The NIS2 Directive: What European Businesses Need to Know

The NIS2 Directive (Directive EU 2022/2555) is the European Union's updated cybersecurity law, in force since 18 October 2024. It applies to medium and large organisations — those with 50 or more employees or €10 million or more in annual turnover — operating in 18 critical and important sectors, including energy, transport, health, banking, digital infrastructure, and manufacturing. If your business operates in the EU in one of these sectors, you almost certainly fall within scope. Micro and small businesses under 50 employees are generally excluded, but specific exceptions apply to DNS providers, trust services, and sole essential service providers regardless of size.

The financial penalties depend on your entity classification. Essential entities — large organisations in the highest-criticality sectors — can be fined up to €10,000,000 or 2% of global annual turnover, whichever is higher. Important entities face fines up to €7,000,000 or 1.4% of global turnover. Beyond fines, authorities can issue binding remediation orders, publicise your non-compliance, suspend your operating licences, and — under Article 20 — hold senior executives personally liable, including temporary bans from management roles. Several member states, including Belgium and Italy, have introduced tiered penalty structures that exceed the NIS2 minimum.

NIS2 Article 21 requires 10 mandatory technical and organisational security measures. Several of these map directly to what attack surface management (ASM) delivers. Article 21(2)(a) requires risk analysis based on an accurate asset inventory — ASM provides that inventory automatically. Article 21(2)(e) explicitly mandates vulnerability handling and disclosure — ASM delivers weekly automated scanning and CVE tracking. Article 21(2)(f) requires you to prove your measures are effective — ASM generates quantifiable metrics and documented scanning evidence. Article 23 requires incident reporting within 24 and 72 hours — ASM provides the detection timestamps and asset data you need to meet those deadlines.

The NIS2 Directive applied from 18 October 2024, and enforcement is already active in Belgium, Croatia, Italy, and Lithuania. As of early 2026, approximately 20 of 27 EU member states have completed or are completing transposition into national law. Germany's NIS2 implementation law entered into force on 6 December 2025, with enforcement beginning in 2026 for around 29,000 entities. If you operate in any EU member state, you should treat NIS2 compliance as required now — the European Commission has already issued formal warnings to 19 member states to complete transposition and has threatened referral to the Court of Justice.

NIS2 uses a size-cap rule: you need 50 or more employees or at least €10 million in annual turnover to qualify as an 'important entity' — the lower threshold. Micro businesses (under 10 employees, under €2M turnover) are generally excluded. However, if your business is the sole provider of an essential service in a member state, operates a DNS service, or provides public electronic communications, you fall in scope regardless of size. Medium-sized businesses in sectors like manufacturing, food production, chemicals, digital services, and postal services should check whether they meet the thresholds — NIS2 was explicitly designed to bring mid-market organisations into scope that NIS1 missed.

The fastest way to understand your NIS2 exposure is to start with your attack surface — the assets and vulnerabilities that regulators will ask about first. SeguriScan's free security scan maps your internet-facing assets in under 60 seconds, identifies vulnerabilities that are relevant to Article 21 requirements, and produces a report you can use as the baseline for your compliance programme. No installation or credit card is required. If you want a guided walkthrough of how SeguriScan maps to your specific NIS2 obligations, book a demo and one of our security experts will walk you through it.