D3 Security · Security Operations Glossary
What Is the NIS2 Directive?
A standalone glossary definition, part of the D3 Security Operations Glossary.
Definition
The NIS2 Directive is Directive (EU) 2022/2555, the European Union law that requires essential and important entities in critical sectors to implement baseline cybersecurity risk-management measures (Article 21), to report significant incidents in a 24-hour, 72-hour and one-month sequence (Article 23), and that makes their management bodies accountable for approving and overseeing those measures (Article 20).
Directive (EU) 2022/2555 entered into force on January 16, 2023. Member states had until October 17, 2024 to transpose it into national law, and the national measures apply from October 18, 2024, the date the original 2016 NIS Directive was repealed. Most of the bloc has now completed national transposition, and 2026 is the year active enforcement begins. Belgium became the first member state to set a hard conformity assessment deadline: April 18, 2026. Germany’s BSI issued the first public NIS2 fine, €850,000 against a cloud service provider, in February 2026.
The directive’s practical reach extends beyond the Union. Jurisdiction follows establishment: an EU subsidiary or branch of a non-EU group is itself the regulated entity and reports to the authority of the member state where it is established, and non-EU providers of certain digital services offered in the Union must designate an EU representative. A US-headquartered manufacturer with a German plant above the size threshold reports under NIS2 whenever that plant is affected. (Banks and other financial entities report under DORA instead: Article 4 of NIS2 defers to sector-specific Union law, and DORA declares itself that law for financial entities.) Suppliers are not automatically in scope. A vendor is regulated directly only if it operates in an Annex I or Annex II sector and meets the medium-size threshold of 50 or more employees, or annual turnover or balance sheet above €10 million; everyone else inherits security and incident-notification requirements by contract, because Article 21(2)(d) obliges regulated customers to manage supply-chain risk.
What NIS2 requires
The directive imposes four categories of obligation on in-scope entities, enforced by national authorities and backed by personal liability at the management level.
Risk-management measures (Article 21). Policies on risk analysis and information-system security, incident handling, business continuity and crisis management, supply chain security, secure acquisition and development (including vulnerability handling and disclosure), assessment of the measures’ effectiveness, basic cyber hygiene and training, cryptography, human-resources security, access control and asset management, and multi-factor or continuous authentication. The measures must be documented, operating, and auditable.
Incident reporting (Article 23). Three checkpoints against a single significant incident, all to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification was submitted. If the incident is still ongoing at that point, a progress report is filed instead and the final report is due one month after handling ends; intermediate updates can be requested at any time. The early warning need only state whether malicious action is suspected and whether cross-border impact is likely; the 72-hour notification must add an initial assessment of severity and impact and any indicators of compromise; the final report must describe the incident in detail, its likely cause or threat type, the mitigation applied, and any cross-border impact. Each step therefore draws on investigation evidence, not alert summaries.
Management oversight (Article 20). Management bodies must approve the risk-management measures, oversee their implementation, and undergo regular training, and they can be held liable for infringements. Under Article 32(5), where an essential entity fails to remedy non-compliance within a deadline set by the competent authority, the authority can request a temporary prohibition on its CEO or legal representative exercising managerial functions, and can suspend certifications or authorisations.
Supply chain security (Article 21(2)(d)). Essential and important entities must address security risks in their relationships with direct suppliers and service providers, taking into account each supplier’s vulnerabilities and secure development practices. Suppliers that cannot support their regulated customers’ incident-notification timelines therefore become a procurement risk.
Essential vs. important entities
NIS2 distinguishes two tiers of regulated entity, with different fine caps and supervision regimes. Tier is not set by sector alone: large enterprises in the Annex I sectors are essential, medium-sized Annex I entities and all Annex II entities are important, and a few categories (qualified trust service providers, top-level-domain registries, DNS service providers) are essential regardless of size.
| Tier | Sectors | Fine cap (whichever is higher) | Supervision |
|---|---|---|---|
| Essential | Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space | €10M or 2% of total worldwide annual turnover | Ex ante and ex post |
| Important | Annex II: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research organisations | €7M or 1.4% of total worldwide annual turnover | Ex post only |
Why NIS2 is a SOC architecture problem
The 24-hour early warning clock starts when the entity becomes aware of a significant incident, and awareness is itself a product of investigation. A manual SOC faces roughly 3,000 alerts a day, takes about 70 minutes to investigate one, and leaves 63 percent of them untouched, so incidents that should start the clock are discovered late or not at all. Once one is confirmed, analysts pivot across five to eight tools to reconstruct what happened. Neither stage fits inside a 24-hour window.
Legacy SOAR was designed for the era before this clock. Static playbooks fail on novel threats, API drift breaks integrations silently, and L1 automation stops the moment it sees an unexpected result. NIS2 authorities expect investigation depth rather than alert summaries, and a regulator reading a SOAR case note finds a sequence of playbook steps rather than evidence.
An autonomous SOC closes the gap. Morpheus AI triages 95 percent of alerts at Level 2 depth in under two minutes, generates runtime playbooks per incident, and assembles NIS2 early warnings, 72-hour notifications, and one-month reports from evidence already captured during live investigation. Attack Path Discovery traces attacker movement laterally (east-west) across the environment and in and out of it (north-south) through 90 days of telemetry, producing the path evidence a regulator will ask to see.
Also see: DORA, Attack Path Discovery
Frequently asked questions
What does NIS2 stand for?
NIS2 stands for the second Network and Information Security Directive, formally Directive (EU) 2022/2555. It entered into force on January 16, 2023 and replaced the original NIS Directive of 2016 on October 18, 2024, the date from which the national transposition measures apply.
Who must comply with NIS2?
NIS2 applies to entities in the Annex I sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space (essential when large, important when medium-sized, with some categories essential regardless of size). It also applies to entities in the Annex II sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. Within those sectors, the general size threshold is 50 or more employees, or annual turnover or balance sheet above €10 million. Vendors are directly in scope only if they themselves fall within a listed sector and meet that threshold; other suppliers are bound through the supply-chain obligations of their regulated customers.
What are the NIS2 incident reporting timelines?
NIS2 requires three reporting steps against a single significant incident: an early warning within 24 hours of becoming aware, an incident notification to the national CSIRT or competent authority within 72 hours of becoming aware, and a final report within one month of submitting that notification. If the incident is still ongoing when the final report falls due, a progress report is filed then and the final report is due one month after handling ends. All three require structured, documented evidence.
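The timeline in the Article 23 item above and in this answer is easy to encode wrongly, so here is a deadline tracker for the three checkpoints, added as an example for this glossary entry (it is not D3 Security's code or a Morpheus AI component). It assumes that the directive's "one month" is a calendar month, clamped to the last day of the target month, and that timestamps arrive as timezone-aware ISO 8601 strings; the class and function names (IncidentClock, schedule, missed) and the checkpoint labels are invented for the illustration. It captures the two details practitioners get wrong: the final-report clock runs from submission of the 72-hour notification, not from awareness, and an incident still open at the one-month mark gets a progress report then and a final report one month after handling ends.

```python
"""Deadline tracker for the NIS2 Article 23(4) reporting checkpoints.

Added example for this glossary entry; not D3 Security's code. Assumptions:
"one month" in Article 23(4)(d)-(e) is a calendar month (clamped to the last
day of the target month), and every timestamp is timezone-aware ISO 8601.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition clamped to the target month's last day (Jan 31 -> Feb 28/29)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class IncidentClock:
    """What the reporting entity knows about one significant incident."""
    aware_at: datetime                            # moment of awareness; starts the 24h/72h clocks
    notified_at: Optional[datetime] = None        # when the 72-hour incident notification was submitted
    handling_ended_at: Optional[datetime] = None  # when handling finished; None while still ongoing

    def __post_init__(self) -> None:
        for name in ("aware_at", "notified_at", "handling_ended_at"):
            t = getattr(self, name)
            if t is not None and t.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def checkpoints(self) -> List[Tuple[str, datetime]]:
        """Ordered (checkpoint, deadline) pairs given what is known so far."""
        due = [
            ("early_warning", self.aware_at + timedelta(hours=24)),          # Art. 23(4)(a)
            ("incident_notification", self.aware_at + timedelta(hours=72)),  # Art. 23(4)(b)
        ]
        if self.notified_at is None:
            return due  # the final-report clock runs from submission of (b), not from awareness
        one_month = add_one_month(self.notified_at)                          # Art. 23(4)(d)
        if self.handling_ended_at is not None and self.handling_ended_at > one_month:
            # Art. 23(4)(e): the incident outlived the one-month mark, so a progress report
            # was due then and the final report is due one month after handling ended.
            due.append(("progress_report", one_month))
            due.append(("final_report", add_one_month(self.handling_ended_at)))
        else:
            # Handling closed in time, or is still open with no end date yet: the
            # one-month deadline stands. If it arrives with handling still open, what
            # gets filed is a progress report and the final report moves out.
            due.append(("final_report", one_month))
        return due

    def missed(self, now: datetime, submitted: Optional[Dict[str, datetime]] = None) -> List[str]:
        """Checkpoints whose deadline has passed without an on-time submission recorded."""
        done = dict(submitted or {})
        if self.notified_at is not None:
            done.setdefault("incident_notification", self.notified_at)
        return [name for name, deadline in self.checkpoints()
                if now > deadline and (name not in done or done[name] > deadline)]


def _parse(s: Optional[str]) -> Optional[datetime]:
    return None if s is None else datetime.fromisoformat(s)


def schedule(aware: str, notified: Optional[str] = None, ended: Optional[str] = None) -> Dict[str, str]:
    """ISO 8601 strings in, ISO 8601 deadlines out, as a case-management system would store them."""
    clock = IncidentClock(_parse(aware), _parse(notified), _parse(ended))
    return {name: d.isoformat() for name, d in clock.checkpoints()}


def missed(now: str, aware: str, notified: Optional[str] = None, ended: Optional[str] = None,
           submitted: Optional[Dict[str, str]] = None) -> List[str]:
    """Same as IncidentClock.missed, taking ISO 8601 strings."""
    clock = IncidentClock(_parse(aware), _parse(notified), _parse(ended))
    done = {k: datetime.fromisoformat(v) for k, v in (submitted or {}).items()}
    return clock.missed(datetime.fromisoformat(now), done)


if __name__ == "__main__":
    # Constructed sample incident (not a real case): aware Tuesday 09:30 UTC, notified on the Thursday.
    aware, notified = "2026-03-10T09:30:00+00:00", "2026-03-12T15:00:00+00:00"
    for name, deadline in schedule(aware, notified).items():
        print(f"{name:22} due {deadline}")
    print("missed:", missed("2026-03-13T12:00:00+00:00", aware, notified))
```

Timezone-aware input is enforced deliberately: a branch in Frankfurt and a SOC in another region must agree on the same instant of awareness, and a naive timestamp silently shifts the deadline by the offset between them. Month clamping means an incident notified on January 31 has its final report due February 28 (or 29), not an invalid date or a spill into March.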
What is Article 20 of NIS2?
Article 20 requires the management bodies of essential and important entities to approve cybersecurity risk-management measures, oversee their implementation, and undergo regular training, and allows them to be held liable for infringements. Article 32(5) lets a competent authority, where an essential entity fails to remedy non-compliance within a deadline the authority has set, request a temporary prohibition on the entity’s CEO or legal representative exercising managerial functions.
What are NIS2 fines?
For essential entities, NIS2 fines can reach €10 million or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the cap is €7 million or 1.4 percent of total worldwide annual turnover, whichever is higher.
When does NIS2 enforcement start?
NIS2 entered into force on January 16, 2023. The transposition deadline for EU member states was October 17, 2024, and the national rules apply from October 18, 2024. 2026 is the year national authorities across the bloc move from transposition into active enforcement. Belgium set the first hard conformity assessment deadline on April 18, 2026.
Related terms
DORA — Digital Operational Resilience Act, the EU financial-sector regulation that applies in place of NIS2 for financial entities, with an initial notification of a major ICT-related incident due within 4 hours of classifying it as major and no later than 24 hours after becoming aware of it.
KRITIS Dachgesetz — Germany’s critical infrastructure protection law, which expanded the national regulated scope from 2,000 to over 30,000 entities in March 2026.
SOAR — Security Orchestration, Automation and Response, the legacy category NIS2 reporting windows have outgrown.
Attack Path Discovery — Morpheus AI’s investigation engine that produces the East-West and North-South evidence NIS2 audits expect.
Further reading
NIS2 Compliance Whitepaper
Belgium’s NIS2 Audit Window
DORA Compliance Guide
Explore Morpheus AI
Last updated: April 2026