Free download · 24 pages · A4 PDF

NIS2 Directive: English Summary for CISOs and Compliance Leads

A 24-page English-language summary of Directive (EU) 2022/2555. Covers scope, the ten Article 21 measures, the 24h/72h/1-month Article 23 reporting timeline, Annex I and II sectors, administrative fines, and a 10-step practical compliance roadmap. Authored by Rediacc; not an authoritative translation.

This document is an unofficial summary. For binding interpretation, consult the official text at OJ L 333/80, 27.12.2022.

What is in the PDF

Nineteen sections. Built for the CISO or compliance lead who needs the directive in plain words, not 73 pages of recitals and articles.

  1. Executive Summary
  2. Purpose and Legal Basis
  3. From NIS1 to NIS2: Why a New Regulation?
  4. Scope and Excluded Areas
  5. Key Definitions
  6. Entity Categories: Essential and Important Entities
  7. Sectors in Scope (Annex I and Annex II)
  8. Member State Obligations
  9. Cybersecurity Risk Management Measures (Article 21)
  10. Incident Reporting Obligations (Article 23)
  11. Supply Chain Security
  12. Management Body Responsibility
  13. EU-level Cooperation Structures
  14. Supervision and Enforcement
  15. Administrative Fines
  16. Implementation Timeline and Transition
  17. Implications for Non-EU Businesses
  18. Practical Compliance Roadmap (10 Steps)
  19. Conclusion and Assessment

Frequently asked

Is this an authoritative translation of the directive?

No. It is an unofficial English-language summary intended to make the directive's structure and obligations accessible. For binding interpretation, consult the official text at OJ L 333/80 (27 December 2022) or via EUR-Lex (CELEX 32022L2555). National transposition acts in your Member State may impose stricter or differently-scoped obligations than the directive itself.

Who is in scope under NIS2?

Companies in Annex I or Annex II sectors that meet the medium-size threshold: 50 or more staff, or more than EUR 10 million in turnover, per Recommendation 2003/361/EC. Annex I covers what the EU treats as the most critical sectors: energy, transport, banking, financial markets, health, water, digital infrastructure, public administration, and space. Annex II covers other critical sectors: postal, waste, chemicals, food, manufacturing, digital providers, and research. A few entity types are in scope regardless of size: TLD registries, DNS providers, trust service providers, and central public administration. Sections 4, 6, and 7 of the PDF cover scope in detail.

When did NIS2 enter into force, and what is the transposition deadline?

The directive entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it into national law, and it has applied since 18 October 2024, the same day NIS1 was repealed. The full timeline is in Section 16, including the 17 April 2025 deadline for Member States to submit their entity lists to the Commission and the review schedule. Most teams underestimate how much of that timeline is already behind them.

What are the maximum fines?

For essential entities: EUR 10,000,000 or 2% of global annual turnover, whichever is higher. For important entities: EUR 7,000,000 or 1.4% of global annual turnover, whichever is higher. The directive also allows penalties beyond fines. As a last resort, regulators can temporarily ban senior leaders at essential entities from their roles. Section 15 covers how fines get set.

Does NIS2 apply to non-EU companies?

Yes, in two ways. Directly: non-EU DNS, cloud, data centre, CDN, MSP/MSSP, online marketplace, search, and social-networking providers offering services in the EU must appoint an EU representative and comply. Indirectly: any non-EU supplier providing products or services to EU essential or important entities will be subject to supply-chain security contractual requirements imposed by their EU customers under Article 21(2)(d). Section 17 covers both.

How does Article 23 incident reporting work?

Three deadlines, all triggered by "becoming aware" of a significant incident: 24 hours for an early warning, 72 hours for a full incident notification, and one month for the final report. Service recipients must also be notified without undue delay if a significant cyber threat is likely. Section 10 has the full reporting matrix.

About this summary

Rediacc is a self-hosted infrastructure platform registered in Estonia (OÜ 17363830, VAT EE102920091). This summary was authored as part of our NIS2 content programme. The companion guides above describe how Rediacc addresses specific articles of the directive, including the gaps where Rediacc is not the answer (no certifications yet; no GRC layer; no managed Article 23 reporting; portal-only MFA). For the public capability mapping, see NIS2 and DORA in the documentation.

Send us your vendor questionnaire or your three biggest security line items from last year's budget. We will respond against a working install on one of our own servers, in writing, including the gaps. Or download the PDF and forward it to a colleague.

Download the PDF