Updated June 25, 2026
Summary: NIS-2 Directive (EU 2022/2555) holds board members personally liable for cybersecurity failures and requires essential entities to vet the jurisdictional exposure of every cloud provider in their supply chain. Sovereign infrastructure, combined with structured logging and documented TOMs, is the most defensible path to audit-ready compliance.

The NIS-2 Directive (EU 2022/2555) is the European Union’s binding cybersecurity framework for operators in critical sectors. It replaces the original NIS Directive, roughly doubles the number of covered sectors, introduces personal liability for board members, and ties supply-chain security obligations directly to the jurisdictional identity of cloud and software providers. For any organisation classified as an essential entity, the Directive is not a box-ticking exercise: it is a legal instrument with criminal referral potential and fines of up to EUR 10 million or two percent of global annual turnover.

Who falls under NIS-2 and what the Directive actually requires

NIS-2 creates two tiers: essential entities and important entities. Essential entities face stronger supervision, including proactive audits, while important entities are subject to reactive oversight triggered by incidents or complaints.

Annex I of EU 2022/2555 defines eleven sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management in a business-to-business context, public administration, and space. Within those sectors, organisations with more than 250 employees or annual turnover above EUR 50 million are automatically classified as essential. Annex II adds eight further sectors, including postal services, waste management, food production, chemicals and digital providers, where the threshold drops to 50 employees or EUR 10 million turnover for classification as an important entity.

The headline obligations under Article 21 cover four domains: risk management measures, incident handling, business continuity and supply-chain security. Each must be documented, tested and kept current. The Directive does not merely require that measures exist; it requires that management has formally approved them and that the organisation can demonstrate their effectiveness to a national competent authority on request.

Key threshold: Public administration bodies at central government level are classified as essential entities regardless of their headcount, meaning every ministry, regulatory body and national agency is in scope with no size exemption.

Supply-chain security and the jurisdictional problem of Big Tech cloud

Article 21(2)(d) of NIS-2 requires essential entities to assess and manage security risks arising in their supply chain, including the security practices and the jurisdictional exposure of direct suppliers and service providers.

This requirement has an underappreciated consequence for organisations using US-headquartered cloud platforms such as Microsoft Azure, Microsoft 365, Google Workspace or AWS. Under the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) and FISA Section 702 (Foreign Intelligence Surveillance Act), US authorities can compel these providers to disclose data stored anywhere in the world, including in EU data centres. The physical location of a server does not override the jurisdictional reach of the provider’s home country law. A national competent authority auditing an essential entity can reasonably ask: what foreign government access rights does your cloud provider carry, and how have you assessed that risk?

A sovereign infrastructure model, where hosting, processing and identity management are operated by a provider incorporated and legally domiciled in a jurisdiction without extraterritorial access laws, eliminates this structural exposure. Switzerland, under the revised Federal Act on Data Protection (revFADP) effective September 2023, provides a legal environment with no equivalent of the CLOUD Act. Choosing a Swiss-domiciled provider is therefore not merely a privacy preference; it is a documented risk mitigation that satisfies Article 21 supply-chain requirements in a way that a US-controlled provider with EU data centres cannot replicate.

“Supply chain security is no longer optional. Operators of essential services must understand who their third-party providers are, what jurisdiction those providers fall under, and what access foreign authorities may claim.” — ENISA, NIS Investments Report 2023

According to the ENISA NIS Investments Report 2023, NIS entities increased their security budgets by an average of 11 percent year-on-year, with supply-chain risk management cited as a primary driver of that increase. The same report found that third-party risk remains one of the least mature disciplines across covered organisations.

Incident reporting: the 24-72-720 structure and what CISOs must build

NIS-2 Article 23 imposes a three-stage reporting obligation for significant incidents: an early warning within 24 hours of awareness, a formal notification within 72 hours, and a final report within one month (approximately 720 hours). Each stage has specific content requirements.

The 24-hour early warning must state whether the incident is suspected to involve unlawful or malicious acts and whether it may have cross-border impact. The 72-hour notification must include an initial assessment of severity and scope. The monthly report must contain a full description of the incident, its root cause, mitigating measures applied, and the cross-border impact if any.

To meet these timelines without scrambling, a CISO needs three capabilities in place before an incident occurs. First, continuous log aggregation from all infrastructure components into a SIEM (Security Information and Event Management) system, with alert thresholds that distinguish nuisance from significant incidents using a documented classification scheme. Second, a tested incident response playbook that pre-assigns roles for legal, communications and technical response, with a named owner for each reporting stage. Third, tamper-evident log retention for at least twelve months, so that post-incident forensics can reconstruct the sequence of events for the monthly final report.

ENISA’s Threat Landscape 2023 identified supply-chain attacks as a primary vector, accounting for 17 percent of significant incidents analysed across NIS-covered sectors. Many of these incidents involved compromised credentials or malicious updates delivered through third-party software, precisely the scenario that sovereign, self-hosted infrastructure with controlled update pipelines is designed to prevent.

Practical implication: A log from a public cloud provider’s shared portal is not equivalent to sovereign log custody. If your cloud provider controls the logging pipeline, an advanced attacker with provider-level access can alter those logs. Essential entities should maintain an independent, immutable log copy outside the primary cloud environment.
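The tamper-evident retention and independent log copy described above can be implemented as a hash-chained append-only store whose head hash is anchored outside the primary environment. The example below is added here and is not code from the original article; the SIEM events, the field names and the anchoring approach are constructed assumptions for illustration.

```python
import hashlib
import json

# Constructed sample SIEM export (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2026-06-25T08:00:00Z", "src": "idp", "msg": "admin login from new device"},
    {"ts": "2026-06-25T08:02:10Z", "src": "fw", "msg": "outbound 40 GB to unknown host"},
    {"ts": "2026-06-25T08:03:00Z", "src": "edr", "msg": "credential dump tool blocked"},
]

GENESIS = "0" * 64  # hash of the (empty) entry before the first record


def entry_hash(prev_hash, event):
    """SHA-256 over the canonical JSON of the event, chained to the previous hash."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def build_chain(events):
    """Append-only log: every record carries the hash of the record before it."""
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (ok, index of first bad record); ok=True means no edit or deletion inside."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or entry_hash(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def head_matches(chain, anchored_head):
    """Compare the chain head with a head hash kept outside the primary cloud environment.

    A chain can be silently truncated at the end and still verify internally;
    only a copy of the head held elsewhere exposes that."""
    return bool(chain) and chain[-1]["hash"] == anchored_head
```

Anchoring the head hash (or a full mirrored copy) in an environment the cloud provider does not administer is what turns this from a local integrity check into the independent custody the paragraph calls for.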

Member-state implementation differences and cross-border compliance

NIS-2 is a directive, not a regulation, which means each EU member state transposes it into national law with some latitude. The deadline for transposition was 17 October 2023, and several member states missed it, creating a patchwork of enforcement environments that compliance officers in multi-jurisdictional organisations must navigate.

| Jurisdiction | Lead authority | Enforcement emphasis | Notable addition beyond NIS-2 minimum |
|---|---|---|---|
| Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | Proactive audit and registration-based supervision | KRITIS-DachG adds physical security requirements for critical infrastructure operators |
| Netherlands | NCSC-NL, with sector-specific authorities | Sector regulator-led, coordination through NCSC | Dutch Cybersecurity Act (Cyberbeveiligingswet) introduces self-assessment obligations |
| France | ANSSI (Agence nationale de la sécurité des systèmes d’information) | Certification-focused, aligned with SecNumCloud | SecNumCloud qualification effectively required for sovereign public sector hosting |
| Belgium | CCB (Centre for Cybersecurity Belgium) | Notification-driven, with sectoral competent authorities | Mandatory registration in the CCB portal before supervision begins |

Organisations operating across multiple EU member states must identify their main establishment under Article 26, which determines the lead competent authority, but remain subject to the national authorities of each member state where they operate services. The Network and Information Security Cooperation Group (NIS CG), established under Article 14 of the original NIS Directive and continued under NIS-2, coordinates cross-border supervision, but it does not eliminate the need for entity-level engagement with each national authority.

Technical and organisational measures: what audit evidence looks like

NIS-2 Article 21 specifies a minimum set of technical and organisational measures (TOMs). Auditors do not simply want a policy document; they want evidence that the policy is operational. The most defensible approach maps each Article 21 requirement to a control in ISO/IEC 27001:2022, the current version of the international information security management standard, because NIS-2 recitals explicitly reference risk-based frameworks of this kind.

For a sovereign infrastructure context, evidence should include: a current asset inventory covering every system that processes sensitive data, with its hosting location and legal jurisdiction clearly noted; encryption standards specifying named algorithms and key lengths (for example, AES-256 for data at rest, TLS 1.3 for data in transit, and a post-quantum key exchange algorithm for high-value channels); access control logs demonstrating least-privilege enforcement and regular access reviews; penetration test reports from the past twelve months, with remediation evidence; and a business continuity plan with a documented and tested recovery time objective.

The IBM Cost of a Data Breach Report 2023 found that the average cost of a data breach reached USD 4.45 million globally, the highest figure in the report’s history. Organisations with a mature incident response plan in place reduced their breach costs by an average of USD 1.49 million compared to those without. This figure makes the business case for TOM documentation concrete: it is not merely a compliance cost but a direct financial risk reduction measure.

Management accountability and personal liability under Article 20

Perhaps the most consequential change introduced by NIS-2 is Article 20, which requires member states to ensure that management bodies of essential entities can be held personally liable when a breach occurs because management failed to approve or oversee the required cybersecurity measures. This is not a corporate fine; it is personal exposure for named individuals.

“Board members cannot delegate cybersecurity responsibility and then claim ignorance when a breach occurs. NIS-2 is explicit: management bears accountability and can face personal sanctions.” — NCSC-NL, NIS-2 implementation guidance

In practice, this means that the CISO and compliance officer must ensure that cybersecurity risk assessments, incident response plans and supply-chain security evaluations are presented to, discussed by, and formally approved by the board or equivalent management body. Meeting minutes, board resolutions and signed policy documents are the evidence trail that separates a defensible position from personal liability exposure. An organisation that can show the board reviewed and approved its sovereign infrastructure strategy, including a documented assessment of why a US-controlled cloud provider was excluded, is materially better positioned in an enforcement proceeding than one that left these decisions entirely at the technical level.

FAQ

Which sectors are classified as essential entities under NIS-2?

NIS-2 Directive (EU 2022/2555) Annex I lists eleven sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration and space. Organisations in these sectors with more than 250 employees or annual turnover above EUR 50 million are automatically classified as essential entities.

What is the NIS-2 incident reporting timeline for essential entities?

Essential entities must submit an early warning to their national competent authority within 24 hours of becoming aware of a significant incident, a more detailed notification within 72 hours, and a final report within one month. The 24-hour early warning must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it has cross-border impact.

How does choosing a US-controlled cloud provider create a NIS-2 supply-chain risk?

Under the US CLOUD Act and FISA 702, US authorities can compel US-headquartered cloud providers to disclose data regardless of where that data is physically stored. NIS-2 Article 21 requires essential entities to address risks arising from their supply chain, including the jurisdictional exposure of each supplier. A provider subject to US jurisdiction introduces a structural risk that must be documented, assessed and either mitigated or eliminated. A provider incorporated and operating exclusively under EU or Swiss law does not carry that exposure.

Can board members face personal fines under NIS-2?

Yes. Article 20 of NIS-2 requires member states to ensure that management bodies of essential entities can be held personally liable for infringements caused by their failure to approve or oversee cybersecurity risk-management measures. Member states may also temporarily prohibit individuals from exercising managerial functions if an organisation repeatedly fails to comply.

What technical and organisational measures count as evidence in a NIS-2 audit?

Auditors look for documented risk assessments, an incident response plan with tested procedures, access control policies, encryption standards with named algorithms, asset inventories, business continuity plans, and evidence that these measures are reviewed regularly. Aligning with ISO/IEC 27001:2022 provides a recognised control framework that maps directly onto NIS-2 Article 21 requirements and simplifies the audit conversation with national competent authorities.
