The Complete NIS2 Compliance Guide for EU Tech Companies (2026)
NIS2 applies to 160,000+ EU organizations and penalties reach €10 million or 2% of global revenue. This guide covers everything EU tech companies need to know: scope assessment, the 21 required security measures, 72-hour incident reporting, DORA overlap, and a practical readiness checklist.
The NIS2 Directive (EU 2022/2555) is the most significant expansion of EU cybersecurity law since the original NIS Directive of 2016. Member states were required to transpose it into national law by October 17, 2024 — and enforcement deadlines are rapidly approaching.
For EU technology companies, this is not a compliance checkbox exercise. NIS2 fundamentally changes what 'adequate cybersecurity' means in law, raises the bar for incident reporting, extends liability to senior management, and connects directly to DORA (Digital Operational Resilience Act) for organizations in the financial sector.
This guide covers everything you need to know to assess your NIS2 status and build a realistic compliance program.
Does NIS2 Apply to Your Organization?
NIS2 introduced a broader and more precise scoping model than its predecessor. Organizations are in scope if they operate in one of the 18 critical sectors AND meet size thresholds.
The 18 NIS2 Sectors
Highly Critical (Annex I):
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health (hospitals, clinical labs, pharmaceutical R&D)
- Drinking water
- Wastewater
- Digital infrastructure (DNS, TLD registries, IXPs, cloud, datacenters, CDNs, electronic communications)
- ICT service management (B2B managed services, managed security services)
- Public administration
- Space
Other Critical (Annex II):
- Postal and courier services
- Waste management
- Chemical production and distribution
- Food production and distribution
- Manufacturing of medical devices, computers, electronics, machinery, motor vehicles
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Size Thresholds
Organizations are subject to NIS2 if they are:
- Essential entities: in Annex I sectors, with 250+ employees, or with €50M+ turnover and €43M+ balance sheet
- Important entities: in Annex I or II sectors, with 50-249 employees or €10M-€50M turnover
Exceptions (in scope regardless of size):
- DNS service providers
- TLD registries
- Qualified trust service providers
- National CSIRT-designated organizations
- Companies identified as critical by their Member State
The Technology Company Test
For technology companies, the key question is whether your primary business falls under ICT service management (managed services, managed security services) or digital infrastructure (cloud, datacenter, CDN services). If you provide IT outsourcing, managed security operations, or cloud services to enterprises in critical sectors — you are almost certainly in scope.
SaaS companies serving sectors like banking, healthcare, or energy may be in scope as ICT service providers even if they are not themselves in a critical sector.
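The scoping model above (sector membership, size thresholds, and the size-independent exceptions) reduces to a short decision procedure. The following is an added example written for this guide, not code from the guide or from any regulator. Sector labels are shortened forms of the guide's sector names, the thresholds are the ones stated above, and the dataclass, function names and sample organizations are constructed for illustration. One assumption is explicit in the code: an organization above the medium-size band (a large one) is treated as also clearing the medium threshold, so a large entity in an Annex II sector is classified as important rather than dropped.

```python
"""NIS2 scope self-assessment helper (added example, not part of the guide)."""
from dataclasses import dataclass, field

# Shortened labels for the guide's Annex I (highly critical) sectors.
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructures",
    "health", "drinking water", "wastewater", "digital infrastructure",
    "ict service management", "public administration", "space",
}
# Shortened labels for the guide's Annex II (other critical) sectors.
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}
# Entity types the guide lists as in scope regardless of size.
SIZE_INDEPENDENT = {
    "dns service provider", "tld registry", "qualified trust service provider",
    "national csirt-designated", "member-state designated critical",
}


@dataclass
class Organization:
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    entity_types: frozenset = field(default_factory=frozenset)


def is_large(org: Organization) -> bool:
    """Guide's large threshold: 250+ employees, OR (€50M+ turnover AND €43M+ balance sheet)."""
    return org.employees >= 250 or (
        org.turnover_eur >= 50e6 and org.balance_sheet_eur >= 43e6
    )


def is_at_least_medium(org: Organization) -> bool:
    """Guide's medium threshold: 50-249 employees OR €10M-€50M turnover.

    Assumption of this example: anything above those bands also clears the
    medium threshold, so a large Annex II entity is still caught.
    """
    return org.employees >= 50 or org.turnover_eur >= 10e6


def classify(org: Organization) -> str:
    """Return 'essential', 'important', 'in scope (size-independent)' or 'out of scope'."""
    sector = org.sector.strip().lower()
    if org.entity_types & SIZE_INDEPENDENT:
        return "in scope (size-independent)"
    if sector in ANNEX_I and is_large(org):
        return "essential"
    if (sector in ANNEX_I or sector in ANNEX_II) and is_at_least_medium(org):
        return "important"
    return "out of scope"


# Constructed sample organizations; none of these are real companies.
SAMPLE_ORGS = {
    "regional grid operator": Organization("energy", 900, 300e6, 250e6),
    "managed SOC provider": Organization("ict service management", 120, 20e6, 9e6),
    "boutique electronics maker": Organization("manufacturing", 30, 5e6, 3e6),
    "small DNS resolver operator": Organization(
        "digital infrastructure", 12, 1.5e6, 0.8e6,
        entity_types=frozenset({"dns service provider"}),
    ),
    "large food processor": Organization("food", 600, 120e6, 90e6),
}


def assess_all(orgs=SAMPLE_ORGS) -> dict:
    """Classify every organization in the mapping."""
    return {name: classify(org) for name, org in orgs.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name:30s} -> {result}")
```

The `is_large` check keeps the guide's precedence: the employee count alone suffices, while turnover and balance sheet must both be met. A size-independent entity type short-circuits the size logic entirely, which is the behaviour the exceptions list describes.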
The 21 Security Measures NIS2 Requires
Article 21 of NIS2 mandates that in-scope organizations implement risk-proportionate technical and organizational measures. The Directive identifies 10 minimum categories; implementing guidance from ENISA and the Commission Implementing Regulation (EU) 2024/2690 expands these into detailed technical requirements. Below is our practical breakdown of the key control areas organized under Article 21's 10 categories:
Category 1: Risk Management Policies
- Cybersecurity risk assessment — Documented annual risk analysis covering assets, threats, vulnerabilities, and mitigations
- Information security policy — Board-approved policy with defined roles, responsibilities, and review cycle
- Asset inventory — Complete register of hardware, software, and data assets with owners and criticality classifications
Category 2: Incident Response
- Incident response plan — Documented procedures for detection, containment, eradication, recovery, and post-incident review
- Incident classification criteria — Defined thresholds for 'significant incidents' triggering NIS2 reporting obligations
- Business continuity plan — Tested procedures for maintaining operations during a significant incident
Category 3: Supply Chain Security
- Supplier security assessments — Due diligence process for evaluating security posture of suppliers with access to your systems
- Contractual security requirements — Minimum security clauses in supplier and third-party contracts
- Software supply chain security — Controls over the security of software development practices and update mechanisms
Category 4: Access Control and Authentication
- Privileged access management (PAM) — Controls over accounts with elevated access to critical systems
- Multi-factor authentication (MFA) — MFA enforced for all administrative access and remote access
- Zero-trust network policies — Network segmentation preventing lateral movement between critical systems
Category 5: Cryptography and Data Protection
- Encryption at rest and in transit — Documented encryption standards for sensitive data
- Key management procedures — Processes for generation, storage, rotation, and destruction of cryptographic keys
Category 6: Physical and Environmental Security
- Physical access controls — Procedures for data center and server room access
- Environmental monitoring — Controls against environmental threats (power, temperature, flood)
Category 7: Human Resources Security
- Security awareness training — Annual security training for all staff; role-specific training for IT/security personnel
- Background verification — Pre-employment screening for personnel with access to critical systems
Category 8: Vulnerability Management
- Vulnerability management program — Processes for vulnerability identification, prioritization, and remediation
- Patch management — Defined timelines for applying security patches (critical: 72 hours; high: 14 days; medium: 30 days)
Category 9: Security Monitoring
- Security monitoring and logging — Centralized log collection, retention (minimum 18 months), and anomaly detection
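The patch timelines listed under Category 8 only become a control once something checks findings against them. Below is an added example, not code from the guide, that applies the guide's timelines (critical: 72 hours; high: 14 days; medium: 30 days) to a constructed set of vulnerability findings and reports which are within SLA, were remediated late, or are overdue. The finding records, the field names, and the handling of severities the guide assigns no timeline to (reported as having no defined SLA rather than silently passing) are this example's assumptions.

```python
"""Patch SLA compliance check (added example, not part of the guide)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timelines as stated in the guide's Category 8 bullet.
PATCH_SLA = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
}


def due_date(severity: str, discovered_at: datetime) -> Optional[datetime]:
    """Deadline for a finding, or None when the guide defines no timeline for the severity."""
    sla = PATCH_SLA.get(severity.strip().lower())
    return None if sla is None else discovered_at + sla


def evaluate(finding: dict, now: datetime) -> str:
    """One of: 'remediated in SLA', 'remediated late', 'within SLA', 'OVERDUE', 'no SLA defined'."""
    due = due_date(finding["severity"], finding["discovered_at"])
    patched = finding.get("patched_at")
    if due is None:
        return "no SLA defined"
    if patched is not None:
        return "remediated in SLA" if patched <= due else "remediated late"
    return "OVERDUE" if now > due else "within SLA"


def sla_report(findings: list, now: datetime) -> dict:
    """Map finding id -> SLA status at time `now`."""
    return {f["id"]: evaluate(f, now) for f in findings}


def overdue_ids(findings: list, now: datetime) -> list:
    """Ids of unpatched findings past their deadline, sorted for stable output."""
    return sorted(fid for fid, state in sla_report(findings, now).items() if state == "OVERDUE")


def ts(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed findings; ids and dates are illustrative, not from any real scanner.
NOW = ts(2026, 1, 10, 9)
FINDINGS = [
    {"id": "F-1", "severity": "critical", "discovered_at": ts(2026, 1, 1, 8), "patched_at": ts(2026, 1, 5, 8)},  # 4 days: late
    {"id": "F-2", "severity": "critical", "discovered_at": ts(2026, 1, 8, 8), "patched_at": ts(2026, 1, 9, 8)},  # 24h: in SLA
    {"id": "F-3", "severity": "high", "discovered_at": ts(2026, 1, 1, 8)},      # 9 days open, 14-day SLA
    {"id": "F-4", "severity": "medium", "discovered_at": ts(2025, 12, 1, 8)},   # 40 days open, 30-day SLA
    {"id": "F-5", "severity": "low", "discovered_at": ts(2025, 11, 1, 8)},      # guide defines no timeline
]

if __name__ == "__main__":
    for fid, state in sla_report(FINDINGS, NOW).items():
        print(f"{fid}: {state}")
    print("overdue:", overdue_ids(FINDINGS, NOW))
```

Recording both "remediated late" and "OVERDUE" matters for evidence: an auditor asking for proof of defined timelines will want to see not only the current backlog but the history of breaches and how they were handled.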
Incident Reporting: The 72-Hour Timeline
NIS2 introduces strict, multi-stage incident reporting obligations for significant incidents (defined as incidents having substantial impact on service delivery).
What Counts as a "Significant Incident"?
An incident is considered significant if it:
- Causes severe operational disruption to services
- Causes financial loss to the entity
- Has or may have affected other natural or legal persons (customers, suppliers)
- Results in unauthorized access to network and information systems
Reporting Timeline
Hour 0–24: Early warning — Notify your national NIS2 authority that a significant incident has occurred. Minimal details required — indicate whether the incident is suspected to be caused by malicious acts and whether it could have cross-border impact.
Hour 24–72: Incident notification — Submit formal notification including: initial assessment of incident severity, suspected cause, affected systems, geographic scope, and whether the incident may have cross-border impact.
Month 1: Final report (if incident is resolved) or progress report (if ongoing) — Update on containment, impact assessment, and remediation steps.
One month after resolution: Final report (for incidents still ongoing at the one-month mark) — Complete post-incident analysis including root cause, timeline, impact assessment, remediation actions taken, and measures implemented to prevent recurrence.
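The staged timeline above is easy to miss under incident pressure, so teams typically keep a clock that starts when an incident is judged significant. The following is an added example, not code from the guide or from any authority, that turns the stages described above (early warning by hour 24, incident notification by hour 72, final or progress report at one month, and a final report one month after resolution for incidents still ongoing at the one-month mark) into deadlines and flags which stages are overdue at a given check time. Modelling "one month" as 30 days, the stage names, and the constructed scenario are this example's assumptions.

```python
"""NIS2 significant-incident reporting clock (added example, not part of the guide)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

ONE_MONTH = timedelta(days=30)  # assumption: a calendar month approximated as 30 days

# Fixed stages measured from the moment the incident was deemed significant.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("month_one_report", ONE_MONTH),  # final report if resolved, progress report if ongoing
)


def stage_deadlines(detected_at: datetime) -> dict:
    """Deadlines for the three fixed stages."""
    return {name: detected_at + offset for name, offset in STAGES}


def final_report_deadline(detected_at: datetime, resolved_at: Optional[datetime]) -> Optional[datetime]:
    """When the complete post-incident report is due.

    Resolved within the first month: the month-one report is the final report.
    Still ongoing at month one: the final report is due one month after
    resolution, which cannot be known until the incident is resolved.
    """
    month_one = detected_at + ONE_MONTH
    if resolved_at is not None and resolved_at <= month_one:
        return month_one
    if resolved_at is None:
        return None
    return resolved_at + ONE_MONTH


def reporting_status(detected_at: datetime, submitted: dict, now: datetime,
                     resolved_at: Optional[datetime] = None) -> dict:
    """Per-stage status at `now`: 'submitted', 'submitted late', 'OVERDUE' or 'pending'."""
    deadlines = stage_deadlines(detected_at)
    final_due = final_report_deadline(detected_at, resolved_at)
    # A separate final-report stage only exists when the incident outlived month one.
    if final_due is not None and final_due != deadlines["month_one_report"]:
        deadlines["final_report"] = final_due
    status = {}
    for name, deadline in deadlines.items():
        if name in submitted:
            status[name] = "submitted late" if submitted[name] > deadline else "submitted"
        elif now > deadline:
            status[name] = "OVERDUE"
        else:
            status[name] = "pending"
    return status


# Constructed scenario: incident deemed significant at 10:00 UTC on 2 March 2026,
# early warning filed 20 hours later, nothing else filed yet.
T0 = datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc)


def hours_after(n: float) -> datetime:
    return T0 + timedelta(hours=n)


FILED = {"early_warning": hours_after(20)}


def status_at(hours: float, submitted: dict = FILED,
              resolved_hours: Optional[float] = None) -> dict:
    """Status of the constructed scenario `hours` after detection."""
    resolved_at = None if resolved_hours is None else hours_after(resolved_hours)
    return reporting_status(T0, submitted, hours_after(hours), resolved_at)


def overdue_at(hours: float, submitted: dict = FILED,
               resolved_hours: Optional[float] = None) -> list:
    return [k for k, v in status_at(hours, submitted, resolved_hours).items() if v == "OVERDUE"]


if __name__ == "__main__":
    for stage, state in status_at(80).items():
        print(f"{stage:24s} {state}")
```

The check at hour 80 in the constructed scenario shows the pattern the guide warns about: the early warning is in, but the 72-hour notification has lapsed while the team was still working the incident. Keeping the final-report deadline dependent on the resolution time also avoids a common mistake of treating the month-one progress report as the end of the obligation.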
Who to Report To
Report to your national NIS2 competent authority. In Estonia, this is the Information System Authority (RIA). For organizations operating across multiple EU Member States, report to the authority in your country of primary establishment, and potentially to authorities in affected member states.
NIS2 and DORA: The Overlap
For organizations in the financial sector (banks, insurance companies, payment institutions, crypto-asset service providers, investment firms), the Digital Operational Resilience Act (DORA) — effective January 17, 2025 — operates alongside NIS2.
Where They Align
Both frameworks require:
- ICT risk management policies and procedures
- Business continuity and disaster recovery testing
- Incident classification and reporting
- Third-party ICT risk management
Key DORA Additions
DORA goes further in several areas:
- Threat-led penetration testing (TLPT) — Large financial institutions must conduct TLPT every 3 years using TIBER-EU methodology
- ICT third-party contracts — Detailed mandatory contract clauses for ICT service providers to financial institutions (including exit strategies, audit rights, service level metrics)
- Register of ICT contracts — Maintain and report to regulators a full register of ICT third-party dependencies
- Digital operational resilience testing — Annual testing of all ICT systems; advanced testing for systemic institutions
Practical Implication
If you provide technology services to EU financial institutions, your customers will require DORA-aligned contract terms from you. Many are already sending questionnaires. Getting ahead of this demand — and being able to demonstrate NIS2 compliance — is a competitive advantage.
Management Liability Under NIS2
This is where NIS2 differs most significantly from previous cybersecurity regulations: personal liability for management body members.
Article 20 requires that management bodies (boards of directors, executive teams) of in-scope organizations:
- Approve the organization's cybersecurity risk management measures
- Receive regular cybersecurity training
- Actively oversee implementation of Article 21 measures
Article 32 enables national authorities to hold individual members of management bodies personally liable for violations, including:
- Temporary prohibitions from exercising management functions
- Public statements identifying the responsible persons and the nature of the breach
For CISOs and CTOs at in-scope organizations, this means personal accountability — not just corporate accountability — for cybersecurity failures.
Penalties and Enforcement
NIS2 establishes minimum penalty levels that Member States must implement:
| Entity Type | Maximum Administrative Fine |
|---|---|
| Essential entities | €10,000,000 or 2% of global annual turnover (whichever is higher) |
| Important entities | €7,000,000 or 1.4% of global annual turnover (whichever is higher) |
National authorities also have supervisory powers including:
- On-site inspections and off-site audits
- Security scans and penetration tests
- Requests to provide evidence of compliance
- Binding instructions to remediate specific deficiencies
For context: GDPR has generated over €7 billion in fines since 2018. NIS2 enforcement is expected to follow a similar trajectory once the initial grace periods expire.
Your NIS2 Readiness Checklist
Use this checklist to assess your current compliance status.
Scoping and Governance
- Confirmed whether your organization is in scope (sector + size threshold analysis)
- Identified your competent national authority and registered if required
- Management body has been briefed on NIS2 obligations and liability
- Board-approved cybersecurity policy exists with review date
- CISO or equivalent role designated with reporting line to management
Technical Security
- Asset inventory complete and current (hardware, software, data)
- Risk assessment conducted and documented within past 12 months
- MFA enforced for all administrative and remote access
- Network segmentation implemented for critical systems
- Encryption in place for sensitive data at rest and in transit
- Vulnerability management program operational with defined SLAs
- Centralized logging with 12-month retention
- Patch management process with documented timelines
Incident Response
- Incident response plan documented and tested (tabletop exercise within past 12 months)
- Incident classification criteria defined (what constitutes a 'significant incident')
- 24-hour early warning and 72-hour reporting process established
- Contact information for national authority documented and tested
- Business continuity plan documented and tested
Supply Chain
- Supplier security assessment process in place
- Critical supplier contracts include minimum security requirements
- Software supply chain risks assessed
People
- Annual security awareness training completed for all staff
- Role-specific training for IT/security personnel
- Background check process for privileged access roles
The Reality of NIS2 Compliance for Technology Companies
Having worked through NIS2 gap analyses for several EU technology companies in the past year, we observe a consistent pattern:
Most technology companies are closer to compliance than they think on technical controls. Development teams that follow modern DevSecOps practices — CI/CD with security gates, infrastructure as code, centralized logging, MFA — have often implemented the technical substance of NIS2 without the formal documentation.
The gap is usually in governance and process. What's missing is: a board-approved policy, documented risk assessments, formal incident response procedures with tested reporting timelines, and supplier security programs.
Supply chain is the hardest part. Assessing the security posture of every supplier with access to your systems — and updating contracts to include security requirements — takes time and often requires negotiation with vendors.
Our practical recommendation: start with a 2-day gap analysis workshop to identify your current state against the Article 21 requirements. Then prioritize: incident response capability first (it's time-sensitive and most visible to authorities), then governance documentation, then supply chain.
If you're uncertain about whether NIS2 applies to your organization or where to start, we offer free initial scoping consultations. The regulation is not as complex as it first appears — with the right approach, a mid-sized technology company can reach a defensible compliance position in 3–6 months.
[Infographic: NIS2 Compliance at a Glance. Data from EU Commission NIS2 impact assessment and ENISA 2025 threat landscape report.]