The NIS2 directive has moved from a committee conversation to a legal obligation that affects thousands of companies. If your organisation falls within one of the covered sectors, in 2026 it is no longer about getting ready: it is about demonstrating that you are. In this article I explain plainly what NIS2 requires, who is affected, what changes compared with NIS1, the notification deadlines, the real penalties and how the PECB Lead Implementer certification fits into your roadmap.
What NIS2 is and what changes compared with NIS1
NIS2 is Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. It replaces the 2016 NIS directive (Directive (EU) 2016/1148) and turns it into something more ambitious: it widens the sectors in scope, raises the minimum level of technical and organisational measures, tightens notification obligations and, above all, places ultimate accountability on the entity's management body.
Each Member State transposes NIS2 into national law, designates one or more national competent authorities and one or more CSIRTs, the latter being the bodies that receive incident notifications. In Spain, for example, NIS2 is being transposed through an "Anteproyecto de Ley" (draft bill), which is still working its way through the legislative process rather than being a completed law.
Who it applies to
The scope is broad and, if you have never looked into it, it may surprise you. NIS2 covers 18 sectors, listed in two annexes of the directive. Whether an entity is classified as essential or important depends on which annex its sector is in and on its size: large entities in Annex I sectors are essential entities; medium-sized entities in Annex I and entities of any qualifying size in Annex II are important entities.
Annex I, sectors of high criticality (essential entities at large size): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space.
Annex II, other critical sectors (important entities): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms) and research organisations.
The size threshold is decisive: in general, NIS2 applies to medium-sized and large entities within these sectors, that is, entities with 50 or more employees, or an annual turnover or balance sheet total above EUR 10 million (the ceiling for a small enterprise under Recommendation 2003/361/EC). But there are exceptions: certain entities are covered regardless of their size, for example DNS service providers, top-level domain name registries, qualified trust service providers and providers of public electronic communications networks, as well as an entity that is the sole provider in a Member State of a service essential for critical societal or economic activities. A small company can therefore be in scope if other entities depend on the service it provides.
The Article 21 measures
Article 21(2) of NIS2 sets out ten blocks of technical, operational and organisational measures that every entity in scope must implement. It is the backbone of compliance. Here are the ten blocks, with what each one means in practice:
- Policies on risk analysis and information system security. A formal, documented risk management framework, not something improvised.
- Incident handling. Processes to detect, respond to and recover from incidents.
- Business continuity. Backup management, disaster recovery and crisis management.
- Supply chain security. How you manage the risk arising from your direct ICT suppliers and service providers, including the security aspects of those relationships.
- Security in the acquisition, development and maintenance of network and information systems. Including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of the risk management measures. How you measure that what you have put in place actually works.
- Basic cyber hygiene practices and cybersecurity training. Recurring awareness, not an annual compliance course.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
If your organisation already has an information security management system compliant with ISO/IEC 27001, you start with a good part of the journey already done. But NIS2 goes further on some points, particularly supply chain risk management and management accountability.
Incident notification deadlines
One of the most demanding changes in NIS2 is the regime for notifying significant incidents (Article 23). The clocks start when the entity becomes aware of the incident, the deadlines are short and they leave no room for improvisation:
- 24 hours: early warning to the CSIRT or competent authority. It is always required, and it must state whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
- 72 hours: incident notification that updates the early warning, with an initial assessment of severity and impact and, where available, indicators of compromise.
- 1 month: final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead and the final report within one month of the incident being handled. The authority may also request intermediate status updates in between.
These deadlines are not negotiable and require having mature detection and classification processes in place before the incident happens, not after.
Penalties and management accountability
The NIS2 penalty regime is deliberately deterrent. For essential entities, fines can reach EUR 10 million or 2% of total annual worldwide turnover, whichever is higher. For important entities, EUR 7 million or 1.4% of turnover, again whichever is higher.
But the most important novelty is not the amount: it is that NIS2 (Article 20) makes the members of the management body accountable. The directive requires them to approve the risk management measures, oversee their implementation and follow regular cybersecurity training, and they can be held liable for infringements. For essential entities, the competent authority may also ask the courts or a competent body to temporarily prohibit the CEO or legal representative from exercising managerial functions while a serious breach remains unremedied.
A roadmap to get started
If your organisation is in scope and has not yet made progress, here is what I recommend in the projects I work on, in this order:
- Applicability test. Confirm whether your entity is covered (sector + size) and in which category (essential or important). There are nuances, and they are not obvious.
- Gap analysis against Article 21. Ten blocks of measures, what you already have and what is missing. You probably have more than you think, especially if you work with ISO 27001.
- Incident notification framework. Procedures, templates and exercises for the 24-hour, 72-hour and 1-month deadlines.
- Inventory of critical ICT suppliers. Without a clear map of suppliers, the supply chain pillar is impossible.
- Formal involvement of the management body. Approval of policies, a specific training plan and documentary traceability of its involvement.
The difference between the organisations that will comply with NIS2 without incident and those that will face penalties will not be budget, but anticipation. Those who start calmly in 2026 will get there; those who start at the first inspection are already behind.
Training and certification
If you want to take the step towards official PECB certification, the NIS2 Lead Implementer course is the direct route: official PECB Self-Study so you can progress at your own pace and prepare for the certification exam.