Field notes · Compliance

NIS2 in 2026: who it covers, the 24-hour clock, and why your country's version is the one that counts.

NIS2 is past the deadline, unevenly transposed, and now starting to bite. The directive is the same everywhere, but the law that binds you is the national one your member state passed, on its own timetable. Here is who is in scope, what the rules demand, and the quiet truth underneath it all: you cannot report in 24 hours what you never saw.

NIS2 is the European Union's cybersecurity law for organisations that matter to how society runs, and in 2026 it has moved from a deadline most people ignored to enforcement that is starting to land. It applies to medium and large entities across eighteen sectors, sorts them into essential and important, and obliges each to run a baseline of security measures, report significant incidents on a 24-hour, 72-hour and one-month clock, and hold its board personally answerable for getting this right. The complication that defines the year is that NIS2 is a directive, not a regulation, so what binds you is your country's national transposition rather than the directive itself, and those national laws arrived late and unevenly. The obligations are real; the rulebook you must read is the one written in your own member state.

A directive, which is why your national law is the one that counts.

The single most useful thing to understand about NIS2 is the legal shape of it, because it explains why two companies in the same sector can face different rules depending on where they operate.

NIS2 is Directive (EU) 2022/2555, the successor to the 2016 NIS Directive, and it replaces a narrow first attempt at securing critical services with a far wider and stricter regime. A directive sets the objectives and the floor; each member state then writes its own national law to meet them, with room to be stricter and to fill in the detail. That is different from the GDPR or the AI Act, which are regulations that apply word-for-word across the Union. With NIS2, the directive tells you the shape of your obligations, but the precise scope thresholds, the competent authority you answer to, the registration process and the penalty levels are set by your country's transposing act.

For a single-country business that distinction is a footnote. For anyone operating across several member states it is the heart of the compliance problem, because the same group can be an essential entity under one national law and an important one under another, report incidents to different authorities through different channels, and face different supervisory styles. The practical consequence is that there is no single NIS2 checklist that settles the matter everywhere. The directive gives you the structure; the national law gives you the specifics, and the specifics are what an auditor will hold you to.

The 2026 transposition reality.

The story of NIS2 in 2026 is not the directive, which has been settled since 2022. It is the uneven, late and still-completing process of turning it into national law, and that mess is where the practical uncertainty lives.

Member states were required to transpose NIS2 by 17 October 2024, with the rules applying from the next day. A large number missed it. The European Commission opened infringement proceedings against 23 member states in November 2024, and in May 2025 sent reasoned opinions, the last formal step before referral to the Court of Justice, to 19 that still had not notified full transposition. Through late 2025 and into 2026 the picture has steadily filled in: earlier movers such as Belgium, Italy, Hungary and Croatia completed their laws, Germany's NIS2 implementation act took effect in December 2025 with its national registration live, and by the first quarter of 2026 the majority of states had transposed, while a few, among them France, the Netherlands and Spain, were still finalising or operating under interim arrangements.

Two things follow from that for a covered organisation. The first is that enforcement has begun where the law is in place: through the first half of 2026, the earliest-transposing states started supervisory action, with proceedings over late incident notification, formal warnings to entities lacking baseline measures, and sector inspections. The grace period, in those countries, is over. The second is that waiting for your own country to finish is not a strategy, because several states apply obligations from the moment their law takes effect with no transition period, and the security work the directive demands takes months to stand up regardless of the legal date. The honest reading is that the deadline debate is a distraction from the build, which has to happen either way.

transposition timeline · directive vs national reality
Key dates in NIS2 transposition and enforcement.
When | What happened | What it means
17 Oct 2024 | EU transposition deadline | Missed by many member states
Nov 2024 | Infringement proceedings against 23 states | Commission applies pressure
May 2025 | Reasoned opinions to 19 states | Formal escalation, CJEU referral next
Dec 2025 | Germany's act in force, registration live | Largest economy now binding
2026 | Majority transposed; first sanctions begin | Enforcement is real where law exists

Whether it applies to you, and as what.

Scope under NIS2 is mostly mechanical: a sector test and a size test, with a few deliberate exceptions. The label you land with then decides how hard you are supervised.

The directive covers eighteen sectors, split into two annexes. The essential group includes energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure, business-to-business ICT service management, public administration and space. The important group adds postal and courier services, waste management, chemicals, food, manufacturing, digital providers such as online marketplaces, search engines and social networks, and research. The size test brings in entities that are at least medium-sized under the EU SME definition, meaning roughly 50 or more employees, or more than €10 million in annual turnover or balance sheet total, which is what expands coverage from the ten thousand or so entities under the old directive to well over a hundred thousand. A set of critical providers is pulled in regardless of size, including DNS service providers, top-level domain registries, qualified trust service providers, providers of public electronic communications networks and services, and central-government public administration, because their failure would ripple too widely to exempt on headcount.

The essential-versus-important split does not change the security baseline you must meet; it changes the supervision. Essential entities face proactive oversight, meaning an authority can audit them at will and ahead of any incident, and sit under the higher penalty ceiling. Important entities are supervised reactively, looked at when something has gone wrong, under a lower ceiling. Two further points catch people out. NIS2 reaches organisations established outside the EU that provide covered services within it, which can require designating an EU representative, in the same long-arm style as the GDPR. And supply-chain security is one of the mandatory measures, so even a vendor that is not directly in scope increasingly inherits obligations through the contracts of customers who are, which is why smaller IT and cloud suppliers are now being asked to evidence their security posture.

Registration, and the authority you answer to.

Before any of the security work is assessed, most covered entities have an administrative duty that is easy to overlook and is often the first hard deadline they meet.

NIS2 expects entities in scope to make themselves known to their national competent authority, registering basic details such as their name, sector, contact points and the member states in which they operate, so the regulator has a population it can supervise. The mechanism is national: Germany's authority opened its registration process when its implementation act took effect at the end of 2025, and other member states run their own portals and timelines. For a group operating in several countries this multiplies, because the entity may need to register, and report incidents, separately in each member state where it has covered operations, each through a different channel and authority. Identifying the right authority and registering on time is unglamorous, but failing to do it is itself a breach, and it is the step that puts you on the regulator's radar in the first place. The sensible order is to settle scope and entity type, then register, then turn to the security baseline, rather than discovering the registration duty after an incident has already started the reporting clock. There is some relief coming on the reporting side: the NIS2 cooperation group has adopted common incident-reporting templates to standardise filings across member states, and a single entry point for reporting has been proposed to spare multi-country entities from filing the same incident many times over.

The ten measures every covered entity must run.

Article 21 sets the security baseline as an all-hazards list rather than a prescriptive standard. The detail is left to national guidance, but the ten headings are fixed and worth knowing as a gap-analysis frame.

The measures span policy and practice. They require risk analysis and information-system security policies; incident handling; business continuity, including backups, disaster recovery and crisis management; supply-chain security covering the relationships with direct suppliers and service providers; security in acquiring, developing and maintaining systems, with vulnerability handling and disclosure; policies to assess whether the measures are working; basic cyber hygiene and regular security training; cryptography and, where appropriate, encryption; human-resources security, access-control policies and asset management; and the use of multi-factor authentication, secured voice, video and text communications, and secured emergency communications. None of these is exotic, which is the point: NIS2 codifies a baseline that a mature security programme would already recognise, and the work for most organisations is evidencing and closing the gaps rather than inventing something new.

article 21 · the baseline, grouped
The Article 21 cybersecurity risk-management measures grouped by theme.
Theme | Measures | What an auditor wants
Govern | Risk analysis, security policies, effectiveness assessment | Documented, board-approved, reviewed
Detect & respond | Incident handling, continuity, backups, crisis management | Tested, not just written
Build secure | Secure acquisition and development, vulnerability handling | Patch cadence, disclosure process
Control access | MFA, access control, asset management, cryptography | Enforced, evidenced
People & chain | Cyber hygiene, training, supply-chain security, HR security | Training records, supplier assessments

The reporting clock, and the capability it assumes.

Article 23 is where NIS2 stops being a policy exercise and becomes an operational one, because it puts a stopwatch on your response and the stopwatch starts whether or not you were watching.

When a covered entity becomes aware of a significant incident, one that has caused or is capable of causing severe operational disruption to its services or financial loss to the entity, or that has affected or could affect other people or organisations by causing considerable material or non-material damage, the reporting runs in stages. An early warning goes to the national CSIRT or competent authority within 24 hours of awareness, flagging whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impact. A fuller incident notification follows within 72 hours of awareness, updating the early warning with an initial assessment of severity and impact and any indicators of compromise available by then. A final report is due one month after that incident notification is submitted; if the incident is still live at that point, a progress report is filed instead, with the final report following within a month of the incident being handled. The authority can also ask for intermediate status updates in between. The cooperation group has been standardising the templates for this to cut the paperwork, but the deadlines themselves are firm.

The 24-hour figure is the one that exposes the gap between compliance on paper and compliance in fact. You cannot warn an authority within a day about an incident you have not detected, and you cannot characterise its severity at 72 hours without logs, monitoring and someone watching them. A great deal of NIS2 reads like governance, but the reporting clock is a detection-and-response requirement wearing a legal coat, and an organisation without round-the-clock visibility of its systems will miss the first deadline not through negligence but through blindness. This is the part that turns NIS2 from a document your lawyers own into a capability your security operations have to provide, and it is the reason a serious response to the directive starts with the question of who, or what, is watching.
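The staged clock above is easy to get wrong in an incident tracker: the first two deadlines run from awareness, the final report runs from the filing of the 72-hour notification, an ongoing incident swaps the final report for a progress report, and a personal-data breach starts a second, independent clock under the GDPR. The following is an added example written for this page, not code from the original article or from any authority's reporting portal. The Incident fields, the significance test, the helper names and the sample timestamps are constructed for illustration; the stage deadlines follow Article 23(4) as described above, and "one month" is taken as a calendar month, which is an assumption the directive does not spell out as 30 days.

```python
"""NIS2 Article 23 reporting clock, modelled as a small scheduler.

Added example, not code from the original page or any competent authority.
Incident fields, helper names and sample data are constructed; 'one month'
is read as a calendar month (assumption, not stated in the directive).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)             # Art 23(4)(a), from awareness
INCIDENT_NOTIFICATION = timedelta(hours=72)     # Art 23(4)(b), from awareness
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)  # GDPR Art 33, separate authority


@dataclass
class Incident:
    first_compromise: datetime            # when the attacker actually got in
    became_aware: datetime | None         # when the entity became aware; None = never detected
    severe_disruption: bool = False       # Art 23(3)(a)
    financial_loss: bool = False          # Art 23(3)(a)
    damage_to_others: bool = False        # Art 23(3)(b): considerable material or non-material damage
    personal_data_affected: bool = False  # starts the separate GDPR clock
    resolved_at: datetime | None = None   # None = still ongoing


def is_significant(inc: Incident) -> bool:
    """Article 23(3): either limb makes the incident reportable."""
    return inc.severe_disruption or inc.financial_loss or inc.damage_to_others


def add_one_month(t: datetime) -> datetime:
    """Same day next calendar month, clamped to month end (31 Jan -> 28 Feb in 2026)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_schedule(inc: Incident, notification_submitted: datetime | None = None) -> dict:
    """Every filing the entity owes and when; the first two stages hang off awareness.

    notification_submitted is when the 72-hour notification actually went in: the
    final report runs one month from that filing (Art 23(4)(d)), so filing early
    also brings the final report forward. If omitted, the deadline itself is used.
    """
    if inc.became_aware is None:
        # No awareness, no clock: an undetected compromise produces no filing at
        # all, which is the gap between paper compliance and actual compliance.
        return {"status": "undetected"}
    if not is_significant(inc):
        return {"status": "not significant"}

    schedule: dict = {
        "status": "significant",
        "early_warning": inc.became_aware + EARLY_WARNING,
        "incident_notification": inc.became_aware + INCIDENT_NOTIFICATION,
    }
    submitted = notification_submitted or schedule["incident_notification"]
    month_mark = add_one_month(submitted)
    if inc.resolved_at is not None and inc.resolved_at <= month_mark:
        schedule["final_report"] = month_mark
    else:
        # Art 23(4)(e): still ongoing at the month mark -> progress report then,
        # final report one month after handling ends (unknown while it is live).
        schedule["progress_report"] = month_mark
        schedule["final_report"] = add_one_month(inc.resolved_at) if inc.resolved_at else None
    if inc.personal_data_affected:
        # Separate regime, separate authority, own 72-hour clock; it stacks with NIS2.
        schedule["gdpr_breach_notification"] = inc.became_aware + GDPR_BREACH_NOTIFICATION
    return schedule


def dwell_time(inc: Incident) -> timedelta | None:
    """How long the attacker was in before anyone noticed. The clock ignores this entirely."""
    return None if inc.became_aware is None else inc.became_aware - inc.first_compromise


# Constructed sample: compromise on 3 March 2026, noticed a week later, data exposed.
SAMPLE = Incident(
    first_compromise=datetime(2026, 3, 3, 2, 0, tzinfo=timezone.utc),
    became_aware=datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc),
    severe_disruption=True,
    personal_data_affected=True,
)
# Constructed sample: same compromise, but nothing was watching.
UNSEEN = Incident(first_compromise=SAMPLE.first_compromise, became_aware=None, severe_disruption=True)

if __name__ == "__main__":
    for name, when in reporting_schedule(SAMPLE).items():
        print(f"{name:26} {when}")
    print("dwell time before awareness:", dwell_time(SAMPLE))
    print("unseen incident:", reporting_schedule(UNSEEN))
```

Two things in the output are worth noticing. A seven-day dwell time does not shorten any deadline, because every stage is anchored to awareness, not to the compromise; the penalty for late detection is not a missed 24-hour deadline but a longer, costlier incident that the authority may hear about from someone else first. And the unseen incident returns no schedule at all, which is the page's point in one line: the obligation exists, but nothing can start the clock.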

Why the board suddenly cares: personal liability.

NIS2 deliberately moved cybersecurity out of the server room and into the boardroom, and it did so with the one mechanism that reliably changes behaviour at that level.

Under Article 20, the management body of a covered entity must approve the cybersecurity risk-management measures, oversee their implementation, and take part in training so that members can recognise and weigh cyber risk themselves. Crucially, members of that body can be held liable for failures in this duty. The directive itself, in Article 32, lets authorities temporarily ban the CEO or legal representative of an essential entity from managerial functions until the failure is remediated, and several national transpositions carry that power through and set its detail. This is the provision that turns NIS2 from an IT budget line into a governance obligation, because it removes the option of treating security as something delegated entirely downward and forgotten. A board that has never seen the entity's risk assessment, or that signs it off without understanding it, is now carrying a personal exposure it cannot outsource.

Penalties, and the laws NIS2 sits beside.

The numbers are GDPR-sized, the non-financial sanctions are sharper than most expect, and NIS2 rarely arrives alone.

For essential entities the ceiling is up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities it is up to €7 million or 1.4%. Beyond the fines, authorities can order specific remediation, make compliance binding through instructions, and, for essential entities under Article 32, temporarily suspend a certification or authorisation for the relevant service and, as noted, temporarily bar the CEO or legal representative from management functions. For many organisations the operational sanctions are the more frightening, because losing the authorisation to operate is an existential event in a way a fine usually is not.

NIS2 also has to be read next to its neighbours. A single incident that exposes personal data triggers both NIS2 reporting to the cybersecurity authority and GDPR breach notification to the data-protection authority, on separate clocks, so the two regimes stack rather than substitute. NIS2 sits alongside DORA for the financial sector and the EU AI Act as parts of the same European compliance constellation, which is why an organisation in a covered sector usually faces several of these at once. And a common trap is worth naming plainly: an ISO 27001 certificate is a real head start, but it is not NIS2 compliance. It covers much of the risk-management baseline yet leaves the statutory reporting timelines, the supply-chain duties, the registration step and the management-liability provisions unaddressed. Treating the certificate as the finish line is how well-run companies still end up exposed, a distinction that runs through our wider compliance and sovereignty work.

NIS2 is a detection problem before it is a paperwork problem.

Most NIS2 guidance is written by lawyers and reads like a policy project. The part that decides whether you comply is operational, and it is the part we care about most as the people who run the monitoring.

Strip the directive back to what it forces you to be able to do, and a pattern emerges. You must detect a significant incident, because the 24-hour clock starts at awareness. You must characterise it within 72 hours, which needs logs, telemetry and someone able to read them under pressure. You must show, on demand for essential entities, that your measures work and that you can reconstruct what happened. None of that is satisfied by a binder of policies; it is satisfied by continuous monitoring, by a security information and event management system that is tuned rather than merely installed, and by people or automation watching it around the clock. An organisation can have every Article 21 policy written and still fail NIS2 at the first real incident because nothing was watching when it mattered.

That is the lens we bring, because monitoring is the discipline the firm is built around rather than a service we bolted on. A workable NIS2 response sequences in a particular order: confirm your scope and entity type under national law and register where required; close the Article 21 gaps with the board trained and signed on; and stand up the detection and response capability that the reporting clock silently assumes, whether that is a managed SIEM, a security operations capability, or open-source tooling run properly rather than left in default. We are candid about where the honest answer is to do less or to use what you have, because a tuned open-source stack watched by people who understand it beats an expensive platform nobody reads. Where it helps to put real eyes on your systems, that is the work our managed security practice exists to do, and it is where NIS2 stops being a compliance cost and becomes the monitoring you should have had anyway.

Questions organisations are asking in 2026.

Does NIS2 apply to my company?
Probably, if you operate in one of the eighteen covered sectors and you are at least a medium-sized organisation, meaning roughly 50 or more staff or over €10 million in turnover. The sectors are broad, covering energy, transport, banking, health, water, digital infrastructure, public administration, manufacturing, food and more. Some small companies are pulled in regardless of size when they are critical, such as DNS providers, top-level domain registries and trust service providers. The honest first step is to map your sector and size against your national transposition law, because that is what binds you.
What is the difference between an essential and an important entity?
Both must meet the same core security and reporting obligations; the difference is how they are supervised and penalised. Essential entities, in the most critical sectors, face proactive supervision and can be audited at any time, with fines up to €10 million or 2% of global turnover. Important entities are supervised reactively, after something goes wrong, with fines up to €7 million or 1.4%. The classification follows your sector and size rather than a choice you make, so the practical task is to find out which one you are.
Is NIS2 in force if my country hasn't transposed it yet?
NIS2 is a directive, so it binds you through your national law rather than directly. The EU deadline to transpose it was 17 October 2024, and many member states missed it. Where the national law is in place, the obligations apply now; where it is still pending, formal enforcement may be limited, but several states apply obligations from the date their law takes effect with no transition period. Treat your national law as the live rulebook and prepare regardless, because immediate application on transposition, with no grace period, is a real possibility.
What are the NIS2 incident reporting deadlines?
Three stages, and the clock starts when you become aware of a significant incident. An early warning within 24 hours of awareness, a fuller incident notification within 72 hours of awareness including an initial assessment, and a final report one month after that notification is submitted. If the incident is still running at the month mark, you file a progress report then and the final one within a month of handling it. The tight first deadline is the operational catch: you cannot warn the authority within a day about something your monitoring never detected.
What are the fines under NIS2?
For essential entities, up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, up to €7 million or 1.4%. Money is not the whole of it: supervisory authorities can also order specific measures, suspend an entity's authorisation to operate, and in some member states temporarily bar named individuals from management roles until the failure is fixed.
Can directors be held personally liable under NIS2?
Yes, and this is the change that tends to move boards. Under Article 20, the management body must approve the entity's cybersecurity risk measures, oversee their implementation, and undergo training themselves. Where they fail in that duty, they can be held personally accountable, and in several national laws that includes temporary suspension from management functions. Cybersecurity under NIS2 is a board responsibility that cannot be wholly delegated to IT.
We are already ISO 27001 certified. Are we NIS2 compliant?
Not automatically. ISO 27001 is a strong foundation and covers much of the risk-management ground, but NIS2 adds obligations it does not, including the statutory incident-reporting timelines, the supply-chain duties, management-body accountability and registration with a national authority. An ISO 27001 information security management system makes NIS2 far easier to reach, but the two are not the same certificate, and treating one as the other leaves real gaps.
Does NIS2 apply to companies outside the EU?
It can. An organisation established outside the EU that provides covered services within it generally falls in scope and may be required to designate a representative in the Union. As with the GDPR, the reach follows the service into the European market rather than stopping at the entity's headquarters, so a non-EU provider serving European essential or important entities should check its position rather than assume it is exempt.
What are the ten Article 21 measures?
A baseline set every covered entity must implement: risk analysis and security policies; incident handling; business continuity and crisis management including backups; supply-chain security; security in acquiring, developing and maintaining systems, with vulnerability handling; policies to assess whether the measures work; basic cyber hygiene and security training; cryptography and encryption; human-resources security, access control and asset management; and multi-factor authentication with secured communications. They are deliberately an all-hazards baseline rather than a detailed checklist, which is left to national guidance.
How is NIS2 different from the original NIS Directive?
NIS2 is far wider and harder-edged. It expands coverage from a handful of sectors and roughly ten thousand entities to eighteen sectors and well over a hundred thousand, removes the old operator-of-essential-services designation in favour of size-based scope, adds the staged incident-reporting clock, introduces management liability, and raises penalties to GDPR-like levels. Organisations that sat outside the first directive frequently find themselves inside this one.
Does NIS2 cover my suppliers and vendors?
Indirectly, and it makes their security your concern. Supply-chain security is one of the Article 21 measures, so a covered entity has to assess and manage the cybersecurity risk of its suppliers and service providers, including managed IT and cloud. In practice this pushes obligations down the chain through contracts even to companies not directly in scope, which is why many smaller vendors are now being asked to evidence their security by customers who are covered.
How does NIS2 relate to the GDPR and the EU AI Act?
They are separate instruments that frequently apply at once. A single cyber incident can trigger both NIS2 reporting to the cybersecurity authority and GDPR breach notification to the data-protection authority, on their own timelines. NIS2 also sits alongside the EU AI Act and DORA as part of the European compliance constellation, and an organisation in a covered sector usually has to satisfy several of them together rather than one at a time.
Was NIS2 delayed or simplified?
The directive itself was not delayed; member states were simply late transposing it. Separately, in January 2026 the European Commission proposed targeted amendments to ease the administrative burden for tens of thousands of companies, and the NIS2 cooperation group has adopted common incident-reporting templates to standardise filings. The direction is simplification of process rather than a softening of the core duties, so the obligations remain and the reporting is meant to get less painful, not optional.
What should we do first to prepare for NIS2?
Confirm whether you are in scope and as which type of entity under your national law, then register with your competent authority if required. After that, the work is detection and response before paperwork: you cannot meet the 24-hour reporting duty without the monitoring to see an incident in the first place. Map your Article 21 gaps, get the board trained and signed on, and make sure something is watching your systems around the clock.
Do we have to register under NIS2, and with whom?
Most covered entities have to register with their national competent authority or CSIRT, providing basic details such as their name, sector, contact points and the member states where they operate. The exact mechanism is set by national law and varies: Germany's authority opened registration when its act took effect in December 2025, and other states run their own portals. Registration is often the first hard deadline an entity meets, because authorities cannot supervise a population they cannot see, and failing to register is itself a breach.
What counts as a significant incident under NIS2?
An incident is significant, and therefore reportable, if it has caused or is capable of causing severe operational disruption to the service or financial loss to the entity, or if it has affected or could affect others by causing considerable material or non-material damage. The thresholds are sharpened by sector-specific implementing rules for some categories, such as digital infrastructure providers. The practical test most teams use is simple: if you are unsure whether it qualifies, the 24-hour early warning is cheap insurance against a missed-reporting penalty.
Managed security

You cannot report in 24 hours what nothing is watching.

We map your Article 21 gaps against your national NIS2 law, stand up the detection and response that the reporting clock assumes, and run the monitoring so a significant incident is something you see rather than something you explain after the fact. Managed SIEM, security operations and open-source tooling run properly, by people who would rather tune it than sell you a box.

Your national law, not a generic checklist · Detection before paperwork · Monitored from inside the EU