The NIS2 Directive: What It Means for Infrastructure
NIS2 raises the cybersecurity bar for EU operators. What the directive requires for infrastructure, who it covers, and how to prepare.
For two decades, cybersecurity in Europe was treated as a best-effort discipline: encouraged, audited in places, but rarely enforced with real consequences. The NIS2 Directive ends that era. As the successor to the original 2016 Network and Information Security Directive, NIS2 turns a patchwork of national rules into a single, sharper baseline, and it backs that baseline with personal accountability for management and fines that finally get a boardroom's attention.
If your organization runs infrastructure that other people depend on (energy, healthcare, transport, digital services, manufacturing, public administration), the practical question is no longer whether NIS2 applies to you, but how far your current posture falls short of what the directive expects. This guide explains what changed, who is covered, the concrete obligations, and how to translate the legal text into infrastructure decisions you can actually make.
From NIS to NIS2: what actually changed
The first NIS Directive was a reasonable start that aged badly. It left too much to the discretion of individual member states, which produced wildly inconsistent transposition: a hospital in one country faced strict obligations while an identical operator across the border faced almost none. Scope was narrow, enforcement was soft, and incident reporting was vague enough to be meaningless in practice.
NIS2 was designed to close those gaps. It widens the range of sectors in scope, removes much of the national discretion that created uneven enforcement, sets explicit minimum security measures, and standardizes how and when incidents must be reported. Crucially, it shifts cybersecurity from an IT problem into a governance obligation, with named responsibility at the management level. The directive entered into force in early 2023, with member states required to transpose it into national law and operators expected to comply from late 2024 onward.
Who is in scope now
NIS2 dramatically expands coverage compared to its predecessor. It introduces two tiers of regulated organizations: essential entities and important entities. Both must meet the same core security obligations; the difference lies mainly in how strictly they are supervised, with essential entities subject to proactive oversight and important entities supervised more reactively after incidents.
Essential sectors include energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, and space. Important sectors add postal services, waste management, chemicals, food, manufacturing of critical products, digital providers, and research. The list is broad by design: the EU concluded that modern supply chains are too interconnected to protect only a narrow core.
The size-cap rule
As a general guideline, NIS2 applies to medium and large organizations: roughly those with at least 50 employees or annual turnover above 10 million euros. But size is not the only trigger. Certain providers (DNS operators, top-level domain registries, public electronic communications networks, and some others) fall in scope regardless of headcount because of the systemic role they play. The safest assumption is to check the criteria directly rather than presume you are too small to matter.
The baseline security measures you must implement
One of the most useful aspects of NIS2 is that it stops being vague. Article 21 sets out a concrete list of risk-management measures that in-scope entities must adopt, proportionate to their risk exposure. These are worth knowing because they map almost directly onto infrastructure design decisions:
Risk analysis and information system security policies; incident handling; business continuity and crisis management, including backup and disaster recovery; supply-chain security, covering the security practices of your direct suppliers and service providers; security in network and information system acquisition, development, and maintenance, including vulnerability handling and disclosure; policies to assess the effectiveness of your measures; basic cyber hygiene and security training; policies on cryptography and encryption; human-resources security, access control, and asset management; and, where appropriate, multi-factor authentication, secured voice and video communication, and secured emergency communication.
Read that list as a specification, not a wish list. Each item implies controls you either have or you do not, and an auditor or regulator can ask you to demonstrate each one.
Incident reporting: the clock that matters
NIS2 introduces a multi-stage reporting timeline that catches many organizations off guard because it is genuinely fast. For a significant incident, you must submit an early warning to the relevant authority or national CSIRT within 24 hours of becoming aware of it. A more detailed incident notification follows within 72 hours, including an initial assessment of severity and impact. A final report is due within one month, describing the root cause, the mitigations applied, and any cross-border effects.
Twenty-four hours is not long when systems are down and your team is firefighting. Meeting it requires having detection, escalation paths, and reporting templates prepared in advance, not invented during the crisis. The reporting obligation is, in effect, a forcing function for proper monitoring and observability.
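To make that clock concrete, here is an added example (it is not from the original article and not clouditiv's tooling): a small Python helper that derives the three NIS2 deadlines from the moment you became aware of the incident and tracks which filings are still open. It assumes that "one month" means the same calendar day in the following month, clamped to that month's last day; the precise rule comes from your national transposition, so adjust `add_one_month` to match your authority's guidance. The incident and filing timestamps in the sample run are constructed.

```python
"""NIS2 reporting-deadline tracker (added example; assumptions noted inline)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class StageStatus:
    stage: str
    due: datetime
    state: str              # "submitted_on_time", "submitted_late", "pending" or "overdue"
    hours_remaining: float  # relative to `now`; negative once the deadline has passed


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(moment: datetime) -> datetime:
    """Assumption: 'one month' = same day next month, clamped to that month's last day
    (31 Jan -> 28/29 Feb). Replace with your authority's definition if it differs."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """The three deadlines, all measured from the moment of becoming aware."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; naive times hide off-by-hours errors")
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def track(aware_at: datetime, now: datetime,
          submitted: dict[str, datetime] | None = None) -> list[StageStatus]:
    """Classify each stage given what has already been filed (stage -> filing time)."""
    submitted = submitted or {}
    statuses = []
    for stage, due in reporting_deadlines(aware_at).items():
        remaining_h = (due - now).total_seconds() / 3600
        if stage in submitted:
            state = "submitted_on_time" if submitted[stage] <= due else "submitted_late"
        else:
            state = "pending" if now <= due else "overdue"
        statuses.append(StageStatus(stage, due, state, round(remaining_h, 1)))
    return statuses


def next_action(statuses: list[StageStatus]) -> str | None:
    """Earliest stage still to be filed, or None when all three are in."""
    open_stages = [s for s in statuses if s.state in ("pending", "overdue")]
    return min(open_stages, key=lambda s: s.due).stage if open_stages else None


if __name__ == "__main__":
    # Constructed sample: aware on 31 January, so the final report lands on 28 February.
    aware = utc(2025, 1, 31, 10)
    now = utc(2025, 2, 2, 10)
    filed = {"early_warning": utc(2025, 1, 31, 20)}
    report = track(aware, now, filed)
    for s in report:
        print(f"{s.stage:22} due {s.due.isoformat()}  {s.state:18} {s.hours_remaining:+.1f} h")
    print("next action:", next_action(report))
```

Two design choices matter in practice. The clock starts at the moment of awareness, not the moment of compromise, so the incident ticket should record that timestamp explicitly and every filing should be timed against it. And the helper refuses naive timestamps on purpose: a deadline computed in local time by one team and in UTC by another is exactly how a 24-hour window quietly becomes 23 or 25.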
Accountability and penalties
The teeth of NIS2 are what make it different from earlier frameworks. For essential entities, fines can reach up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent of turnover. Those figures intentionally echo the GDPR and are designed to make non-compliance a board-level financial risk rather than an IT line item.
Just as significant is the personal dimension. NIS2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, and members can be held personally liable for failures. Regulators can require training for management and, in serious cases, even suspend individuals from management functions. Cybersecurity governance is no longer something a CISO can be left to own alone.
What NIS2 means for your infrastructure
Translating the directive into engineering terms, a handful of architectural themes do most of the heavy lifting. Network segmentation and access control limit how far an attacker can move once inside, which directly supports the risk-management and incident-containment expectations. Encryption, both at rest and in transit, addresses the cryptography requirement and reduces the blast radius of a breach. Robust, tested backup and disaster recovery satisfy the business-continuity obligation, and the word tested matters: a backup you have never restored is a hope, not a control.
Continuous monitoring and centralized logging are what make the 24-hour reporting deadline achievable; you cannot report what you cannot see. Supply-chain security pushes you to scrutinize the providers underneath your stack, including where they host data and how they handle their own incidents. And identity hardening (multi-factor authentication, least-privilege access, and clean asset inventories) closes the most commonly exploited doors.
Why infrastructure ownership becomes a compliance lever
A subtle consequence of NIS2 is that the more visibility and control you have over your infrastructure, the easier compliance becomes. When your workloads run on opaque, shared hyperscaler services, demonstrating segmentation, data location, encryption key custody, and supply-chain assurances can mean wrestling with shared-responsibility models and contractual attestations. When you operate on infrastructure you can actually see into, those same controls become things you configure and evidence directly.
This is one reason NIS2 sits naturally alongside the broader European move toward digital sovereignty. A private cloud built on transparent, open foundations, with clear data residency, your own encryption keys, and full audit logging, turns many NIS2 requirements from contractual negotiations into operational defaults. clouditiv approaches sovereign private cloud with exactly this in mind: OpenStack-based infrastructure where segmentation, Ceph-backed encrypted storage, Prometheus and Grafana monitoring, and German data residency are part of the platform rather than add-ons, aligned with ISO 27001 and BSI C5 expectations that overlap heavily with the NIS2 baseline.
How to prepare without boiling the ocean
The temptation with a directive this broad is to launch a sprawling programme and stall. A more pragmatic path is to start with a scoping decision: determine whether you are an essential or important entity, and document the reasoning. Then run a gap assessment against the Article 21 measures, scoring each as present, partial, or absent. That single exercise usually reveals that you already do more than you feared in some areas and far less in others.
From there, prioritize the controls that reduce the most risk and unblock reporting: monitoring and logging, incident response runbooks with the 24/72-hour timeline baked in, multi-factor authentication, segmentation, and tested backups. Layer in supply-chain reviews and management training, and keep evidence as you go, because demonstrability is half the battle under NIS2.
The bottom line
NIS2 is less a new burden than a formalization of practices that mature operators were already adopting, now with deadlines, accountability, and financial consequences attached. It rewards organizations that can see into their own infrastructure, prove where their data lives, and respond to incidents on a clock measured in hours. Treat it not as a box-ticking exercise but as a prompt to build infrastructure you genuinely understand and control. The organizations that come through NIS2 comfortably will, almost without exception, be the ones that decided transparency and ownership were worth the effort before a regulator made them prove it.