NIS vs NIS2: what changed and what you need to do differently
NIS2 replaces the original NIS Directive with significantly broader scope (~10x more entities affected), stricter reporting, explicit personal liability for management, and more prescriptive security measures. Organizations compliant with NIS typically need substantial NIS2 uplift.
Side-by-side
| Dimension | NIS (original) | NIS2 |
|---|---|---|
| Year | 2016 (applied from 2018) | 2022 (applied from 18 Oct 2024) |
| Affected entities EU-wide | ~20,000 | ~180,000 — 10x increase |
| Sectors covered | 7 (Essential Services) + 3 (Digital Service Providers) | 18+ across 2 annexes (Essential + Important entities) |
| Entity classification | Operators of Essential Services + Digital Service Providers | Essential entities + Important entities (stricter for Essential) |
| Size threshold | Sector-specific (often case-by-case) | Generally 50+ FTE or €10M revenue (with exceptions) |
| Security requirements | High-level; implementation details per Member State | 10 prescribed measures (Art. 21) — standardized across EU |
| Incident reporting timeline | 'Without undue delay' | 24h early warning → 72h notification → 1 month final report |
| Management accountability | Not explicitly addressed | Personal liability (Art. 20); mandatory training |
| Maximum fines | Set by Member States | €10M or 2% of turnover (essential) / €7M or 1.4% (important) |
| Supply chain | Not explicit | Explicit obligations (Art. 21(2)(d)) |
| Supervisory approach | Largely reactive | Proactive for Essential, reactive for Important |
When to choose which
NIS (original)
Not applicable — NIS is superseded by NIS2. Focus transition effort on NIS2.
NIS2
Current regime. Focus on NIS2 compliance.
Both
If your Member State has not yet transposed NIS2 (as of 2026 some still have not, Germany among them as far as full transposition goes), you may reference NIS for your existing obligations while preparing the NIS2 uplift, but supervisory practice is already aligning with NIS2 standards, so plan against NIS2 from the start.
The overlap
~55%. Both cover critical-infrastructure cybersecurity and share the same core security-measure philosophy, but NIS2 is substantially expanded: far more prescriptive (10 measures listed in Art. 21), broader (18+ sectors vs ~10), stricter (personal liability, fixed fine ceilings), and faster to report under (24h early-warning timeline). Treat NIS2 as a successor, not an extension.
Key differences
- Scope expanded from ~20,000 to ~180,000 entities EU-wide.
- 18+ sectors in Annexes I+II vs 7 Essential + 3 Digital Service Providers.
- Explicit personal liability for management bodies (Art. 20).
- Standardized 10 security measures (Art. 21) vs member-state-specific implementations.
- Strict reporting timelines (24h/72h/1 month) vs 'without undue delay'.
- Explicit supply-chain security obligations.
- Fixed maximum fines at EU level.
- Proactive supervision of essential entities.
Frequently asked questions
If I was NIS-compliant, what do I need to change?
Substantial uplift is required. Even if you were an Operator of Essential Services under NIS, NIS2 adds: mandatory cybersecurity training for management bodies tied to their personal liability (Art. 20), documented supply-chain security management, 24h incident early warning, formal assessments of the effectiveness of your measures, and BSI registration (in Germany). The technical controls themselves are mostly not new, but the documentation, accountability, and reporting obligations are significantly more demanding.
When does NIS2 actually apply to my organization?
The Directive applies from 18 Oct 2024. Member States had to transpose it into national law by the same date; most did not meet that deadline, and Germany is still finalizing the NIS2UmsuCG. Regardless of transposition status, supervisory authorities are already applying NIS2 standards in their oversight. Legal enforcement requires national transposition, but the supervisory expectation is already in place.
Does NIS2 cover organizations NIS didn't?
Yes, and on a large scale. NIS2 explicitly adds cloud computing services, broader digital infrastructure (trust service providers, TLD name registries and DNS service providers regardless of size), public administration, food, postal and courier services, chemicals, waste management, manufacturing of critical products, and more. Many organizations previously out of scope are now in.