. Conduct tabletop exercises quarterly and full-scale simulations at least annually. Establish pre-configured reporting templates and communication channels with your national CSIRT.

Step 7: Technical controls. Deploy or enhance multi-factor authentication, network segmentation, encryption at rest and in transit, vulnerability scanning, endpoint detection and response, and security information and event management (SIEM) capabilities.

Step 8: Testing and validation. Implement a continuous cybersecurity testing programme including penetration testing, red team exercises, and vulnerability disclosure policies. ENISA recommends at least annual penetration tests for essential entities (ENISA, 2025).

Step 9: Documentation and evidence. Maintain auditable records of all risk assessments, treatment plans, incident reports, training logs, and supplier assessments. Supervisory authorities may request evidence at any time.

Step 10: Continuous improvement. Treat NIS2 compliance as an ongoing programme rather than a one-time project. Integrate lessons learned from incidents, audits, and threat intelligence into iterative risk management cycles.

Common Pitfalls

Treating NIS2 as a purely IT issue. NIS2 covers operational technology (OT), IoT, and physical security. Organizations that limit compliance efforts to IT departments miss significant risk exposure in industrial control systems and building management networks.

Underestimating supply chain obligations. Many operators focus on internal controls but neglect the directive's explicit requirement to manage third-party risk. A 2025 survey by PwC found that only 38 percent of in-scope entities had updated supplier contracts to include NIS2-aligned cybersecurity clauses (PwC, 2025).

Delayed board engagement. Treating cybersecurity as a technical delegation rather than a governance responsibility leaves organizations exposed to personal liability provisions. Board members who cannot demonstrate active oversight face sanctions under multiple national transpositions.

Confusing NIS2 with GDPR timelines. The 24-hour early warning requirement is significantly faster than GDPR's 72-hour breach notification window. Organizations that rely on existing GDPR processes without adaptation risk non-compliance on the first qualifying incident.

Ignoring cross-border obligations. Entities operating in multiple member states must understand varying national transposition nuances. The directive introduces a lead supervisory authority model for certain digital service providers, but many sectors remain subject to multiple national regimes.

Key Players

Established Leaders

  • Siemens — Global industrial cybersecurity provider with dedicated OT security solutions for energy, transport, and manufacturing critical infrastructure
  • Palo Alto Networks — Enterprise cybersecurity platform with OT-specific threat detection and NIS2 compliance modules deployed across European critical infrastructure operators
  • Dragos — Industrial cybersecurity firm specializing in OT/ICS threat detection, with threat intelligence covering European energy and water utilities
  • Fortinet — Network security vendor with integrated IT/OT security fabric solutions widely adopted in EU critical infrastructure

Emerging Startups

  • Claroty — Israeli-founded OT security platform providing asset visibility and threat detection for critical infrastructure operators, valued at over USD 1.7 billion after 2024 funding rounds
  • Nozomi Networks — OT and IoT security analytics platform used by major European energy and transport operators for NIS2-aligned continuous monitoring
  • Phosphorus — xIoT security platform automating device discovery and remediation across enterprise IoT and OT environments
  • Wiz — Cloud security platform helping digital infrastructure providers meet NIS2 requirements for cloud-native environments

Key Investors/Funders

  • European Commission (Digital Europe Programme) — Allocated EUR 1.65 billion for cybersecurity capacity building across member states from 2021 to 2027
  • European Cyber Competence Centre (ECCC) — Coordinates EU cybersecurity investment priorities and co-funds national capacity building
  • Insight Partners — Major growth equity investor backing multiple cybersecurity companies with European critical infrastructure focus

Real-World Examples

Engie (France, energy). The French energy conglomerate began its NIS2 readiness programme in early 2024, integrating OT security monitoring across 47 power generation sites and 12 gas distribution networks. Engie deployed Nozomi Networks sensors alongside its existing SIEM infrastructure and established a dedicated OT security operations centre staffed by 35 analysts. By Q4 2025, the company reported a 60 percent reduction in mean time to detect OT anomalies and achieved full alignment with France's ANSSI transposition requirements. The estimated investment exceeded EUR 18 million over two years (Engie Annual Report, 2025).

Deutsche Bahn (Germany, transport). Germany's national railway operator restructured its cybersecurity governance to meet NIS2 requirements, elevating the CISO role to report directly to the management board. Deutsche Bahn conducted a comprehensive supply chain audit covering more than 200 critical ICT and OT suppliers, resulting in updated contractual requirements for 89 percent of assessed vendors. The company also implemented a 24/7 incident reporting capability linked directly to the BSI (Germany's federal cyber agency), successfully filing its first NIS2-compliant early warning within 18 hours of a targeted phishing campaign in March 2025 (BSI, 2025).

Philips (Netherlands, health/manufacturing). Operating across both the health and manufacturing sectors under NIS2, Philips implemented a unified cybersecurity risk management framework covering its medical device portfolio and production facilities. The company invested in ISO 27001 and IEC 62443 dual certification for its connected health platforms, addressing both IT and OT security requirements. Philips also published a supply chain cybersecurity standard requiring all Tier 1 suppliers to demonstrate compliance with NIS2-equivalent measures by mid-2025, with 72 percent of suppliers meeting the deadline (Philips Integrated Annual Report, 2025).

Enel (Italy, energy). Italian utility Enel established a cross-functional NIS2 compliance task force spanning IT, OT, legal, and procurement departments. The company invested EUR 25 million in upgrading cybersecurity infrastructure across its European generation and distribution assets, deploying micro-segmentation and zero-trust architecture in OT networks. Enel's programme was cited by ENISA as a model for essential entity compliance in the energy sector (ENISA, 2025).

Action Checklist

  • Confirm entity classification (essential vs. important) and register with the relevant national competent authority
  • Complete a gap assessment against Article 21 requirements, benchmarked to ISO 27001 and IEC 62443
  • Brief the board on NIS2 personal liability provisions and schedule annual cybersecurity training for management body members
  • Conduct an all-hazards risk assessment covering IT, OT, IoT, and physical security domains
  • Audit critical supply chain partners and embed NIS2-aligned cybersecurity clauses in supplier contracts
  • Update incident response plans to meet 24-hour early warning and 72-hour notification deadlines
  • Deploy or validate multi-factor authentication, network segmentation, encryption, and continuous monitoring tools
  • Schedule annual penetration testing and quarterly tabletop exercises
  • Establish a documentation repository for audit-ready evidence of compliance
  • Monitor national transposition updates and ENISA guidance for sector-specific implementing acts

FAQ

What is the difference between NIS2 and the original NIS Directive? NIS2 significantly expands the original directive's scope from approximately 7 sectors to 18 sectors, covering an estimated 160,000 entities across the EU compared to roughly 12,000 under NIS1 (European Commission, 2024). It introduces harmonized penalty ceilings, mandatory supply chain risk management, stricter incident reporting timelines (24-hour early warning), and personal liability for management bodies. The directive also removes the distinction between operators of essential services and digital service providers, replacing it with essential and important entity categories based on sector and size.

Does NIS2 apply to organizations outside the EU? Yes. Any entity providing services within the scope of NIS2 to customers in EU member states must comply, regardless of where the organization is headquartered. Non-EU entities are required to designate a representative in one of the member states where they provide services. This extraterritorial reach is similar in concept to GDPR's scope and affects global technology companies, cloud providers, and managed service providers serving European critical infrastructure.

How do NIS2 incident reporting requirements compare to GDPR? NIS2 requires a faster initial response: an early warning must be submitted within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours and a final report within one month. GDPR requires notification within 72 hours of becoming aware of a personal data breach. Organizations subject to both regimes may need to file parallel notifications if a cyber incident also involves personal data, making integrated reporting workflows essential.
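The 24-hour/72-hour/one-month NIS2 cadence (Step 6 above) and the parallel GDPR 72-hour clock described here are easy to miscalculate when an incident is discovered late on a Friday or across a month boundary, so the following Python deadline tracker is offered as an added example, not code from this article or from any vendor it names. It assumes the awareness time is recorded as a timezone-aware timestamp and, since the article does not say which event starts the final-report clock, that the one month runs from the filing of the 72-hour notification (an assumption, flagged in the code).

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Build a timezone-aware UTC timestamp (used for constructed samples)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(dt: datetime) -> datetime:
    """Same calendar day one month later, clamped to the last day of the
    target month (31 January -> 28 or 29 February)."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class Deadline:
    regime: str   # "NIS2" or "GDPR"
    stage: str    # which filing this clock belongs to
    due: datetime


def reporting_deadlines(aware_at: datetime, notification_sent_at=None,
                        personal_data: bool = False) -> list:
    """Derive every filing deadline that starts ticking at the moment the
    entity becomes aware of a significant incident."""
    if aware_at.tzinfo is None:
        # A naive timestamp is ambiguous across member states; refuse it.
        raise ValueError("aware_at must be timezone-aware")
    notification_due = aware_at + timedelta(hours=72)
    # Assumption (not stated in the article): the one-month final-report
    # clock runs from the moment the 72-hour notification was actually
    # filed, or from its deadline if it has not been filed yet.
    final_base = notification_sent_at or notification_due
    deadlines = [
        Deadline("NIS2", "early warning", aware_at + timedelta(hours=24)),
        Deadline("NIS2", "incident notification", notification_due),
        Deadline("NIS2", "final report", add_one_month(final_base)),
    ]
    if personal_data:
        # Parallel GDPR clock: 72 hours from awareness of the data breach.
        deadlines.append(Deadline("GDPR", "breach notification",
                                  aware_at + timedelta(hours=72)))
    return sorted(deadlines, key=lambda d: d.due)


def hours_remaining(deadlines: list, now: datetime, filed=()) -> dict:
    """Hours left per unfiled deadline (negative means already overdue).
    `filed` holds (regime, stage) pairs that have been submitted."""
    return {
        (d.regime, d.stage): round((d.due - now).total_seconds() / 3600, 1)
        for d in deadlines if (d.regime, d.stage) not in filed
    }


if __name__ == "__main__":
    # Constructed sample: awareness late on a Friday evening, UTC.
    aware = utc(2026, 1, 30, 21, 30)
    dl = reporting_deadlines(aware, personal_data=True)
    for d in dl:
        print(f"{d.regime:5} {d.stage:22} due {d.due.isoformat()}")
    print(hours_remaining(dl, aware + timedelta(hours=30),
                          filed={("NIS2", "early warning")}))
```

The `hours_remaining` output is what a SOC dashboard or ticket automation would poll; a negative value on an unfiled stage is the condition to alert on.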

What penalties can organizations face for non-compliance? Essential entities face fines of up to EUR 10 million or 2 percent of global annual turnover, whichever is greater. Important entities face fines of up to EUR 7 million or 1.4 percent of turnover. Beyond financial penalties, supervisory authorities can impose binding instructions, order security audits at the entity's expense, require public disclosure of non-compliance, and temporarily suspend management body members from exercising their functions.

Can existing ISO 27001 certification satisfy NIS2 requirements? ISO 27001 provides a strong foundation and covers many of the risk management, governance, and documentation requirements of NIS2. However, NIS2 includes specific obligations not fully addressed by ISO 27001 alone, such as the 24-hour incident early warning, mandatory supply chain risk management, management body training and personal liability, and sector-specific technical measures. Organizations with existing ISO 27001 certification should conduct a targeted gap analysis to identify supplementary controls needed for full NIS2 compliance.

Sources

  • ENISA. (2025). NIS2 Directive Implementation Status Report: National Transposition and Enforcement Readiness. European Union Agency for Cybersecurity.
  • ENISA. (2026). Threat Landscape for Critical Infrastructure 2025. European Union Agency for Cybersecurity.
  • European Commission. (2024). NIS2 Directive: Scope, Obligations, and Implementation Guidance. Publications Office of the European Union.
  • Dragos. (2025). Year in Review: OT Cybersecurity Threats and Incidents Affecting European Infrastructure. Dragos, Inc.
  • PwC. (2025). NIS2 Readiness Survey: Supply Chain Cybersecurity Compliance Across EU Essential Entities. PricewaterhouseCoopers.
  • BSI. (2025). NIS2 National Implementation Report and Incident Statistics. Bundesamt für Sicherheit in der Informationstechnik.
  • Philips. (2025). Integrated Annual Report 2024: Cybersecurity and Supply Chain Resilience. Koninklijke Philips N.V.
  • Engie. (2025). Annual Report 2024: Digital Transformation and Cybersecurity. Engie S.A.
