TL;DR
- NIS2 (Directive (EU) 2022/2555) is the second-generation EU directive on network and information security, replacing NIS1 (Directive (EU) 2016/1148).
- It entered into force on 16 January 2023; member states were required to transpose it into national law by 17 October 2024.
- Scope is dramatically expanded: many more sectors, lower size thresholds, and a clearer obligation regime than NIS1.
- In-scope entities face cyber-risk management duties (Article 21), supply-chain security, a staged incident-reporting regime that starts with a 24-hour early warning (Article 23), and personal accountability for senior management (Article 20).
What NIS2 Is
The Network and Information Security Directive 2 (NIS2) is the EU's headline cyber-resilience directive. It replaces the original NIS Directive of 2016 (Directive (EU) 2016/1148), which had been criticised for inconsistent transposition across member states, narrow scope, and weak enforcement.
NIS2 broadens the scope, harmonises the rules, raises sanctions, and introduces individual accountability for senior management. Because it is a directive rather than a regulation, it does not bind entities directly: it entered into force on 16 January 2023, member states had until 17 October 2024 to transpose it into national law, and the obligations that actually apply to an entity are those of the national implementing act in each member state where it operates. As of 2026 transposition is largely complete, though uneven in places.
Who Is in Scope
NIS2 lists the in-scope sectors in two annexes and then sorts entities into 'essential' and 'important' categories. Both categories carry the same Article 21 and Article 23 obligations; what differs is the supervisory regime (essential entities face proactive, ex-ante supervision, important entities face ex-post supervision triggered by evidence of non-compliance) and the fine ceilings.
| Annex | Sectors |
|---|---|
| Annex I (sectors of high criticality) | Energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure (including cloud, DNS, TLD registries, IXPs, data centres, CDNs, trust service providers), ICT service management (B2B), public administration, space. |
| Annex II (other critical sectors) | Postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research. |
Size threshold: the directive generally applies to entities that are at least medium-sized under the EU SME definition (50 or more staff, or annual turnover and balance-sheet total both above EUR 10 million). Entities in Annex I sectors that exceed the ceilings for medium-sized enterprises (250 or more staff, or turnover above EUR 50 million and balance sheet above EUR 43 million) are essential; medium-sized Annex I entities and Annex II entities are important unless a member state designates them as essential. Some entities are in scope regardless of size, including DNS service providers, top-level domain name registries, trust service providers, providers of public electronic communications networks or services, central public administration entities, and entities identified as critical under the CER Directive (Directive (EU) 2022/2557). Check the national transposition: member states may designate additional entities and may adjust the categorisation.
The Risk Management Obligations
Article 21 sets out the cybersecurity risk management measures that in-scope entities must implement. The minimum list:
- Policies on risk analysis and information system security.
- Incident handling.
- Business continuity (backups, disaster recovery, crisis management).
- Supply chain security, including the security aspects of the entity's relationships with its direct suppliers and service providers.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the cybersecurity risk management measures.
- Basic cyber-hygiene practices and cybersecurity training.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies, asset management.
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
Incident Reporting
Article 23 introduces a structured reporting timeline for significant incidents, with every clock starting when the entity becomes aware of the incident:
- Within 24 hours of becoming aware: early warning to the national CSIRT or competent authority, indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have cross-border impact.
- Within 72 hours of becoming aware: incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- On request of the CSIRT or authority: intermediate reports with relevant status updates.
- Within one month of submitting the incident notification: final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and still ongoing, and any cross-border impact. If the incident is still being handled at that point, a progress report is due instead, with the final report one month after handling concludes.
- Where appropriate, recipients of the service who are likely to be affected must also be notified without undue delay.
The 24-hour early warning is a significantly shorter window than NIS1's 'without undue delay' and tighter than GDPR Article 33's 72 hours, and the two regimes have different triggers: GDPR covers personal data breaches, NIS2 covers incidents that significantly disrupt service provision, so a single event such as ransomware can start both clocks towards two different authorities. Have an incident-response playbook that explicitly flags the NIS2 obligations, records the time the entity became aware (the point from which the deadlines run), defines how 'significant' is assessed, and assigns the reporting role; do not assume the GDPR breach-response process will cover it.
Management Accountability
Article 20 requires the management bodies of in-scope entities to approve the cybersecurity risk-management measures and to oversee their implementation. Members of the management body can be held liable for the entity's infringements of Article 21, and member states must require them to follow cybersecurity training on a regular basis; entities are also encouraged to offer similar training to their employees.
Penalties
Fine ceilings are tier-aligned. Article 34 requires member states to provide for maximum fines of at least:
- Essential entities: EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
- Important entities: EUR 7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
- Non-monetary measures are also available for essential entities that fail to comply with enforcement deadlines: temporary suspension of a certification or authorisation for the relevant services or activities, and a temporary prohibition on persons at CEO or legal-representative level from exercising managerial functions in that entity.
Relationship to UK
The UK is no longer subject to NIS2 directly. The Network and Information Systems Regulations 2018 (the UK transposition of NIS1) remain in force, and the UK government has announced a Cyber Security and Resilience Bill that broadly tracks NIS2's ambitions for digital infrastructure providers and managed service providers. UK providers selling into the EU should still treat NIS2 as relevant: Article 21(2)(d) makes in-scope customers responsible for the security of their direct suppliers, so if you serve essential or important EU entities, their obligations are likely to flow down to you through contract terms, questionnaires and audit rights.
Where Yobitel Sits
Yobitel's UK regulatory baseline reflects UK NIS-equivalent rules. For customers in NIS2 scope using Yobitel infrastructure, we operate to NIS2-compatible incident reporting timelines and provide the supply-chain evidence (sub-processor lists, security attestations) needed for the customer to satisfy their own obligations.
References
- Directive (EU) 2022/2555 (NIS2), EUR-Lex
- ENISA, NIS Directive
- European Commission, NIS2 Directive