
The EU NIS2 Directive

NIS2 increases the requirements for cybersecurity, risk management, and reporting processes for essential and important entities across 18 critical sectors in the EU.

Reading time: 7 minutes

On this page:

  • What is NIS2?
  • Objectives of the NIS2 Directive
  • Affected Organizations
  • NIS2 Quick Check
  • Requirements
  • Reporting Obligations
  • Timeline and Deadlines
  • How Greenbone Helps

What is the EU NIS2 Directive?

The NIS2 Directive is a key component of the European cybersecurity strategy. It requires organizations in critical and important sectors to ensure an appropriate level of security, actively manage risks, and report security incidents. Its aim is to sustainably strengthen the resilience of critical infrastructure and digital services across the EU. Together with the Cyber Resilience Act and the Digital Operational Resilience Act, NIS2 forms an important part of the European framework for digital resilience.

For more than 15 years, Greenbone has been helping customers prepare for the highest possible security standard. We see NIS2 as an opportunity to provide support and build the strongest possible cyber resilience. OPENVAS SECURITY INTELLIGENCE with OPENVAS SCAN supports organizations with continuous vulnerability management. For small and medium-sized IT environments, OPENVAS BASIC can be a practical starting point.

The EU NIS2 Directive: What Are Its Objectives?

The NIS2 Directive is intended to ensure a high common level of cybersecurity across the EU and reduce cyber threats to essential services. Baseline security measures and governance standards are designed to prevent incidents that could impair critical services, destabilize key sectors, or cause significant social and economic damage.

Increase the Common Security Level

NIS2 creates a more consistent minimum level of cybersecurity across the EU and strengthens cooperation between Member States, supervisory authorities, and CSIRTs.

Make Essential Services More Resilient

Affected entities are expected to actively manage cyber risks, better prevent security incidents, and maintain operational capability even in a crisis.

Increase Management Accountability

Cybersecurity becomes a leadership responsibility: executive management must oversee risk measures and bears greater responsibility in the event of violations.

Who Must Comply with NIS2?

NIS2 applies to organizations in defined critical sectors as well as to important economic actors. The relevant criteria are sector, size, and the importance of the services provided. Organizations are classified as “essential” or “important” entities, with different requirements and levels of supervisory intensity.

18 Critical Sectors

NIS2 covers sectors including energy, transport, healthcare, digital infrastructure, public administration, chemicals, food, and digital providers.

Essential Entities

These typically include large organizations in particularly critical areas as well as certain providers that may fall within scope regardless of their size.

Important Entities

Important entities must also implement appropriate technical, organizational, and operational measures and report significant security incidents.

[Figure: Classification of relevant sectors into essential and important entities under NIS2.]

NIS2 Quick Check: Is Your Organization Affected?

A few criteria can quickly indicate whether your organization falls under the NIS2 Directive.

Check the Sector

Is your organization active in one of the 18 NIS2 sectors such as energy, healthcare, digital infrastructure, public services, chemicals, food, research, or industry?

Assess the Size

Does your organization have at least 50 employees, or annual revenue or a balance sheet total of at least EUR 10 million? If so, additional requirements may be relevant.

Assess Security Maturity

Are asset management, vulnerability management, incident handling, backup, supply chain security, and reporting channels already documented and reviewed regularly?

[Figure: NIS2 quick check. Schematic classification of NIS2 relevance based on key criteria such as sector, size, and security level.]

What Requirements Apply to Affected Organizations?

NIS2 requires organizations to implement technical, organizational, and operational security measures. These include, in particular, risk management, vulnerability management, and incident handling.

Risk Analysis and Security Concepts

Affected entities must define and implement concepts for risk analysis and information security and regularly adapt them to the threat landscape.

Asset and Vulnerability Management

IT assets must be visible. Vulnerabilities should be identified, prioritized, and remediated regularly to keep systems and applications secure.

Incident Handling and Crisis Management

Organizations must establish processes for detecting, analyzing, and handling security incidents and clearly document reporting channels.

Business Continuity and Backup

Backup management, recovery planning, emergency communication, and crisis processes should ensure operational capability even during security incidents.

Supply Chain and Service Providers

Risks involving third-party providers, suppliers, and service providers must be assessed and incorporated into security concepts and contractual processes.

Training, Cryptography, and Access Protection

Awareness measures, cyber hygiene, encryption, secure communication, and access controls become part of a resilient security program.

What Reporting Obligations Does NIS2 Provide For?

Security incidents must be reported within defined deadlines. NIS2 provides for a multi-stage reporting process.

| Step | Deadline | Content |
|---|---|---|
| Early Warning | Within 24 hours of becoming aware | Initial notification that a significant security incident has occurred or is likely to occur. |
| Initial Assessment | Within 72 hours of becoming aware | Assessment of severity, impact, and, where available, indicators of compromise. |
| Intermediate Report | At the request of the competent authority | Updated status, further findings, and progress in handling the incident. |
| Final Report | Usually within one month | Root cause analysis, assessment of the impact, and description of the remedial measures taken. |

[Figure: Timelines for reporting security incidents under NIS2 (24 hours, 72 hours, and final report).]


NIS2 requires regular risk management, vulnerability management, and resilient security processes.

OPENVAS SECURITY INTELLIGENCE and OPENVAS SCAN support organizations in building a continuous, verifiable security routine. Contact us to learn more.

When Did the EU NIS2 Directive Enter into Force?

The NIS2 Directive entered into force in 2023 and was to be transposed into national law by October 2024.

  • December 27, 2022: Publication. NIS2 is published in the Official Journal of the European Union.
  • January 16, 2023: Entry into Force at EU Level. The Directive enters into force and starts the implementation period for the Member States.
  • October 17, 2024: Deadline for National Transposition. EU Member States had to transpose the requirements into national law by this date.
  • December 6, 2025: Germany. The German transposition law enters into force and modernizes national cybersecurity legislation.

Action Is Required Now

NIS2 requires continuous risk management. Up-to-date asset data, regular vulnerability scans, clear responsibilities, and resilient reporting processes should be maintained continuously.

How Greenbone Supports NIS2 Compliance

Greenbone supports organizations in technically implementing NIS2 requirements and establishing sustainable security processes.

OPENVAS SECURITY INTELLIGENCE

OPENVAS SECURITY INTELLIGENCE consolidates results from distributed OPENVAS SCAN systems, enriches context through security advisories, and supports central workflows for vulnerability management.

OPENVAS SCAN

OPENVAS SCAN identifies known vulnerabilities, misconfigurations, and missing security updates in networks, systems, applications, endpoints, and container environments.

OPENVAS BASIC

OPENVAS BASIC is the ideal entry point for vulnerability scans in small and medium-sized IT environments. For larger NIS2 setups, OPENVAS SCAN and SECURITY INTELLIGENCE are suitable options.

[Figure: OPENVAS SECURITY INTELLIGENCE dashboard with vulnerability scan results, CVSS severity distribution, and asset inventory, aligned with continuous vulnerability management.]

Frequently Asked Questions About NIS2

What is NIS2?

NIS2 is an EU Directive for strengthening cybersecurity. It requires organizations in critical and important sectors to implement specific security measures and reporting obligations.

Which Organizations Are Affected by NIS2?

Public and private entities in 18 critical sectors are affected. Sector, size, and the importance of the services provided are decisive.

What Is the Difference Between Essential and Important Entities?

Essential entities are particularly critical organizations and are generally subject to stricter supervisory measures. Important entities must also implement security measures and report incidents.

What Measures Does NIS2 Require?

Among other things, NIS2 requires risk analysis, security concepts, incident handling, business continuity, supply chain security, training, access control, asset management, and vulnerability management.

What Reporting Deadlines Apply to Security Incidents?

For significant security incidents, an early warning is required within 24 hours. An initial assessment follows within 72 hours, and the final report is generally due within one month.

When Does NIS2 Apply in Germany?

The EU Directive entered into force on January 16, 2023. Member States had to transpose it by October 17, 2024. In Germany, the transposition law entered into force on December 6, 2025.

How Does Greenbone Support NIS2?

Greenbone supports organizations with OPENVAS SCAN and OPENVAS SECURITY INTELLIGENCE for ongoing vulnerability management, centralized visibility of assets, and risk prioritization.

Is OPENVAS BASIC Suitable for NIS2?

OPENVAS BASIC can be a practical entry point for small and medium-sized IT environments. For larger or more heavily regulated environments, OPENVAS SCAN and OPENVAS SECURITY INTELLIGENCE are usually better suited.

Is Your Organization Ready for NIS2?

Check now whether your vulnerability management, asset transparency, and reporting processes meet the requirements. Greenbone supports you in building continuous security processes and making risks visible at an early stage.

NIS2 Readiness Check with Greenbone
Would you like to assess whether your vulnerability management, asset transparency, and security processes are sufficient for NIS2? Talk to us about your current environment and suitable deployment options for OPENVAS SECURITY INTELLIGENCE, OPENVAS SCAN, or OPENVAS BASIC.


© Copyright - Greenbone AG 2020-2026