NIS2 — IT definition

NIS2 (Network and Information Security 2, EU Directive 2022/2555) is the European directive that strengthens and extends cybersecurity requirements in Europe. It replaces the original NIS directive (2016) and applies to an expanded perimeter — about 160,000 entities in the EU, up from 18,000 under NIS — with stronger obligations on cyber risk management, incident notification, and supervision.

Transposed into French law by the act of 21 October 2024, NIS2 has become one of the main drivers of cybersecurity investment for European CIOs.

Who is subject to NIS2

NIS2 covers 18 critical sectors, split into two categories:

### "Essential" sectors (Annex I, 11 sectors)

• •Energy: (electricity, gas, oil, hydrogen, district heating).
• •Transport: (air, rail, maritime, road).
• •Banking and financial markets: (in complement to DORA for some aspects).
• •Healthcare: (hospitals, laboratories, drug manufacturers).
• •Drinking water and wastewater: .
• •Digital infrastructure: (DNS, TLD registries, IXP, cloud providers, datacenters, CDN).
• •Public administration: .
• •Space: .

### "Important" sectors (Annex II, 7 sectors)

• •Postal and courier services: .
• •Waste management: .
• •Manufacturing and distribution of chemicals: .
• •Food production and distribution: .
• •Manufacturing: (medical devices, computers, electronics, machinery, vehicles).
• •Digital service providers: (search engines, platforms, marketplaces, social networks).
• •Research: (research labs, institutes).

### Size thresholds

NIS2 applies to entities with at least 50 employees or €10M revenue in those sectors (with exceptions for certain activities).

NIS2 obligations

NIS2 imposes four categories of requirements:

### 1. Governance and responsibility

The executive committee is personally responsible for cybersecurity implementation and must be trained on these matters. Individual sanctions possible.

### 2. Cyber risk management

Implement a risk management framework covering:

• •Information security policy.
• •Incident management.
• •BCP / DRP.
• •Supply-chain security.
• •Network and system security.
• •Cryptography.
• •HR security.
• •Multi-factor authentication (MFA).

### 3. Incident notification

Notification to the competent authority (national CSIRT, e.g. ANSSI in France):

• •Early warning: within 24 hours after detection of a significant incident.
• •Detailed notification: within 72 hours.
• •Final report: within one month.

### 4. Supervision and sanctions

• •Regular audits by competent authorities.
• •Administrative fines: up to €10M or 2 % of global turnover for essential entities, €7M or 1.4 % for important entities.
• •Individual sanctions: for executives in cases of gross failure.
• •Activity suspension possible in extreme cases.

NIS2 and application mapping

NIS2 requires (articles 21 and 23):

• •An up-to-date inventory of critical assets and their dependencies.
• •Mapping of IT vendors: and their cyber-risk exposure.
• •Vulnerability tracking: across the supply chain (cf. SBOM).
• •Access traceability: to critical systems.

Without an up-to-date application map, producing this evidence during an audit becomes impossible. This is exactly what Kabeen provides: a live IT-estate graph of applications, dependencies, and IT vendors, exploitable for demonstrating NIS2 compliance.

NIS2 vs NIS vs [DORA](/en/glossary/dora)

• •NIS: (2016): 7 sectors, ~18,000 entities, lighter requirements.
• •NIS2: (2024): 18 sectors, ~160,000 entities, strengthened and harmonized requirements.
• •DORA: lex specialis for the European financial sector. Financial entities are subject to DORA, not NIS2.

Organizations are covered by one or the other, never both.

Compliance roadmap

Typical 12 to 18 month program:

1. Eligibility diagnosis: am I subject to NIS2? Essential or important?
2. Gap analysis: where am I against the 10 measures?
3. Critical IT estate mapping and vendor chain.
4. Risk management policy validated by the executive committee.
5. Incident notification procedure.
6. Awareness program and executive training.
7. Annual internal audit.
8. Registration with the competent authority.

Aligned standards and references

• •ISO 27001: information security management.
• •NIST Cybersecurity Framework: .
• •MITRE ATT&CK: threat taxonomy.
• •EBIOS RM: (ANSSI): risk-analysis method.
• •Local cybersecurity baselines: (e.g. PSSI in France).