Security Program & Risk · June 10, 2026 · 10 min read

NIS2 explained: who is in scope, what it requires, and the deadlines

NIS2 raises the cybersecurity baseline across 18 sectors of the EU economy, and it holds management personally accountable. Here is who it covers, what it demands, and what to do now.
Written by Raptoric Program & Risk

NIS2 is the European Union's directive on cybersecurity risk management, and it is far broader than the rule it replaces. If your organization operates in one of the covered sectors and is medium-sized or larger, it almost certainly applies to you, and it expects real security work backed by evidence. This is a plain guide to who is in scope, what NIS2 requires, and where to start.

What NIS2 is

NIS2, formally Directive (EU) 2022/2555, sets a common cybersecurity baseline across the EU. It is a directive, which means each member state writes it into national law, so the exact wording and authority differ by country. In Croatia it lives in the Act on Cybersecurity. The direction is the same everywhere: raise the bar, widen the scope, and make leadership answerable.

Who is in scope

  • Medium and large entities across 18 sectors, including energy, transport, banking, health, water, digital infrastructure, public administration, and more.
  • Two tiers: essential entities and important entities, with similar duties but different supervision.
  • Smaller organizations pulled in when they are critical suppliers to entities that are in scope.
  • Supply chains, because in-scope entities must push security requirements down to their providers.

What it requires

  • Risk management measures. Technical and organizational controls proportionate to the risk, from the basics through to supply-chain security.
  • Incident reporting. An early warning within 24 hours and a fuller notification within 72 hours of a significant incident, with a final report inside a month.
  • Supply-chain security. Security requirements imposed on suppliers and service providers.
  • Governance and accountability. Management bodies must approve and oversee the measures, and they can be held liable for failures.

The deadlines and enforcement

The directive required member states to transpose it into national law, and enforcement now runs through each national authority rather than Brussels. That means the obligations are live, the supervision is local, and the penalties are real. The practical takeaway: do not wait for a letter. If you are in scope and not yet aligned, the gap is an active risk today.

What to do now

  • Confirm scope. Establish whether you are an essential or important entity, or a critical supplier to one.
  • Run a gap assessment against the NIS2 measures and your national transposition.
  • Stand up the controls the directive expects, and the governance to oversee them.
  • Build the detection and response that makes the 24- and 72-hour reporting deadlines achievable. See managed detection and response.
  • Produce the evidence, because supervision will ask for proof, not assurances.

NIS2 moved cybersecurity from the IT department to the board. The accountability is now personal.

We turn NIS2 into concrete engineering work and produce the evidence your authority accepts. See NIS2 compliance, or book a scoping call. Not sure whether NIS2 or DORA governs you? Read NIS2 vs DORA.
