NIS2 vs. NIS1: What Changed and Who's Affected

The EU's Network and Information Security Directive 2 dramatically expands cybersecurity requirements. If you operate in 18 critical sectors, you're in scope.

January 26, 2026. 11 min read. By Adil Karam

The Network and Information Security Directive 2 (NIS2) became enforceable on October 17, 2024. This is not an incremental update. It is a complete overhaul of the EU's cybersecurity framework that expands coverage to 18 sectors, introduces personal liability for executives, and mandates 24-hour incident reporting.

If you thought NIS1 did not apply to your organization, think again. NIS2's scope has expanded so dramatically that an estimated 160,000+ entities across Europe are now in scope, compared to approximately 15,000 under the original directive. For any organization operating in or serving the EU market, understanding your obligations under NIS2 is no longer optional.

The Regulatory Shift: From Voluntary to Mandatory

The original NIS Directive (2016) had significant limitations:

  • Inconsistent implementation across member states
  • Narrow scope (primarily operators of essential services)
  • Limited enforcement mechanisms
  • No personal liability provisions

NIS2 addresses these gaps with a harmonized approach. According to ENISA (the EU Agency for Cybersecurity), the new directive represents "the most comprehensive EU cybersecurity legislation to date."

The European Commission's digital strategy underscores that NIS2 is designed to create a "culture of security across sectors that are vital for our economy and society." This means the directive is not just about IT security departments. It is a governance mandate that reaches into boardrooms and executive suites.

What Changed: NIS1 vs. NIS2

Aspect              | NIS1 (2016)             | NIS2 (2024)
--------------------|-------------------------|------------------------------------------------------------------
Sectors covered     | 7 sectors               | 18 sectors
Entity categories   | OES + DSPs              | Essential + Important
Size threshold      | Member state discretion | EU-wide rules (50+ employees or 10M+ euros revenue)
Incident reporting  | 72 hours                | 24 hours (early warning) + 72 hours (full notification)
Penalties           | Varied by state         | 10M euros or 2% turnover (essential) / 7M euros or 1.4% (important)
Executive liability | None                    | Personal liability for management
Supply chain        | Not addressed           | Mandatory third-party risk management

Who Is In Scope?

NIS2 distinguishes between Essential Entities (higher criticality, stricter oversight) and Important Entities (significant but less critical):

Essential Entities (11 Sectors)

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health sector
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud, data centers)
  • ICT service management (B2B)
  • Public administration
  • Space

Important Entities (7 Sectors)

  • Postal and courier services
  • Waste management
  • Manufacture of critical products (chemicals, medical devices, electronics)
  • Food production and distribution
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organizations

Size thresholds: Organizations with 50+ employees or 10M+ euros in annual turnover in these sectors are automatically in scope. Member states can also designate smaller entities if they provide critical services.

Key Requirements

1. Governance and Accountability

  • Board-level oversight of cybersecurity is mandatory, not recommended
  • Management must approve security policies and risk assessments personally
  • Personal liability: Executives can face individual penalties for compliance failures, including temporary bans from management roles

This personal liability provision changes the calculus for every C-suite executive. Cybersecurity is no longer something that can be delegated to IT and forgotten. Board members and senior leaders must demonstrate they understand the risks, approve the mitigation strategies, and actively oversee implementation.

2. Risk Management Measures

NIS2 mandates "appropriate and proportionate" measures including:

  • Risk analysis and incident handling policies
  • Business continuity and crisis management
  • Supply chain security
  • Network and system security (including vulnerability disclosure)
  • Cryptography and encryption policies
  • Access control and asset management
  • MFA and secure communications

3. Incident Reporting

The timeline is aggressive and unforgiving:

  • 24 hours: Early warning to competent authority
  • 72 hours: Full incident notification with impact assessment
  • 1 month: Final report with root cause analysis and remediation actions

Meeting the 24-hour early warning requirement demands mature detection capabilities. Organizations that rely on manual monitoring or weekly log reviews will struggle to meet this bar. Automated detection, clear escalation procedures, and pre-drafted notification templates are essential.

4. Supply Chain Security

Organizations must assess and address security risks in their supply chains, including direct suppliers and service providers. This extends accountability beyond your own perimeter. If a critical supplier suffers a breach that affects your operations, you bear reporting and remediation obligations. According to NIST's supply chain risk management guidance, organizations should maintain a registry of all critical suppliers, conduct regular security assessments, and include security requirements in procurement contracts.

NIS2 fundamentally shifts cybersecurity from an IT function to a board-level governance obligation. The personal liability provisions for executives ensure that cybersecurity decisions carry the same weight and accountability as financial reporting and regulatory compliance.

Penalties and Enforcement

The enforcement regime is significantly strengthened compared to NIS1:

Entity type | Maximum fine                     | Additional penalties
------------|----------------------------------|-------------------------------------
Essential   | 10M euros or 2% global turnover  | Management bans, public disclosure
Important   | 7M euros or 1.4% global turnover | Public disclosure of non-compliance

National authorities now have expanded powers, including on-site inspections, security audits, and the ability to issue binding instructions. For essential entities, authorities can conduct proactive supervision without waiting for an incident.

The Board Brief

Key messages for your board:

  • Scope is dramatically larger. If you operate in any of the 18 sectors with 50+ employees, you are likely in scope
  • Executives face personal liability. This is a governance issue, not just an IT concern
  • 24-hour incident reporting requires mature detection and response capabilities already in place
  • Supply chain obligations mean you are responsible for your vendors' security posture
  • Penalties are substantial, reaching up to 10M euros or 2% of global turnover

Implementation Checklist

  • Determine applicability: Confirm your sector, size threshold, and member state registration requirements
  • Gap assessment: Compare current posture against Article 21 requirements in detail
  • Governance structure: Establish formal board oversight and executive accountability for cybersecurity
  • Incident response: Upgrade detection and reporting capabilities to meet the 24-hour early warning timeline
  • Supply chain review: Assess and document third-party risks across all critical suppliers
  • Training: Educate management on personal liability provisions and their governance obligations

How I Help

With 20+ years advising organizations on regulatory compliance and security governance, I help companies assess their NIS2 exposure and build practical compliance programs. My compliance services include gap assessments against Article 21 requirements, governance framework design, and board-level briefings tailored to NIS2's executive accountability provisions.

For organizations that need ongoing security leadership through the compliance process, my fractional CISO engagements provide the strategic oversight that NIS2 demands without the cost of a full-time hire.

Book a consultation to assess your NIS2 exposure and build a compliance roadmap with clear milestones and accountability.

Adil Karam

Security & AI Governance Advisor

Helping organizations navigate security leadership and AI governance challenges.