NIS2 (Network and Information Security Directive 2) is an EU directive that expands and strengthens cybersecurity requirements for organisations in critical and important sectors. It introduces stricter obligations around governance, incident reporting, supply chain security, and technical controls compared to the original NIS directive.

Who does NIS2 apply to?

NIS2 applies to organisations in essential and important sectors operating in the EU, including energy, transport, banking, health, digital infrastructure, and managed service providers. Scope depends on sector classification and whether the organisation meets size thresholds, though some obligations apply regardless of size.

What does NIS2 require in practice?

NIS2 requires organisations to implement appropriate technical and organisational security measures, establish incident response and reporting processes, manage supply chain and third-party risk, and demonstrate accountability at board level. It places specific obligations on management rather than delegating security entirely to IT teams.

When does NIS2 take effect?

NIS2 was adopted in December 2022. EU member states were required to transpose it into national law by October 2024. Enforcement timelines vary by country, but organisations should treat requirements as active and begin readiness work now.

What is the difference between NIS and NIS2?

NIS2 significantly expands scope to cover more sectors and organisation types, introduces stricter incident reporting timelines, adds supply chain security obligations, increases management accountability and personal liability, and sets higher minimum security requirements than the original NIS directive.

Knowledge

NIS2 explained

NIS2 is an EU cybersecurity directive that expands expectations around governance, risk management, incident handling, supply chains, and technical and organisational measures. Many teams have heard the name but are still unclear on what it means for their environment.

Discuss your NIS2 readiness See related services

What NIS2 is

NIS2 is the updated EU framework for a higher common level of cybersecurity across member states. It goes beyond “be secure” language and expects organisations to manage cyber risk in a more structured and defensible way.

In practice, NIS2 is not only about one security tool or one policy document. It touches:

how risks are identified and managed
how incidents are prepared for and handled
how suppliers and dependencies are considered
how technical and organisational measures are chosen and maintained
how management oversight and accountability work

That is why many teams discover that NIS2 is broader than they first assumed.

Does this apply to us?

operates in an essential or important sector
is being asked about NIS2 by customers, partners, or leadership
expects future assessment, audit, or regulatory scrutiny
supports in-scope organisations through IT, cloud, software, managed services, or security work
already has controls and tooling, but is unsure whether they map cleanly to NIS2 expectations

What changes in practice

NIS2 matters because it pushes organisations away from vague awareness and toward more defensible security management.

In practice, teams often need to think more clearly about:

management responsibilities and decision quality
ownership of security activities
incident reporting readiness
access and control design
supply-chain and dependency risk
evidence that controls exist and actually work
how security priorities are chosen, tracked, and revisited

This is often where the real work begins: not in reading the directive, but in turning it into decisions, control improvements, and operational routines.

Common misunderstandings

”NIS2 is just paperwork.”

Documentation matters, but it is weak if the underlying controls, ownership, and evidence are not real.

”NIS2 is mainly an IT issue.”

It involves management oversight, operational readiness, supplier risk, and organisation-wide accountability.

”If we already do security work, we are probably fine.”

Maybe, maybe not. Many teams already do useful work, but the gaps often appear in coordination, evidence, prioritisation, and consistency.

”It is only relevant once the regulator contacts us.”

That is usually too late. Buyers, partners, and internal stakeholders often start asking questions earlier.

Common gaps

Organisations often struggle with one or more of the following:

broad awareness but unclear scoping
policies that do not translate into technical action
tools in place but weak prioritisation logic
unclear control ownership across teams
incident plans not grounded in operational reality
security activities that exist but are hard to evidence
supplier risk treated as a checkbox rather than a real dependency question

How WFH Labs helps

WFH Labs helps teams move from “we know NIS2 matters” to “we know what to do next.”

We reduce the topic to the questions that actually matter for the specific environment. Then we identify where ownership needs clarifying, where control logic is weak, and where existing work simply needs to be framed better.

The goal is a realistic sequence of technical and organisational steps — not one oversized compliance project.

See the NIS2 technical readiness service page for engagement details.

FAQ

Is NIS2 only for very large organisations?

No. Size matters in scope decisions, but NIS2 reaches beyond the biggest enterprises. Sector, role, and organisational importance also matter.

Does ISO 27001 automatically solve NIS2?

Not automatically. It can help, but NIS2 still needs practical interpretation, operational readiness, and real control evidence.

Do we need to know our exact legal scope before doing anything?

Not necessarily. Many teams benefit from early preparation because the practical issues are worth addressing regardless.

Is NIS2 mainly about supply chain and vulnerability management?

Those are important parts, but NIS2 is broader. It also touches governance, incidents, resilience, controls, and accountability.

Sources and official references are listed in the sidebar.

At a glance

What it is: An EU-wide cybersecurity directive for essential and important entities across a broad range of sectors.
Who it affects: Organisations in scope, plus teams that support them through IT, software, managed services, or supply chains.
Why it matters: It raises expectations for governance, operational readiness, supplier risk, and real security controls.
Where teams struggle: Understanding scope, turning broad text into practical action, and connecting policy language to technical reality.

Key takeaways

NIS2 is not just paperwork — underlying controls, ownership, and evidence need to be real
Scope interpretation is often more nuanced than it first appears
Governance, incidents, suppliers, and technical measures are all affected
Early preparation is almost always less expensive than reacting under pressure

Relevant if

You are in an essential or important sector, or support organisations that are
Customers, partners, or leadership are already asking NIS2 questions
You want to understand what the directive actually changes before pressure increases

Official sources

European Commission — NIS2 Directive overview EUR-Lex — Directive (EU) 2022/2555 (NIS2)ENISA — NIS2 Directive page ENISA — NIS2 Technical Implementation Guidance

Useful next pages

The next step is usually to move from understanding the topic into a more practical discussion of the related work.

Service

NIS2 technical readiness

WFH Labs helps organisations turn broad NIS2 requirements into practical technical priorities, clearer ownership, and a realistic action plan.

View service

Knowledge

ISO 27001 technical readiness explained

A plain-language guide to ISO 27001 technical readiness — what the standard is, what organisations often misunderstand, and where the real work begins.

Read explainer

Knowledge

Vulnerability management explained

A practical guide to vulnerability management — what it is, why scanning alone is not enough, and where teams commonly struggle to turn findings into action.

Read explainer

Next step

Need help turning NIS2 into practical priorities?

WFH Labs helps organisations move from broad NIS2 awareness to a realistic technical action plan. The next step is usually a short situation discussion.

Discuss your NIS2 readiness Company details