NIS2 Directive Compliance

Stop Guessing Whether NIS2 Applies to You: Get Clarity in 5 Minutes

Updated 2026-05-18
Key Takeaways: NIS2 applies to 160,000+ EU entities across 18 sectors — this page explains scope rules, size-cap exceptions, supply-chain obligations, and how to manage group-wide compliance.

Over 160,000 EU entities across 18 sectors now face mandatory NIS2 cybersecurity obligations. If your organization operates in the EU, or serves EU customers, you may already be in scope and not know it.

Get the Free NIS2 Checklist

Free PDF, 2 fields, no credit card, instant access

4.8 / 5 Customer satisfaction score
93% Would recommend Priverion
Swiss-hosted European data residency
Trusted by 50+ privacy teams across 14 countries
Why NIS2 Scope Is So Confusing

Three Forces That Make NIS2 Applicability Harder Than GDPR

Most compliance leaders we speak with have read the directive, and still aren't certain whether every subsidiary is in scope. That confusion isn't a knowledge gap. It's a structural problem built into how NIS2 was designed.

16x

Expansion in entities covered vs. the original NIS Directive, from ~10,000 to 160,000+

Source: European Commission NIS2 impact assessment, 2022

The Size-Cap Rule Has Exceptions That Catch You Off Guard

NIS2 generally targets organizations with 50+ employees or €10M+ turnover in 18 sectors. Simple enough, until you discover that DNS providers, TLD registries, trust service providers, and sole providers of essential services are in scope regardless of size. One 15-person subsidiary running your group's DNS could pull the entire organization into compliance obligations nobody planned for.

27

EU member states transposing NIS2 into national law, each with potential variations in scope and enforcement

NIS2 Directive (EU) 2022/2555, Article 41; national transposition deadline October 2024

National Transposition Creates a Patchwork of Requirements

Germany's NIS2UmsuCG introduces additional entity categories beyond the directive. Belgium, the Netherlands, and France each have their own enforcement nuances. If your group operates across multiple EU jurisdictions, which is exactly who Priverion serves, you're not managing one regulation. You're managing a matrix of national interpretations, each with different supervisory authorities, reporting timelines, and penalty structures.

€10M

Maximum fine for essential entities, or 2% of global annual turnover, whichever is higher

NIS2 Directive (EU) 2022/2555, Article 34(4) and 34(5)

Supply Chain Obligations Extend Scope to Companies That Think They're Exempt

Article 21(2)(d) requires in-scope entities to address supply chain security, meaning they'll impose NIS2-aligned requirements on their suppliers through contracts. Even if your organization doesn't meet the size threshold or operate in a listed sector, your clients can pull you into compliance. IT service providers, cloud vendors, and outsourced process providers are particularly exposed. And management bodies can be held personally liable for non-compliance; this isn't abstract risk.

Not sure if your organization, and its subsidiaries, fall within NIS2 scope?


200+

Hours saved on ROPA management

Medtec redirected 200+ hours from manual ROPA documentation to ISO 27001 preparation during their first year on Priverion

60%

Lower total cost vs. legacy platforms

Based on published per-user, per-module pricing of enterprise privacy platforms compared to Priverion's per-company model for a 10-entity, 500-user organization

3 mo

Ahead of schedule on ISO 27001 certification

Medtec accelerated their ISO 27001 readiness by three months using Priverion's audit-ready evidence packages and automated documentation

What Our Customers Say

Trusted by Compliance Teams Across Europe

Privacy and compliance leaders at multi-entity organizations rely on Priverion to operationalize NIS2 and GDPR compliance.

"We needed to map NIS2 applicability across 12 subsidiaries in 5 EU jurisdictions. Priverion gave us a single dashboard that replaced a maze of spreadsheets. We achieved full NIS2 compliance readiness across all entities in 8 weeks."

Stefan Mueller

Group Head of IT Compliance, Industriewerk Holding AG

Result: NIS2 compliance across 12 subsidiaries in 8 weeks

Based on customer interview, Q1 2025

"Priverion cut our compliance administration time by 60% within the first six months. The automated ROPA recertification alone saved us from hiring an additional FTE. The Swiss hosting was a decisive factor for our board."

Claudia Berger

Data Protection Officer, Aircraft manufacturer Ltd

Result: 60% less compliance admin time in 6 months

Based on customer case study, Q4 2024

"We redirected over 200 hours from manual documentation to ISO 27001 preparation. Priverion's evidence packages made our certification audit remarkably smooth; we were three months ahead of our original timeline."

Dr. Thomas Keller

CEO, Medtec AG

Result: 200+ hours saved, ISO 27001 certified 3 months early

Based on customer case study, Q1 2025

Priverion vs. OneTrust

Why mid-market privacy teams are making the switch

OneTrust serves Fortune 500 organizations with broader GRC scope and dedicated privacy teams. Priverion was built for organizations that need enterprise-grade compliance without the enterprise overhead.

What you get with OneTrust

Per-module, per-user pricing

Costs escalate with every new user, module, and subsidiary. Budget requests become a quarterly ritual.

US-headquartered, global data processing

In a post-Schrems II landscape, US-based processing creates legal exposure for European data transfers that your DPA will ask about.

Built for the Fortune 500

Sprawling feature sets including ESG, ethics hotlines, and cookie consent mean longer onboarding, steeper learning curves, and paying for capabilities you'll never use.

200+ integrations, most shallow

A long connector list sounds impressive until you realize most require custom configuration and ongoing maintenance.

Months to deploy

Enterprise sales cycles and implementation timelines measured in quarters, not weeks.

What you get with Priverion

Predictable pricing, no expansion traps

Priced by number of companies and organizational size, not per user or per module. Add team members without renegotiating your contract.

Swiss-built, Swiss-hosted, European data residency

All data processing stays within Swiss infrastructure. Not a marketing checkbox, but a legal requirement for cross-border data transfers in a post-Schrems II world.

Purpose-built for group-wide privacy

ROPA, DPIA, vendor risk, DSR, incident management, and cross-entity data mapping in one platform. We don't do ESG or cookie consent; we do privacy management exceptionally well.

Deep integrations where they matter

HR, procurement, and IT asset management systems: the workflows that actually drive privacy compliance. Deep connectors that work reliably, not 200 shallow ones that don't.

Operational in weeks, not months

Aircraft manufacturer cut compliance admin time by 60% in their first 6 months. Medtec saved 200+ hours preparing for ISO 27001. Time-to-value is measured in weeks.

Aircraft manufacturer: first 6 months post-implementation | Medtec: ISO 27001 preparation

Switching doesn't have to be painful. Most teams are fully migrated within weeks.

NIS2 Sectors

The 18 Sectors Covered by NIS2, and Why Classification Matters

NIS2 divides in-scope entities into two categories with different obligations and penalty regimes. Knowing where your organization and its subsidiaries fall is the first step toward a targeted compliance strategy.

Sectors of High Criticality (Annex I): "Essential Entities"

Subject to proactive supervision by competent authorities. Maximum fines of €10M or 2% of global turnover. 24-hour early warning and 72-hour incident notification requirements.

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health (hospitals, laboratories, pharma, medical devices)
  • Drinking water
  • Waste water
  • Digital infrastructure (DNS, TLD, cloud, data centres, CDNs, trust services)
  • ICT service management (B2B managed service and security providers)
  • Public administration (central government)
  • Space

Other Critical Sectors (Annex II): "Important Entities"

Subject to reactive (ex-post) supervision. Maximum fines of €7M or 1.4% of global turnover. Same incident reporting timelines apply.

  • Postal and courier services
  • Waste management
  • Chemicals (manufacture, production, distribution)
  • Food (production, processing, distribution)
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organizations

Operate across multiple sectors or jurisdictions? That's exactly what Priverion was built for.


Free NIS2 resource

Find out in 5 minutes whether your organization falls under NIS2

A structured, 2-page checklist covering the size-cap rule, all 18 sectors, supply chain triggers, and national transposition exceptions. Used by 2,400+ compliance professionals since launch.

2,400+

Checklists downloaded since Q3 2024

5 min

Average time to complete the assessment

18

Sectors covered with specific guidance


About this page — references, definitions, and FAQs

Key Takeaways — NIS2 Directive Compliance Scope

The NIS2 Directive (EU) 2022/2555 expands EU cybersecurity obligations to over 160,000 entities across 18 critical sectors in all 27 member states. Organizations with 50+ employees or €10M+ annual turnover in listed sectors must comply, though size-cap exceptions apply to DNS providers, TLD registries, and trust service providers. Supply-chain obligations under Article 21(2)(d) extend compliance requirements to vendors and service providers who may not otherwise be in scope. National transposition creates a patchwork of requirements, making group-wide compliance particularly challenging for multi-entity organizations.

Definitions

What is the NIS2 Directive?

NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across all member states. It replaces the original NIS Directive (2016/1148) and significantly expands the scope, harmonizes penalties, and introduces management liability. The full text is available at EUR-Lex — Directive (EU) 2022/2555.

What is an Essential Entity under NIS2?

Essential Entity refers to organizations in 11 high-criticality sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) that meet the size-cap threshold. Essential entities face stricter supervisory regimes and higher penalties — up to €10 million or 2% of global annual turnover. Source: NIS2 Directive, Article 3 and Annex I.

What is an Important Entity under NIS2?

Important Entity covers organizations in 7 additional sectors (postal services, waste management, chemicals, food production, manufacturing, digital providers, and research) that meet the size threshold. Important entities face penalties of up to €7 million or 1.4% of global annual turnover. Source: NIS2 Directive, Article 3 and Annex II.

What is the Size-Cap Rule?

Size-Cap Rule is the general threshold that brings organizations into NIS2 scope: 50 or more employees, or annual turnover/balance sheet exceeding €10 million. However, certain entity types — DNS providers, TLD name registries, qualified trust service providers, and sole providers of essential services — are in scope regardless of size. Source: NIS2 Directive, Article 2.

Frequently Asked Questions

Who needs to comply with the NIS2 Directive?

NIS2 applies to medium and large organizations (50+ employees or €10M+ turnover) operating in 18 critical sectors across all 27 EU member states. Certain entities such as DNS providers, TLD registries, and trust service providers must comply regardless of size. According to the European Commission's NIS2 impact assessment, over 160,000 entities are estimated to fall within scope — a 16-fold increase from the original NIS Directive.

What are the penalties for NIS2 non-compliance?

Essential entities face administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover. Critically, Article 20 of the directive introduces personal liability for management bodies that fail to approve and oversee cybersecurity risk-management measures. Source: NIS2 Directive, Articles 34(4), 34(5), and 20.

Which 18 sectors are covered by NIS2?

NIS2 covers 11 essential sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and 7 important sectors (postal and courier services, waste management, manufacture/production/distribution of chemicals, food production/processing/distribution, manufacturing, digital providers, research). The full sector lists are defined in Annexes I and II of Directive (EU) 2022/2555.

Does NIS2 apply to companies outside the EU?

Yes. Non-EU companies providing services within the EU in covered sectors may fall under NIS2 scope. Additionally, Article 21(2)(d) requires in-scope entities to impose supply-chain security requirements on their suppliers through contractual obligations, effectively extending compliance requirements to non-EU vendors and service providers. ENISA's guidance on NIS2 implementation confirms this extraterritorial reach. Source: ENISA — NIS Directive topic page.

How does NIS2 differ from the original NIS Directive?

NIS2 dramatically expands scope from approximately 10,000 entities under NIS1 to over 160,000 entities. Key differences include: 7 new sectors added, harmonized penalty framework across all member states, mandatory 24-hour early warning for significant incidents (previously not standardized), explicit supply-chain risk management requirements under Article 21(2)(d), and personal liability for management bodies under Article 20. Source: Directive (EU) 2022/2555.

What is the NIS2 incident reporting timeline?

NIS2 mandates a three-stage incident reporting process defined in Article 23: (1) an early warning within 24 hours of becoming aware of a significant incident, (2) an incident notification within 72 hours providing an initial assessment of severity and impact, and (3) a final report within one month detailing root cause analysis, cross-border impact, and remediation measures taken. Source: NIS2 Directive, Article 23.

How does national transposition affect NIS2 compliance?

Each of the 27 EU member states must transpose NIS2 into national law, which can introduce variations in scope, enforcement mechanisms, and supervisory authority structures. For example, Germany's NIS2UmsuCG introduces additional entity categories beyond the directive's baseline. Organizations operating across multiple jurisdictions must track each country's transposition status and any additional national requirements. The original transposition deadline was October 17, 2024, though several member states have experienced delays. Source: NIS2 Directive, Article 41.

Can supply-chain obligations pull exempt companies into NIS2 scope?

Yes. Article 21(2)(d) of NIS2 requires in-scope entities to address supply-chain security, meaning they will impose NIS2-aligned cybersecurity requirements on their suppliers through contractual clauses. Even organizations that do not meet the size threshold or operate in a listed sector can be pulled into de facto compliance by their clients. IT service providers, cloud vendors, managed security service providers, and outsourced process providers are particularly exposed to these cascading obligations.

NIS2 Statistics and Context

According to the European Commission's NIS2 impact assessment (2022), the directive expands coverage from approximately 10,000 entities under the original NIS Directive to over 160,000 entities — a 16-fold increase. The directive covers 18 sectors across all 27 EU member states. Essential entities face maximum fines of €10 million or 2% of global annual turnover, while important entities face fines of up to €7 million or 1.4% of global turnover. ENISA's 2023 Threat Landscape report noted that the healthcare and energy sectors experienced the highest volume of cyber incidents among NIS-covered sectors, underscoring the rationale for NIS2's expanded scope. Source: ENISA Threat Landscape 2023.

NIS2 Essential vs. Important Entities — Comparison

Criterion | Essential Entities | Important Entities
Sectors | 11 sectors (Annex I): energy, transport, banking, health, water, digital infrastructure, ICT management, public admin, space, financial markets, wastewater | 7 sectors (Annex II): postal, waste, chemicals, food, manufacturing, digital providers, research
Maximum Fine | €10M or 2% of global annual turnover | €7M or 1.4% of global annual turnover
Supervisory Regime | Ex-ante: proactive audits and inspections by authorities | Ex-post: supervision triggered by evidence of non-compliance
Incident Reporting | 24h early warning, 72h notification, 1-month final report | 24h early warning, 72h notification, 1-month final report
Management Liability | Yes — personal liability under Article 20 | Yes — personal liability under Article 20
Size Threshold | 50+ employees or €10M+ turnover (with exceptions) | 50+ employees or €10M+ turnover