---
title: NIS2 Directive (Directive EU 2022/2555)
type: concept
tags: [nis2, cybersecurity, supply-chain-risk, eu-directive, critical-infrastructure, legal, regulatory-risk]
sources: ["[[sources/2025-crisk-dora-nis2-overview]]", "[[sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation]]"]
created: 2026-04-27
updated: 2026-04-27
---

# NIS2 Directive

EU **Directive 2022/2555**, updating the original NIS Directive on cybersecurity for network and information systems.

**In force 16 January 2023; transposition deadline 17 October 2024 (missed by several Member States — late-2025 compliance).**

As a Directive, it requires national transposition — implementation varies by Member State.

## Scope

NIS2 applies to medium and large organisations in critical sectors. Its scope is significantly broader than that of the original NIS Directive.

### Two scope categories

| Category | Description | Regime |
|---|---|---|
| **Essential entities** | Sectors where disruption could have severe societal/economic consequences | Full supervisory regime |
| **Important entities** | Other critical sectors | Lighter supervisory regime |

Both categories must comply with the same core cybersecurity risk-management and incident-reporting obligations — the difference is in supervisory intensity (proactive vs. reactive).

### Threshold

- General: 50+ employees or annual turnover exceeding €10 million.
- Some entities are included regardless of size due to systemic importance.

### Sectors covered

- Energy
- Transport
- Banking + financial market infrastructures (also under [[concepts/dora|DORA]])
- Health, drinking water, wastewater
- **Digital infrastructure** — cloud service providers, data centres, content delivery networks, managed service providers, managed security service providers
- Public administration (central + regional)
- Space
- Postal/courier services
- Manufacturing of critical products
- Food production/processing/distribution
- Chemical production
- Research

## Core focus areas

- **Governance and accountability** — oversight responsibilities placed on executives. Management bodies approve cybersecurity risk-management measures, oversee implementation, and ensure policies, controls and training are in place.
- **Incident handling and reporting** — detect, assess, respond, report. Structured framework with **early warnings (24 hours), incident notifications (72 hours), final reports (1 month)**.
- **Third-party and supply-chain risk management** — explicitly extends cybersecurity expectations across the supply chain.
- **Business continuity and crisis management** — backup, disaster recovery, crisis response, system restoration.

## Connection to AI-driven process automation

NIS2 implications for organisations deploying AI in business-process automation:

- **Cybersecurity risk-management measures** (Art. 21) must address AI-specific threats — adversarial inputs, prompt injection, model poisoning, data exfiltration via AI tools.
- **Supply-chain security**: the LLM/AI service providers many BPM systems rely on are themselves third parties — covered by NIS2 vendor-diligence expectations.
- **Incident reporting**: a major AI-driven process failure (e.g. fraudulent transactions waved through by a compromised classifier) qualifies as a significant incident → 24-hour early warning, 72-hour notification, 1-month final report.
- **Executive accountability**: "personally liable for gross negligence in cybersecurity oversight" — a widely cited consequence of NIS2 (e.g. by [[sources/2025-crisk-dora-nis2-overview|C-Risk]]).

## Status (per [[sources/2026-bcc26-eu-digital-regulation-interpretation-to-implementation|BCC26 Jan 2026]])

- Transposition deadline (Oct 2024) was missed by several Member States.
- At time of writing of the [[sources/2025-crisk-dora-nis2-overview|C-Risk overview]]: only **17 of 27 EU Member States** had transposed NIS2 into national law.
- January 2026 = grace period; supervision begins through 2026.

## Connection to DORA and AI Act

- **NIS2 × DORA**: financial entities under DORA are typically *also* under NIS2 (banking is a NIS2 essential sector). DORA acts as lex specialis for financial-sector ICT resilience, but NIS2's broader governance and supply-chain requirements may still apply where DORA is silent. The "regulatory collision" point is where these regimes' incident-reporting timelines and materiality tests differ.
- **NIS2 × AI Act**: NIS2 covers cybersecurity risks of AI systems used in critical infrastructure; the AI Act covers fundamental-rights and conformity risks. A compromised AI component used in regulated sectors may trigger reporting under both regimes — distinct timelines, distinct authorities.

## Risks for process automation

| Failure mode | NIS2 trigger |
|---|---|
| AI tool used in healthcare workflow exfiltrates patient data | Significant incident in health sector → reporting cascade |
| Prompt injection compromises agentic system in critical-infrastructure operator | Cybersecurity risk-management failure → board accountability |
| LLM provider outage halts public-administration process | Supply-chain concentration risk → vendor-diligence question |

## Related

[[concepts/dora]] · [[concepts/eu-ai-act]] · [[concepts/ict-third-party-risk]] · [[concepts/agentic-bpm]] · [[concepts/gdpr-article-22]]