NIS 1 vs NIS 2: key differences explained

A practical breakdown of what has changed and what it means for your organization.


The background of the NIS directive

The Network and Information Systems (NIS) directive was introduced in 2016 as the EU's first attempt to strengthen cybersecurity resilience across its member states. It was the first internal market instrument aimed at improving the EU's resilience against cybersecurity risks, and the first to standardise the cybersecurity response across member states. The directive was necessary because businesses increasingly relied on information technology, creating vulnerabilities that malicious actors could exploit.

Recognizing the importance of such measures, other countries worldwide have also been adopting unified frameworks to establish baseline cybersecurity requirements across sectors, such as the USA with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and Australia with the Security of Critical Infrastructure Act (SOCI).

By 2018, EU member states were required to transpose the NIS Directive into their national laws. A subsequent report, however, concluded that despite its achievements the NIS directive had shown its limitations. The rapid digital transformation accelerated by the COVID-19 pandemic, combined with a rising number of cyberattacks, emphasised the need for a broader and more robust cybersecurity framework. This led to the introduction of the NIS 2 directive, which came into force in January 2023.

Expanded scope of NIS 2

NIS 2 significantly expands the scope of its predecessor by including additional sectors beyond those covered by the original directive. While NIS 1 focused on critical sectors such as energy, transport, healthcare, finance, water management, and digital infrastructure, NIS 2 incorporates a broader range of industries. These now include providers of public electronic communications services, social platforms, waste water and waste management, manufacturing of critical products, postal and courier services, public administration (both at central and regional level), and space-related services.

[Figure: NIS 1 vs NIS 2 sectors in scope]

This expansion reflects the EU's recognition of how interconnected and vulnerable modern society has become to cyber threats. The inclusion of additional sectors ensures that critical services are better protected against potential disruptions caused by cyberattacks.

Classification of entities

Under NIS 2, organizations are classified into two categories: essential and important entities. These classifications determine the level of obligations imposed on organizations.

These categories are defined in Article 3 of the directive, with an essential entity being:

  • Large enterprises operating in a critical sector
  • DNS service providers
  • Trust service providers
  • Public administration bodies
  • Public electronic communication networks
  • Any critical entity according to the CER Directive (2022/2557)
  • Other entities specified by individual member states

Important entities are those that do not meet the criteria for an essential entity but fall under one of the following general criteria:

  • Provide a service or activity within the European Union
  • Are mid-sized or large organizations
  • Operate in one of the defined critical sectors


The size of an organization also plays a role in determining its classification. The directive provides the following definitions:

  • Small or micro organizations: fewer than 50 full-time employees (FTE) and turnover below €10 million
  • Medium-sized organizations: 50-249 FTE, or turnover exceeding €50 million, or a balance sheet total exceeding €43 million
  • Large organizations: more than 250 FTE, or turnover exceeding €50 million and a balance sheet total exceeding €43 million

Organizations may use whichever of the two financial measures (turnover or balance sheet total) is lower when assessing the thresholds for an important entity. This means they can exceed one of the financial requirements without becoming subject to the obligations of an essential entity.


Improvements in enforcement mechanisms

Under NIS 1, accountability was less clearly defined. NIS 2 changes this by making the management bodies of entities explicitly accountable for ensuring compliance with cybersecurity obligations. Executives can now face personal repercussions for non-compliance, including fines or bans from managerial roles, which promotes a culture of responsibility at the top level.

For instance, essential entities may face fines of up to €10 million or 2% of their total annual worldwide turnover, whichever is higher. Important entities could incur fines of up to €7 million or 1.4% of their turnover. In addition, public disclosure of non-compliance is mandated, which can lead to reputational damage and loss of stakeholder trust.

NIS 2 also mandates specific reporting timelines for cyber incidents: an early warning within 24 hours, a detailed incident notification within 72 hours, and a final report within one month. These timelines enhance situational awareness and enable swift responses to threats.

Cross-border cooperation

NIS 2 enhances cross-border cooperation through the establishment of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). This network facilitates swift and coordinated responses to large-scale cybersecurity incidents and crises across the EU. By promoting information sharing and joint preparedness activities among member states, EU-CyCLONe aims to strengthen the collective cybersecurity posture of the Union.

NIS 2 also mandates the creation of a Cooperation Group composed of representatives from member states, the European Commission, and the European Union Agency for Cybersecurity (ENISA). This group is tasked with supporting and facilitating strategic cooperation and information exchange among member states, further harmonizing cybersecurity practices across the EU.

Furthermore, each member state must designate single points of contact (SPOCs) to streamline communication between national authorities and facilitate cross-border collaboration during incidents.

Challenges in implementation

The deadline for member states to transpose NIS 2 into national law was 17 October 2024. However, as of February 2025, only seven out of the 27 EU member states have fully transposed it: Belgium, Croatia, Greece, Italy, Lithuania, Romania and Slovakia. The implementation approaches across these countries vary, making compliance particularly challenging for companies operating across multiple jurisdictions.

For instance, Belgium allows compliance through the CyFun framework, whereas Italy mandates a custom framework based on NIST. Lithuania accepts ISO 27001 certification with additional requirements based on recommendations from ENISA. Other countries may impose different requirements once NIS 2 is transposed into their national law. As a result, businesses with cross-border operations still struggle to navigate their compliance obligations effectively.


Importance of compliance

Despite these challenges, compliance with NIS 2 remains critical, not only to avoid substantial fines but also to mitigate cybersecurity risks that could have severe consequences for organizations and for national security. Strengthening cybersecurity measures is essential to ensuring the resilience of businesses and infrastructure against a growing threat landscape.
