
NIS 2 Implementation Guide
The NIS 2 Directive (EU 2022/2555) raises the bar for cybersecurity across the European Union. Building on the original NIS Directive from 2016, it expands scope, tightens governance expectations, and standardises reporting for critical and essential entities.
This guide explains what NIS 2 is, who must comply, what the key requirements are, and how to implement an effective compliance framework.
What is NIS 2?
The Network and Information Security Directive 2 (NIS 2) is the EU’s primary cybersecurity law for organisations that provide essential and important services. Its goal is to reduce the number and severity of cyber incidents through stronger risk management, incident response, and supply-chain security.
NIS 2 sets minimum standards for technical and organisational measures, incident notification, and governance. Unlike its predecessor, it introduces direct liability for senior management and higher penalties for non-compliance.
Who is in scope?
NIS 2 applies to both Essential Entities and Important Entities that operate within the EU and meet certain thresholds for size or sector impact. Essential entities include:
- Energy providers and utilities
- Transport operators
- Banking and financial market infrastructure
- Healthcare organisations and laboratories
- Digital infrastructure providers (DNS, IXPs, cloud, data centres)
Important entities include:
- Manufacturers of critical products (medical, chemicals, food)
- Postal and waste management companies
- Digital service providers (marketplaces, social platforms, managed services)
Even non-EU organisations are subject to NIS 2 if they deliver services to EU customers or citizens.
Key requirements
NIS 2 establishes a common set of cybersecurity and risk management practices that entities must maintain and document.
These requirements mirror many international frameworks such as ISO 27001 and NIST CSF, making alignment achievable for organisations with mature security programmes.
Implementation steps
1. Conduct a gap analysis: review your current security posture against NIS 2 obligations. Map existing ISO 27001, SOC 2, or NIST CSF controls to identify missing areas.
2. Define governance and accountability: appoint a senior executive responsible for compliance oversight. Establish cross-functional coordination between IT, risk, and legal teams.
3. Formalise incident response procedures: document classification criteria, escalation paths, and reporting templates to meet CSIRT timelines.
4. Strengthen supply-chain oversight: categorise vendors based on criticality. Implement periodic assessments and clear contractual clauses for security and reporting.
5. Test and improve resilience: run tabletop exercises, penetration tests, and recovery simulations to validate readiness. Document lessons learned and corrective actions.
6. Monitor and document continuously: use automated monitoring and evidence collection to maintain visibility across controls, making audits faster and less disruptive.
Complyance helps organisations map NIS 2 requirements, automate evidence tracking, and maintain a continuous view of their cybersecurity posture.
NIS 2 vs NIST CSF
While both frameworks aim to strengthen cyber resilience, they serve different purposes:
NIS 2 can be seen as the regulatory implementation layer, while NIST CSF serves as a technical and procedural blueprint to meet its objectives.
NIS 2 represents a major step in harmonising cybersecurity across the EU. It brings greater accountability, clearer expectations, and tighter integration between governance, risk, and technology.
To succeed, organisations should treat compliance as a continuous process, not a one-time audit. By aligning NIS 2 with existing security frameworks and using automation for monitoring and evidence management, compliance becomes a natural extension of resilience.
Complyance helps enterprises maintain that visibility by automating control mapping, vendor oversight, and incident documentation, so teams spend less time proving compliance and more time strengthening it.
FAQs
When does NIS 2 take effect? Member states were required to transpose the Directive into national law by October 2024. Compliance enforcement began soon after.
What is the penalty for non-compliance? Fines can reach €10 million or 2 percent of global turnover, depending on severity and entity classification.
Can existing certifications help meet NIS 2 obligations? Yes. ISO 27001, ISO 22301, and SOC 2 certifications provide a strong foundation for NIS 2 compliance.
How often should incident response plans be tested? At least annually, and after any major organisational or infrastructure change.
