NIS2 in the EU

NIS2 puts liability on the desk of senior management

The EU cybersecurity directive NIS2 now applies across the European Union. Every member state transposes it into national law — Germany since December 2025, Poland from April 2026, in some countries with no transition period at all. I have gathered here, in plain language: who it covers, what it requires, which fines apply and what to do first.

This material is provided for information and does not constitute legal advice. You should confirm the final classification of your company with a lawyer.

What NIS2 is

NIS2 is the EU cybersecurity directive — formally Directive (EU) 2022/2555. It replaced the older NIS directive of 2016 and raised the bar considerably: more sectors, more obligations and fines that carry real weight. Its goal is a common, high level of cybersecurity across the entire Union.

Each member state transposes the directive into its own national law, and implementations differ in dates and detail. Germany's implementation act took effect on 6 December 2025, with no transition period; Poland's amended act on the national cybersecurity system applies from 3 April 2026. In each country a national authority supervises compliance.

"The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU."
— European Commission, digital-strategy.ec.europa.eu

In brief

Three things you need to know

Who it affects

Companies from 50 people

Medium and large entities (from 50 employees or 10 million € turnover) in 18 sectors — including manufacturing, energy, transport, healthcare and digital services. Their suppliers too, through requirements written into contracts.

Fine

Up to 10 million €

For essential entities up to 10 million € or 2 % of worldwide turnover; for important entities up to 7 million € or 1.4 %. On top of that, the personal responsibility of senior management.

Deadline

Already in force

The EU transposition deadline passed on 17 October 2024. National laws now apply — in Germany since 6 December 2025 with no transition period, in Poland from 3 April 2026 — usually with a registration window of a few months.

Scope

Who NIS2 affects

The directive divides companies into two categories — essential and important entities — depending on sector and size.

Essential entities

Larger companies in critical sectors

As a rule, companies from 250 employees or 50 million € turnover operating in the critical sectors covered by the legislation. They are subject to stricter supervision and higher fines.

Important entities

Medium companies in covered sectors

Medium-sized companies (from 50 employees or 10 million € turnover) from the covered sectors that stay below the thresholds for essential entities. A lower fine ceiling, the same core obligations.

Covered sectors

Annex I — sectors of high criticality

  • Energy, transport, banking and financial market infrastructure
  • Healthcare, drinking water and waste water
  • Digital infrastructure and management of ICT services
  • Public administration and space

Annex II — other critical sectors

  • Manufacturing (including medical devices, electronics, machinery, vehicles)
  • Production, processing and distribution of food
  • Postal and courier services, waste management
  • Chemicals manufacturing and digital service providers

The domino effect in the supply chain

Even if your company falls outside NIS2 itself, it can be pulled in indirectly. When you supply software, infrastructure or critical services to a covered entity, that customer is obliged to verify how you handle cybersecurity. In practice this means contract clauses that impose requirements on you similar to those facing your large client.

Obligations

What the law requires — ten areas

Article 21 of the directive sets out a minimum set of risk-management measures. It prescribes the required outcomes and leaves the choice of technology to the company.

  • Policies on risk analysis and information-system security
  • Incident handling — detection, response, documentation
  • Business continuity: backups, disaster recovery, crisis management
  • Supply-chain security, including relationships with software suppliers
  • Security in acquisition, development and maintenance, including vulnerability handling
  • Policies and procedures to assess the effectiveness of risk-management measures
  • Basic cyber hygiene and regular staff training
  • Cryptography and encryption where it makes sense
  • Human-resources security, access control and asset management
  • Multi-factor authentication (MFA) and secure communications

Reporting

Reporting incidents — 24 / 72 hours / one month

A significant incident is reported in stages to the competent national CSIRT or supervisory authority. The deadlines run from the moment the incident becomes known.

Stage 1

24 hours

Early warning. The first notification of the incident to the authority, indicating whether it may stem from unlawful or malicious action.

Stage 2

72 hours

Incident notification with an initial assessment of severity and impact, together with indicators of compromise (IoC).

Stage 3

One month

Final report: a full description of the incident, root-cause analysis, the measures taken and any cross-border impact.

Fines and the liability of senior management

The directive introduces fines that carry weight in the budget of any company. For essential entities they reach up to 10 million € or 2 % of total worldwide annual turnover — whichever amount is higher. For important entities it is up to 7 million € or 1.4 %.

New and decisive: senior management must approve the risk-management measures and oversee their implementation — and is liable for breaches. This responsibility cannot be fully delegated and cannot be contracted away. Cybersecurity has thereby become, once and for all, a matter for the boardroom rather than for the IT department alone.

Timelines differ between member states. Germany applies its law from day one, with registration due within three months; Poland grants a longer window, with obligations phasing in until April 2027. Wherever you operate, the direction is the same — and across the market, most affected companies still have work ahead of them.

Timeline across the EU

Dates worth writing down

Source: Directive (EU) 2022/2555 and the national implementing acts and authorities.

EU directive

Since January 2023

Directive (EU) 2022/2555 entered into force; member states had until 17 October 2024 to transpose it into national law.

National laws

2025–2026

Implementations are taking effect across the EU — in Germany since 6 December 2025 with no transition period, in Poland from 3 April 2026 — with registration deadlines a few months after entry into force.

Ongoing obligations

Continuous

Risk management, incident reporting (24 / 72 h / one month), evidence and documentation duties — to be maintained permanently.

Evidence

On request

The supervisory authority can require proof that the measures are implemented; essential entities are subject to regular oversight.

How I build NIS2-ready systems

There are three architecture decisions I make from the first day of every project — because they lead towards conformity with the directive anyway.

The data stays with you. Everything I build runs in the client's infrastructure (on-prem or on a server you control yourself, hosted wherever you prefer). That solves the supply-chain problem at the technical level before anyone even starts talking about it.

Audit logs from day one. The server keeps them automatically: who, when, what. On top of that I add whatever logging you need or the regulations demand. Access control works at record level, not just on the screen.

The documentation writes itself. It is generated automatically as the system is built. You receive a ready package that you can essentially regenerate from the system at any time — and use as the basis for any further paperwork the rules require.

Sources

Last updated: July 2026. Informational material; it does not constitute legal advice.

First step

Book 30 minutes. I answer every email myself.

The first call is a calm conversation to get to know each other. I check whether I can help at all. No slides, no sales pressure. If I see it is a poor fit, I say so directly.

Would you rather talk than write? Pick a slot in the calendar — we will meet on Zoom:
Open Cal.com →

Phone +48 601 789 966 — you can call, I pick up myself.


I reply within one business day, usually sooner.