NIS2

Network and Information Security Directive

The European directive establishing cybersecurity and incident reporting obligations for essential and important entities.

Status: Already active (applicable since 2025)
Applies to: Essential and important entities in 18 critical sectors
Maximum penalty: 10M EUR or 2% of turnover (essential entities)
Reporting times: 24h / 72h / 1 month (early warning, notification, final report)

What is NIS2?

The NIS2 Directive is the European directive that establishes mandatory cybersecurity measures for essential and important entities in critical sectors of the economy.

It significantly expands the scope of its predecessor (NIS1), including new sectors such as public administration, space, wastewater and digital service providers. It establishes clearer criteria to determine which entities are covered.

NIS2 introduces strict incident reporting obligations: an early warning within 24 hours, a detailed notification within 72 hours and a final report within 1 month. It also requires supply chain risk management and establishes the liability of management bodies.

NIS2 Status

The directive implementation timeline:

Dec 2022 - Official publication: NIS2 is published in the Official Journal of the EU.
Oct 2024 - Transposition deadline: Member States were required to transpose the directive into national legislation.
2025 - Already active: NIS2 obligations are now applicable in Member States.
Oct 2027 - Review: the Commission will review the functioning of the directive.

Key NIS2 Articles

Each article explained with real practical cases

What the law says

"Essential and important entities shall adopt appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems."

Practical case

An energy company must implement: risk analysis policies, incident management procedures, business continuity plan, supply chain security, cybersecurity training and multi-factor authentication.

EMETHRA helps you

EMETHRA analyzes your technology stack, identifies vulnerabilities in your software supply chain and generates documentation of implemented security measures to demonstrate compliance during audits.

View official text on EUR-Lex

NIS2 Compliance Process

The 5 steps to comply with the directive:

1. Risk assessment: identify critical assets and threats.
2. Security policies: document procedures and controls.
3. Incident management: prepare response templates and processes.
4. Supply chain: due diligence of critical suppliers.
5. Continuous monitoring: real-time alerts and reports.

NIS2 reports generated by EMETHRA

Templates ready for incident notification

Non-compliance sanctions

The consequences of not complying with NIS2

Applicable sanctions

Essential entities: up to 10M EUR or 2% of turnover
Important entities: up to 7M EUR or 1.4% of turnover

Directors can be personally liable and face temporary bans from exercising management functions.

Sectors affected by NIS2

Covered essential and important entities

Energy
Transport
Banking
Health
Water
Digital
Public Admin
Space

Frequently asked questions about NIS2

Answering the most common questions

NIS2 applies to essential entities (energy, transport, banking, health, water, digital infrastructure, space, public administration) and important entities (postal services, waste management, manufacturing, food, digital providers). The size threshold is medium-sized companies (50+ employees or 10M+ EUR turnover) operating in the covered sectors.

Need to comply with NIS2?

EMETHRA generates NIS2 incident notification templates (24h, 72h, 1 month) and helps you with supply chain risk management.

