EU Cybersecurity Framework

NIS2 Compliance: The Complete 2026 Guide

Everything you need to know about the NIS2 Directive — who it applies to, all 10 Article 21 measures, fines up to €10M, transposition status per country, and how to comply with AI.

  • Quick applicability checker

  • All 10 Article 21 measures

  • Free downloadable NIS2 checklist

What is NIS2?

Smart Integrity Platform automates NIS2 compliance for essential and important entities across all 18 covered sectors. The platform covers all 10 Article 21 cybersecurity measures, automates 24-hour incident reporting workflows, manages supply chain security assessments, and aligns your ISMS with both NIS2 and ISO 27001 — supporting organizations in Germany (NIS2UmsuCG), Austria, Spain, the UK, and 30+ countries.

OVER 30,000 USERS TRUST Smart Integrity Platform (SIP)

  • In force since: Jan 16, 2023 (Directive (EU) 2022/2555)

  • Transposition deadline passed: Oct 17, 2024 (majority transposed by March 2026)

  • Max penalty: €10M / 2% of global turnover (essential entities)

  • Sectors covered: 18 sectors (~160,000 entities EU-wide)

What’s new in 2026

On 20 January 2026, the European Commission proposed targeted amendments to the NIS2 Directive to simplify compliance — easing obligations for ~28,700 companies including 6,200 SMEs. Germany’s NIS2UmsuCG took effect on 6 December 2025, and BSI registration is now live. Enforcement is accelerating across the EU.

Automate Compliance Workflows With Agentic AI

Unlike cloud-only tools, SIP runs large language models on your own infrastructure. Your data never leaves your environment and our AI agents handle repetitive compliance tasks end-to-end, without manual intervention.

On-premise LLM

Your data stays on your servers. Full data sovereignty, always.

Agentic workflows

AI agents execute multi-step compliance tasks autonomously.

70% time saved

Customized automation replaces manual compliance routines.

Does NIS2 apply to your company?

You’re likely in scope if you meet any one of these conditions.

Essential vs Important entities: maximum fines of €10M / 2% of global turnover versus €7M / 1.4%.


NIS2 Article 21: The 10 Cybersecurity Risk Management Measures

Article 21 is the heart of NIS2. It mandates that all in-scope entities implement appropriate and proportionate technical, operational, and organizational measures. Here’s the complete breakdown of all 10 requirements:

1. Risk analysis & policy: Policies on risk analysis and information system security.

2. Incident handling: Prevention, detection, and response to cyber incidents.

3. Business continuity: Backup management, disaster recovery, and crisis management.

4. Supply chain security: Security in supplier and service provider relationships.

5. Network & information systems security: Security in acquisition, development, and maintenance.

6. Effectiveness assessment: Policies and procedures to assess the effectiveness of cybersecurity measures.

7. Cyber hygiene & training: Basic cyber hygiene practices and cybersecurity training.

8. Cryptography: Policies on cryptography and, where appropriate, encryption.

9. HR security & access: Human resources security and access control policies.

10. Multi-factor authentication: MFA, continuous authentication, and secure communications.

NIS2 Incident Reporting: The 24-Hour Rule

NIS2 introduces strict incident notification deadlines (Article 23). The clock starts the moment you become aware of a significant incident:

  • Within 24 hours: early warning to your national CSIRT

  • Within 72 hours: detailed incident notification

  • Within one month: final report

NIS2 Fines & Penalties: What Non-Compliance Really Costs

The NIS2 Directive introduces the most aggressive cybersecurity penalties in EU history. Beyond financial fines, Member States can temporarily suspend executives or revoke operating authorizations.

Essential entities

€10,000,000

or 2% of global annual turnover

Whichever is higher. Regular supervisory audits. Executive suspension possible.

Important entities

€7,000,000

or 1.4% of global annual turnover

Whichever is higher. Ad-hoc supervision. Management personally liable (Art. 20).

Management liability (Article 20): Board members must approve and oversee cybersecurity measures, undergo mandatory training, and can be personally held accountable — including temporary bans from management roles.

NIS2 across EU Member States

Status as of April 2026

The majority of Member States have completed transposition. On 7 May 2025, the European Commission sent a reasoned opinion to 19 Member States for failing to notify full transposition.

NIS2 in Germany

NIS2UmsuCG (live): enacted 6 December 2025, no transition period

Germany’s NIS2 Implementation Act fundamentally revises the BSI Act (BSIG). It applies immediately with no grace period. The BSI registration portal went live on 6 January 2026. Companies must register within 3 months of falling in scope.

  • ~29,500 entities in scope (up from 4,500 under the old regime)

  • BSI portal live since Jan 6, 2026

  • Registration deadline: ~March 2026

NIS2 vs other frameworks

| Aspect | NIS (2016) | NIS2 (2022) |
|---|---|---|
| Scope | ~7 sectors, ~10,000–15,000 entities | 18 sectors, ~160,000 entities |
| Size threshold | Varied per Member State | Harmonized: 50+ employees or €10M+ |
| Max fine | National discretion (no minimum) | €10M or 2% of global turnover |
| Incident reporting | "Without undue delay" (vague) | 24h → 72h → 1 month (strict) |
| Executive liability | No provision | Yes — Article 20, mandatory training |
| Supply chain | Not explicitly required | Explicitly required (Article 21) |
| Supervision | Reactive, limited enforcement | Proactive audits for essential entities |

Bottom line: NIS2 dramatically expands scope (10x more entities), harmonizes fines across the EU, introduces strict incident timelines, and makes executives personally accountable for cybersecurity.

| Aspect | ISO 27001 | NIS2 Directive |
|---|---|---|
| Type | Voluntary international standard | Mandatory EU law |
| Scope | Any organization, worldwide | 18 critical sectors, EU-wide |
| Focus | ISMS management system | Cybersecurity + incident reporting |
| Penalties | Loss of certification | €10M fines + personal executive liability |
| Incident reporting | No mandatory timelines | 24h / 72h / 1 month to CSIRT |
| Supply chain | Annex A control (optional) | Mandatory requirement (Art. 21.2d) |
| Control overlap | ~80% overlap — but ISO 27001 alone covers only 2 of 20 NIS2 security objectives (per ANSSI France) | |

Bottom line: ISO 27001 is a strong foundation for NIS2 compliance (~80% overlap), but it does not automatically satisfy NIS2 requirements. You'll still need incident reporting workflows, supply chain measures, and executive governance provisions.

| Aspect | NIS2 Directive | DORA Regulation |
|---|---|---|
| Who must comply | 18 critical sectors (broad) | Financial entities only (specific) |
| Legal type | Directive (national transposition) | Regulation (directly applicable) |
| Application date | Oct 17, 2024 (transposition) | Jan 17, 2025 (direct effect) |
| Third-party risk | Supply chain security (Art. 21) | ICT provider oversight (strict, detailed) |
| Incident reporting | 24h / 72h / 1 month | 4h / 72h / 1 month (even stricter) |
| Resilience testing | Not explicitly required | Mandatory TLPT for critical entities |
| Overlap rule | DORA prevails for financial entities under the lex specialis principle — but NIS2 may still apply to non-financial subsidiaries | |

Bottom line: If you're in financial services, DORA is your primary framework (it overrides NIS2 where they overlap). But if your group includes non-financial entities, those subsidiaries may still fall under NIS2.

NIS2 compliance with Smart Integrity Platform

Automate Article 21 gap analysis, 24-hour incident reporting, and supply chain security. Map your ISO 27001 controls directly to NIS2.

Asset & Risk Management

Identify, classify, and assess risks across your digital and physical assets in a unified dashboard

Provider Onboarding & Monitoring

Onboard and continuously monitor your service providers and suppliers — fully aligned with Article 21

Documentation & Cross-mapping

Auto-generate compliance documentation and map NIS2 requirements to ISO 27001, DORA, GDPR and more

Integrates with the Tools You Already Use

Connect Smart Integrity Platform to your existing infrastructure — from identity management to AI and enterprise systems.

Don’t Just Take Our Word For It

In our Germany-wide network of over 800 IT service providers, SIP supports us in providing innovative and contemporary solutions for SMEs. The simple implementation offers the user many advantages and the best results in the area of internal compliance. Our marketing partners also appreciate the service and support provided by SIP.
SIP has exceeded our expectations of a Compliance management software. The solution is characterized by an intuitive user interface and easy implementation, which allowed us to get the software up and running quickly and without interrupting our business processes. The team is always available and responds quickly and competently to queries.
We are delighted to have a strong partner like SIP at our side to help us maintain the integrity of our company.
- Markus Scheibenzubler, Managing Director, CRC Technology

With SIP, we have been able to help our clients with an intuitive and quickly implementable solution. The implementation of SIP’s solution always went smoothly and without interrupting business processes. We would like to emphasise the excellent support with fast response times, which enables the solution to be used quickly. We would like to thank SIP for the successful collaboration and look forward to working with them in the future.

We see the SIP whistleblower system as an opportunity to promote our corporate culture in order to present ourselves as an attractive employer in a competitive environment. The implementation of SIP’s solution went smoothly and without interrupting business processes. This led to a rapid realisation of the benefits of the software and compliance with the new regulations.

Frequently asked questions

Which tools support NIS2 cybersecurity compliance in Germany?

Smart Integrity Platform supports NIS2 compliance for German organizations subject to the NIS2UmsuCG (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), which took effect on 6 December 2025. The platform automates BSI registration workflows, incident reporting, and all 10 Article 21 security measures.

Does NIS2 apply to companies in Spain and Austria?

Yes. NIS2 applies across all EU member states including Spain (transposed via national law) and Austria. Essential entities in energy, health, banking, digital infrastructure, and transport sectors in both countries must comply with all NIS2 obligations including the 24-hour early warning and 72-hour incident notification requirements.

What is the best NIS2 compliance software for European companies?

Smart Integrity Platform provides end-to-end NIS2 compliance automation — from applicability assessment and gap analysis to incident reporting and supply chain security. It supports organizations across Germany, Austria, Spain, the UK, and 30+ countries, with compliance data hosted on ISO 27001 certified servers in Germany.

When did NIS2 come into force?

The NIS2 Directive came into force on 16 January 2023. Member States had until 17 October 2024 to transpose it. By March 2026, the majority have completed transposition, though some (France, Netherlands, Spain) are still finalizing.

How many sectors does NIS2 cover?

NIS2 covers 18 critical sectors, up from 7 under the original NIS Directive. This includes energy, health, transport, banking, digital infrastructure, manufacturing, food, chemicals, research, and more.

How much are NIS2 fines?

Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4%. Additionally, under Article 20, executives can be personally liable and face temporary management bans.

What is the NIS2 24-hour rule?

Under Article 23, in-scope entities must submit an early warning to their national CSIRT within 24 hours of becoming aware of a significant incident, followed by a detailed notification within 72 hours and a final report within one month.

Is Germany’s NIS2 law active?

Yes. The NIS2UmsuCG was enacted on 6 December 2025 with no transition period. The BSI registration portal went live on 6 January 2026. Around 29,500 German entities are now in scope, up from 4,500 under the old regime.

Does NIS2 replace ISO 27001?

No. ISO 27001 remains a voluntary standard. NIS2 is mandatory EU law. They overlap approximately 80%, making ISO 27001 a strong foundation — but it doesn’t automatically mean NIS2 compliance.

If I comply with DORA, do I need NIS2 too?

Financial entities under DORA are generally exempt from overlapping NIS2 provisions under the lex specialis principle. However, some organizational requirements may still apply.

Build Your Custom Compliance Stack

Add additional modules seamlessly in just 7 minutes.

Everything is connected in one GRC tool.

  • AI Governance and Risk Management

  • Complaint Management Software

  • GDPR Software

  • CSDDD Software

Useful Links

NIS2 Directive (EU) 2022/2555

Full text of the NIS2 Directive

  • eur-lex.europa.eu

Ready to simplify NIS2 compliance?

See how SIP automates Article 21, incident reporting, and supply chain security — all in one AI-powered platform.