NIS2

What NIS2 is

NIS2 (Network and Information Security Directive 2, Directive 2022/2555) is the European baseline regulation for cybersecurity across critical economic sectors. It replaces the 2016 NIS directive, broadening the scope of organisations covered and significantly raising the obligation bar.

Who is in scope

Organisations are covered if they:

• operate in one of the 18 sectors listed in annexes I and II (energy, transport, finance, healthcare, water, digital infrastructure, space, public administration, manufacturing, food, research, etc.);
• employ more than 50 staff or exceed €10M in annual turnover;
• or are specifically designated by national decree for their criticality.

NIS2 distinguishes essential entities (max fine €10M or 2% of worldwide turnover) from important entities (max fine €7M or 1.4%).

Core obligations

• Documented and maintained risk analysis covering the supply chain.
• Proportionate technical and organisational measures (access management, encryption, monitoring, incident handling).
• Incident notification to the relevant national authority (ANSSI in France) within 24 h (early warning), 72 h (notification) and one month (final report).
• Cybersecurity training for leadership and concerned staff.
• Personal accountability of executives — temporary bans from holding directorship roles are possible for serious breaches.

NIS2 at Hexceos

Hexceos supports clients through NIS2 scoping, gap analysis, operational remediation and documentation for ANSSI inspections. See our audit & compliance services and our deep-dive article NIS2 in 2026 — who is really concerned.