What is the NIS2 Directive?
NIS2 is Directive (EU) 2022/2555 — the European Union's framework for a high common level of cybersecurity across the bloc. It replaces the original 2016 Network and Information Security Directive (NIS1), which covered far fewer organizations and left wide gaps between how member states applied it. NIS2 is the EU's answer to a decade of growing attacks on the services that economies and societies depend on.
The crucial thing to understand is that NIS2 is a directive, not a regulation and not a certification. There is no "NIS2 certificate" to earn. A directive sets the outcome the EU wants and leaves each member state to write the national law that delivers it. So in practice you do not comply with NIS2 directly: you comply with your country's national transposition of it, which is where the precise obligations, authorities and penalties actually live. Member states had until 17 October 2024 to adopt those national laws, and not all of them met that deadline, so the rules you are actually held to (and the date they bite) depend on the country, and an organization operating in several member states has to check each one.
NIS2 raises the floor in three ways at once: it pulls many more organizations into scope, it spells out the security measures they must take, and it makes senior management answerable for whether those measures happen. The sections below walk through each.
NIS2 vs NIS1
NIS1, the 2016 directive, applied to a narrow set of "operators of essential services", which each member state had to identify one by one, plus a light-touch regime for a handful of digital service providers. That case-by-case identification produced very uneven coverage across the EU. NIS2 scraps that patchwork: it defines scope by sector and size (broadly, medium-sized and larger organizations in the sectors it lists, with certain entities caught regardless of size), so being in scope no longer depends on a national authority designating you. The burden flips: you are expected to work out for yourself whether you are in scope and to register with the competent authority. NIS2 also sharpens the security and reporting duties and adds real supervision and enforcement. If you were comfortably outside NIS1, do not assume the same of NIS2.