The main difference between NIS1 and NIS2 is that NIS2 is the newer, more comprehensive version of NIS that retains the original’s cybersecurity foundation while expanding coverage to critical areas, including public administration, space, postal and courier services, chemical, food, waste management, and digital infrastructure, and imposing stricter obligations on both “essential” and newly defined “important” entities.
But what are the key differences between NIS1 and NIS2? How can organizations understand what has changed and how to prepare for compliance? Reading this article might be a good start.
What is NIS?
The Network and Information Systems Directive (NIS Directive) is the European Union’s first comprehensive cybersecurity law, adopted in 2016, that established common security and incident-reporting obligations for Operators of Essential Services (OES), such as energy, transport, banking, health, water, and digital infrastructure, and Digital Service Providers (DSP) like online marketplaces, search engines, and cloud computing platforms. It required Member States to develop national cybersecurity strategies, appoint competent authorities (e.g., CSIRTs), and ensure timely reporting of significant incidents.
Why Was NIS1 Important?
NIS was a significant step forward for cybersecurity in the European Union, aiming to ensure that critical infrastructure and essential services were protected from cyber threats. Since its introduction in 2016, the NIS Directive has been a cornerstone of cybersecurity regulation in the EU. However, the cybersecurity landscape has evolved, and so has the regulatory framework. Enter NIS2, the updated directive that replaces the original NIS1.
What is NIS2?
NIS2 is the successor to NIS1, introduced to address the shortcomings of the original directive and to adapt to the changing cybersecurity landscape. Officially known as Directive (EU) 2022/2555, NIS2 aims to enhance cybersecurity across the EU by setting stricter requirements and expanding the scope of the regulation to include more sectors and companies.
National Transposition of NIS2 Across the EU
The NIS2 Directive becomes effective only once each EU Member State transposes it into national law. Because every country follows its own legislative process, the specific obligations, supervisory models, and enforcement mechanisms differ across the EU. Examples include:
- Germany’s IT-Sicherheitsgesetz,
- France’s Loi de Programmation Militaire (LPM) cybersecurity provisions,
- Netherlands’ Wet beveiliging netwerk- en informatiesystemen (Wbni),
- Italy’s national NIS2 implementation decree,
- Poland’s ustawa o KSC.
For organizations operating in multiple countries, understanding these national differences is essential for full compliance.
How Did NIS2 Improve on NIS1?
Beyond expanding coverage to more sectors, NIS2 raises the bar with stricter horizontal cybersecurity and governance requirements. Entities must implement robust risk management measures, secure supply chains, streamline incident reporting with tighter timelines, and ensure vulnerability handling.
Crucially, NIS2 holds management bodies personally accountable for compliance failures and introduces significant penalties, including fines and potential service suspensions. It also establishes stronger supervisory and enforcement frameworks at the EU-wide level, including improved cross-border cooperation and cyber-crisis coordination mechanisms like EU-CyCLONe.
NIS2 vs. NIS1: Differences Table
To better understand how NIS2 differs from NIS1, let’s break down the key changes:

| Aspect | NIS1 | NIS2 |
|---|---|---|
| Scope | Applied to a limited number of essential sectors, such as energy, transport, healthcare, and finance. | Expanded to include more sectors, such as food supply, digital infrastructure, postal services, and more. |
| MFA Requirement | No explicit multi-factor authentication (MFA) requirement. | Requires MFA in Article 21(2)(j). |
| Sectors Covered | Essential sectors only. | Both essential and important sectors, including medium to large companies. |
| Minimum Security Requirements | Less specific, with broader guidelines. | More concrete and detailed minimum security measures that organizations must implement. |
| Risk Management | Focused on broader risk management practices. | Introduces a specific risk management approach with more detailed requirements. |
| Incident Reporting | Required, but less standardized across member states. | Stricter and more standardized incident reporting requirements across the EU, including reporting significant incidents within 24 hours and a detailed report within 72 hours. |
| Supply Chain Security | Limited focus on supply chain risks. | Stronger emphasis on addressing security risks within supply chains, including third-party relationships. |
| Supervision and Enforcement | Varied enforcement across different EU member states. | Stricter and more uniform enforcement powers for national authorities, with consistent penalties across member states. |
| Non-Compliance Fines and Penalties | Specifics of penalties were left to the discretion of individual EU member states. | More uniform and stricter penalties, including fines up to €10 million or 2% of global turnover. |
| Governance and Accountability | General expectations for organizational responsibility. | Clear governance structures and accountability measures, including the requirement for management bodies to approve cybersecurity measures and be held accountable for non-compliance. |
| Cooperation Among Member States | Limited cooperation and information sharing. | Enhanced cooperation, including the establishment of the European Cyber Crises Liaison Organization Network (EU-CyCLONe) for coordinated responses. |
| Cyber Hygiene and Awareness | Limited emphasis on staff training and awareness. | Stronger focus on promoting cyber hygiene and regular cybersecurity training for employees. |
Key Differences Between NIS1 and NIS2
1. Expanded Scope
One of the most significant changes in NIS2 is the expanded scope.
While NIS1 applied only to operators of essential services in specific sectors, NIS2 broadens this to include additional industries and a wider range of digital service providers. This means that many new sectors now fall under the directive’s purview, including:
- Public administration
- Space
- Postal and courier services
- Production, processing and distribution of food
- Manufacture, production and distribution of chemicals
- Digital infrastructure & ICT services / Digital providers
- Waste management
The inclusion of these sectors reflects the growing importance of digital infrastructure and the need to improve the resilience of network and information systems across the EU.
2. Explicit Multi-Factor Authentication (MFA) Requirement
Article 21(2)(j) of the NIS2 Directive mandates the use of multi-factor authentication (MFA) where appropriate to secure voice, text, and video communications, as well as internal communication systems during emergencies.
In addition, Article 21 of NIS2 highlights the need to protect human resources, enforce access control policies, manage assets, and secure supply chains, all of which can be enhanced with MFA.
3. More Concrete Security Requirements
NIS1 provided general guidelines on security measures, but NIS2 goes further by specifying detailed minimum security requirements that organizations must implement. These requirements are designed to ensure that all covered entities adopt a risk management approach that includes technical, operational, and organizational measures. This change makes it easier for organizations to understand what is expected of them and helps create a more consistent level of security across the EU.
4. Stronger Emphasis on Supply Chain Security
NIS2 places a much stronger emphasis on supply chain security, recognizing that vulnerabilities in the supply chain can be a significant source of risk. Organizations are now required to address security risks that arise from their relationships with third-party suppliers and service providers. This includes conducting thorough risk assessments and ensuring that suppliers meet the necessary security standards.
5. Governance and Accountability
NIS2 introduces clearer governance structures and accountability measures within organizations. Management bodies are now required to approve cybersecurity risk management measures and can be held accountable for non-compliance. This change ensures that cybersecurity is treated as a top priority at the highest levels of an organization, leading to more effective implementation of security practices.

6. Cooperation Among Member States
NIS2 emphasizes enhanced cooperation and information sharing among EU member states. The directive establishes the European Cyber Crises Liaison Organization Network (EU-CyCLONe) to support coordinated responses to large-scale cybersecurity incidents. This network facilitates a unified and efficient approach to handling significant cybersecurity threats across the EU.
7. Reporting Timelines
Under NIS2, organizations must adhere to more precise timelines for incident reporting. Significant incidents must be reported within 24 hours of detection, with a detailed report to follow within 72 hours. These standardized reporting timelines ensure that cybersecurity incidents are addressed promptly and consistently across the EU.
8. Risk-Based and Sector-Aware Security Expectations
NIS2 expands the scope of covered entities and adopts a unified, risk-based cybersecurity framework that applies broadly across sectors. While the underlying requirements are consistent, organizations in different sectors are expected to assess and manage their specific risk profiles and implement appropriate measures that reflect the nature of their operational challenges. This approach promotes effective and context-sensitive cybersecurity practices without prescribing entirely separate technical regimes per industry.
9. Cyber Hygiene and Awareness
NIS2 places a stronger emphasis on promoting cyber hygiene and awareness among employees. Organizations are now required to conduct regular training and awareness programs to ensure that staff are well-informed about cybersecurity risks and best practices. This focus on employee awareness helps to build a culture of security within organizations, reducing the likelihood of successful cyberattacks.
10. International Cooperation
NIS2 also encourages cooperation with third countries and international organizations to enhance global cybersecurity resilience. By fostering collaboration beyond the EU, NIS2 aims to strengthen global defenses against cyber threats and ensure a coordinated response to international cybersecurity challenges.
Conclusion
NIS2 represents a significant evolution of the original NIS Directive, addressing its shortcomings and adapting to the current cybersecurity landscape. The expanded scope, more concrete security requirements, stronger emphasis on supply chain security, and stricter enforcement measures make NIS2 a more robust and comprehensive framework for protecting critical infrastructure and essential services across the EU. Moreover, NIS2 introduces clearer governance structures, enhances cooperation among member states, and places a greater focus on cyber hygiene and international collaboration.