NIS-2 Compliance: The Complete Implementation Guide for 2026

By Alessandro Stella · 25 min read

2026 is the year NIS-2 stops being a paper exercise. After the registration phase that, in Italy alone, brought more than 30,000 organisations onto the National Cybersecurity Agency (ACN) platform during 2025, Directive (EU) 2022/2555 enters its operational phase across the EU. Member States have transposed the text into national law, competent authorities have published implementing measures, the first conformity assessment deadlines have already passed in some countries, and inspections are scheduled to begin in others before year-end. The grace period is over.

For compliance managers, CISOs, DPOs and members of management bodies, this means that “we are working on NIS-2” no longer reassures anyone. Auditors, regulators and customers expect documented evidence that the ten risk-management measures are implemented, that the management body has approved them, that incident reporting timelines are operational, and that supply chain risk is monitored. Demonstrable controls, not stated intent.

This guide walks through what NIS-2 compliance actually requires in 2026: scope, the ten Article 21 measures, the incident reporting clock, the documentation regulators ask for first, the 2026 calendar of national deadlines, the penalty regime, and a step-by-step implementation path. It is the pillar entry point for the rest of the NIS-2 cluster on Docply — each section links to a deeper article when one exists.

What NIS-2 is, and why it is not just NIS-1 with a higher number

Directive (EU) 2022/2555 — commonly NIS-2 — is the EU’s framework to raise the common level of cybersecurity across 18 critical sectors. It entered into force in January 2023 and replaced the original NIS Directive (2016/1148) on 18 October 2024. Member States had until 17 October 2024 to transpose it into national law; most missed the deadline, and transposition concluded across the EU during 2025 and early 2026.

NIS-2 is not a tweak to NIS-1. It is a structural rewrite that closes the gaps the original directive left open: a narrow scope, unspecified “appropriate measures”, and enforcement and penalties left to Member State discretion.

The shift in posture is the point. NIS-1 was a compliance directive; NIS-2 is a governance and accountability directive that happens to also list controls.

Who must comply: essential vs important entities

NIS-2 applies to entities that meet two cumulative criteria: they operate in one of the sectors listed in Annex I (highly critical) or Annex II (other critical), and they meet the medium or large enterprise size threshold under Commission Recommendation 2003/361/EC — broadly, more than 50 employees and either over €10 million in annual turnover or over €10 million on the balance sheet.

Below that threshold, you are generally outside scope, with important exceptions: certain entity types are in scope regardless of size when their failure would have significant societal impact. This includes qualified trust service providers, top-level domain name registries, DNS service providers, and providers of public electronic communications networks. Member States can also designate specific entities into scope on a case-by-case basis.

Within scope, NIS-2 distinguishes between two categories that determine the level of supervision, the speed of enforcement, and the ceiling of fines.

Essential entities are large operators in highly critical sectors (Annex I): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. They are subject to ex-ante supervision: regulators can audit, inspect, and enforce without waiting for an incident.

Important entities are medium operators in highly critical sectors and most operators in Annex II sectors: postal and courier services, waste management, manufacturing of chemicals, food production, manufacturing of medical devices, computers and electronics, machinery, motor vehicles, digital providers (search engines, online marketplaces, social networks), and research organisations. Supervision is ex-post: regulators react when there is evidence of non-compliance.

The exact list of in-scope entities is maintained by each Member State’s competent authority. In Italy, ACN runs the registration platform; in Germany, the BSI portal opened on 6 January 2026; in Belgium, the Centre for Cybersecurity Belgium operates the equivalent. The classification — essential vs important, or out of scope — is largely self-assessed by the entity, then validated and recorded by the authority. Getting it wrong in either direction is risky: under-classifying invites enforcement, over-classifying loads the organisation with obligations it did not need to assume.

For a deeper walkthrough of the entity matrix, sector-by-sector size thresholds, and the safeguard clauses that allow some entities to argue independence, see the dedicated article on who must comply with NIS-2.

The ten Article 21 cybersecurity risk-management measures

Article 21(2) of the Directive lists ten minimum risk-management areas every essential and important entity must implement. The measures are technology-neutral and outcome-based: the Directive tells you what to achieve, not which tool to buy. The proportionality clause in Article 21(1) means depth and sophistication scale with risk exposure, entity size, and the severity of potential incidents — a 60-person manufacturer is not held to the same control depth as a transmission system operator, but both must address all ten areas.

The ten measures are:

  1. Policies on risk analysis and information system security. A documented risk methodology, a security policy approved by the management body, and a risk register that ties identified risks to mitigation actions and owners.
  2. Incident handling. Detection, analysis, containment, eradication, recovery, and post-incident review. To be read together with Article 23: incident handling internally must produce the data Article 23 requires you to report externally within 24 hours.
  3. Business continuity. Backup management, disaster recovery, crisis management, and tested failover procedures. Backups alone are not continuity; restore tests with measured RTO and RPO are.
  4. Supply chain security. Risk assessment of direct suppliers and service providers, contractual security obligations, and continuous monitoring. This is consistently the hardest measure for SMEs to evidence in audit, because it requires reaching beyond the perimeter you control.
  5. Security in network and information systems acquisition, development and maintenance. Secure development lifecycle, vulnerability handling, and patch management with documented timelines.
  6. Policies and procedures to assess effectiveness of risk-management measures. Internal audit, KPI tracking, periodic management review. NIS-2 demands measurement, not just implementation.
  7. Basic cyber hygiene practices and training. Acceptable use, password management, mobile device policy, anti-phishing awareness, recurring training with completion records. Article 20 separately requires training for the management body itself.
  8. Cryptography and encryption policies. Where appropriate, governing data at rest, data in transit, key management, and algorithm choice. “Where appropriate” does not mean “optional”; it means scoped to where it provides real risk reduction.
  9. Human resources security, access control, and asset management. Onboarding/offboarding controls, role-based access, privileged access management, asset inventory, and clean desk/clean screen policies.
  10. Multi-factor authentication, secure communications and emergency communications. MFA on remote access, privileged accounts, and email at minimum. Secure voice/video where the risk profile justifies it, and an emergency communication channel that works when the primary one is compromised.

These ten areas are not optional categories you pick from. Every in-scope entity must address every one of them, with depth proportionate to risk. Many organisations already covered through ISO/IEC 27001 will recognise most controls — but ISO certification alone is not full NIS-2 compliance. Gaps typically appear around supply chain security, explicit MFA requirements, incident reporting timelines, and the management body accountability that ISO does not enforce.

For implementation depth on each measure, including evidence examples and common nonconformities, see the 10 NIS-2 cybersecurity risk management measures.

The incident reporting clock: 24h, 72h, 1 month

Article 23 imposes a three-stage reporting cascade for any “significant incident” — broadly, an incident that has caused or is capable of causing severe operational disruption, financial loss, or material harm to other entities or persons:

  1. Early warning within 24 hours of becoming aware of the significant incident.
  2. Incident notification within 72 hours of becoming aware.
  3. Final report within one month.

The CSIRT or authority can request an interim report at any point during the incident.

Two practical implications. First, the 24-hour early warning is hard if your detection capability is reactive: if you only learn about incidents from a customer complaint or a vendor email, you will routinely miss the window. Operational detection — SIEM, EDR, IDS/IPS appropriate to the entity’s risk profile, with monitored alerts and a triage runbook — is the foundation that makes reporting possible. Second, the 24-hour clock starts when the entity becomes aware of the incident, not when the incident occurred. Awareness must be defined and documented: who decides an event is a “significant incident”, on what criteria, with what authority to escalate. Without this, the clock starts ambiguously and disputes follow.
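The awareness-driven clock described above, as an added example that is not part of the original article: the recorded classification decision is the awareness moment, and the 24h/72h/1-month deadlines derive from it rather than from occurrence or first detection. The cloud threshold is the 5%-of-users / 1-hour figure the FAQ below cites from Implementing Regulation (EU) 2024/2690; the financial-loss threshold, triage SLA, role name and incident identifier are constructed placeholders.

```python
"""Added example (not from the original article): the Article 23 reporting
clock driven by a recorded classification decision. The cascade runs from the
moment the entity becomes aware that an event is a significant incident, not
from occurrence or first detection. The cloud threshold is the 5%-of-users /
1-hour figure from Implementing Regulation (EU) 2024/2690 cited in the FAQ
below; the loss threshold and triage SLA are hypothetical placeholders."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical entity-specific values (assumptions, not from the article).
FINANCIAL_LOSS_THRESHOLD_EUR = 100_000.0  # "severe financial loss" cut-off
TRIAGE_SLA = timedelta(hours=4)           # max time from detection to decision


@dataclass(frozen=True)
class IncidentEvent:
    incident_id: str
    occurred_at: datetime           # when the event actually happened
    detected_at: datetime           # when monitoring first raised an alert
    service: str                    # e.g. "cloud" (Annex I digital infrastructure)
    affected_user_share: float      # fraction of users affected, 0.0 to 1.0
    outage_duration: timedelta
    financial_loss_eur: float = 0.0
    third_party_harm: bool = False  # considerable damage to other persons


@dataclass(frozen=True)
class ClassificationDecision:
    significant: bool
    criteria_met: tuple[str, ...]
    decided_by: str                 # named role with authority to classify
    decided_at: datetime            # the documented "awareness" moment
    triage_lag: timedelta           # detected_at -> decided_at


def classify(event: IncidentEvent, decided_by: str,
             decided_at: datetime) -> ClassificationDecision:
    """Apply the documented significance criteria and record who decided, when."""
    met: list[str] = []
    # Threshold for cloud computing services as cited in the article's FAQ.
    if (event.service == "cloud" and event.affected_user_share > 0.05
            and event.outage_duration > timedelta(hours=1)):
        met.append("IR 2024/2690: >5% of cloud users affected for >1 hour")
    if event.financial_loss_eur > FINANCIAL_LOSS_THRESHOLD_EUR:
        met.append("severe financial loss to the entity (entity threshold)")
    if event.third_party_harm:
        met.append("considerable damage to other natural or legal persons")
    return ClassificationDecision(bool(met), tuple(met), decided_by, decided_at,
                                  decided_at - event.detected_at)


def add_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def reporting_schedule(decision: ClassificationDecision) -> dict[str, object] | None:
    """Derive the Article 23 deadlines from the awareness moment; None if not reportable."""
    if not decision.significant:
        return None
    t0 = decision.decided_at  # the clock starts at awareness, not at occurrence
    notification_due = t0 + timedelta(hours=72)
    return {
        "early_warning_due": (t0 + timedelta(hours=24)).isoformat(),
        "notification_due": notification_due.isoformat(),
        # Final report: one month after the notification is submitted, modelled
        # here as one month after the 72h deadline (the latest permissible date).
        "final_report_due": add_one_month(notification_due).isoformat(),
        # Slow triage does not move the clock; it makes the awareness date arguable.
        "triage_sla_breached": decision.triage_lag > TRIAGE_SLA,
    }


def run_example(affected_user_share: float = 0.12) -> dict[str, object]:
    """Constructed sample: an overnight cloud outage classified by the CISO at 10:00 UTC."""
    utc = timezone.utc
    event = IncidentEvent(
        incident_id="INC-EXAMPLE-001",  # constructed identifier
        occurred_at=datetime(2026, 1, 28, 2, 0, tzinfo=utc),
        detected_at=datetime(2026, 1, 28, 2, 30, tzinfo=utc),
        service="cloud", affected_user_share=affected_user_share,
        outage_duration=timedelta(hours=3))
    decision = classify(event, "CISO", datetime(2026, 1, 28, 10, 0, tzinfo=utc))
    return {"significant": decision.significant,
            "criteria_met": list(decision.criteria_met),
            "decided_by": decision.decided_by,
            "triage_lag_hours": decision.triage_lag.total_seconds() / 3600,
            "schedule": reporting_schedule(decision)}
```

The sample deliberately lands the 72-hour deadline on 31 January so the month-end clamp in the final-report date is visible, and the seven-and-a-half-hour triage lag shows how an undocumented detection-to-decision gap becomes the point a regulator disputes.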

Member States have layered additional reporting obligations on top. In Italy, the ACN Determination 379907/2025 and the April 2026 Determinations 127434/2026 and 127437/2026 specify the platform, the format, and the scope of significant incident notifications, with full reporting obligations entering into force on 1 January 2027 for entities first listed in 2026. In Germany, reporting goes through the BSI portal opened in January 2026.

The dedicated article on the NIS-2 incident reporting timeline covers the classification thresholds, the differences across major Member States, and the templates we publish for early warning, 72-hour notification, and final report.

The 2026 deadline calendar

Talking about “the NIS-2 deadline” is misleading because there is no single date. There is a cascade of national deadlines that vary by Member State and by entity classification. The picture as it stands in May 2026:

Italy. D.Lgs. 138/2024 transposed NIS-2 with effect from 16 October 2024. Registration on the ACN platform was due by 28 February 2025. Incident notification became operational from 15 January 2026 for the entities first listed in 2025. ACN Determination 379907/2025 and the April 2026 Determinations have set the implementation calendar: basic security measures by October 2026 for the 2025-listed cohort, and 31 July 2027 for entities first listed during 2026. Inspections by ACN can begin from October 2026. The annual update window for activity classification on the platform runs from May to June every year.

Germany. The NIS-2 Implementation Act amended the BSI Act and entered into force on 6 December 2025. The BSI registration portal opened on 6 January 2026. Registration deadline: three months after the Act enters into force — by April 2026. Incident reporting: 24/72/30 days, identical to the Directive’s structure. Around 29,500 entities are now under BSI supervision, up from 4,500 under NIS-1.

Belgium. First Member State to enforce a hard NIS-2 conformity assessment deadline. By 18 April 2026, essential entities had to demonstrate active implementation of risk-management measures via one of three pathways: CyberFundamentals (CyFun) verification, ISO/IEC 27001 certification scope plus Statement of Applicability and most recent internal audit, or direct CCB inspection. Self-attestation alone was not accepted.

Poland. The amended Act on the National Cybersecurity System (KSC) entered into force on 3 April 2026. The official list of key and important entities launched on 13 April 2026. Scope expanded to roughly 42,000 organisations, including food production and waste management.

EU level. On 20 January 2026, the European Commission proposed targeted amendments to NIS-2 as part of a new cybersecurity package, aimed at simplifying compliance — particularly for the estimated 6,200 micro and small-sized enterprises drawn into scope. The amendments are in the legislative process; nothing has changed yet for in-scope entities, and the existing obligations remain fully applicable.

The pattern is consistent across Member States: 2025 was registration and self-classification, 2026 is implementation and the start of supervision, 2027 is full operational compliance for the entities first listed in 2026. The grace period is structural to the rollout, not optional discretion: regulators are signalling they will enforce.

If you need the country-specific deadline matrix in one place, the NIS-2 implementation timeline article breaks it down with a 60-day implementation plan that maps to the calendar above.

Documentation: what regulators ask for first

A common mistake is treating NIS-2 compliance as a control-implementation project, then realising at audit time that controls without evidence are indistinguishable from no controls at all. Article 21 is implementation; what regulators inspect is evidence of implementation. The documentation set is the deliverable.

The minimum documentation footprint of a credible NIS-2 programme is a coherent body of policies, procedures, plans, registers, and reports. Organised by function, it looks like this:

Governance and setup. A project launch decision approved by the management body, a defined NIS-2 scope statement, a documented governance model identifying roles and responsibilities, and a record of the management body’s approval of the cybersecurity programme.

Risk management. A risk assessment methodology, a current risk assessment with identified risks and assigned owners, a risk treatment plan, and a Statement of Applicability if you are using ISO 27001 as a baseline.

Cybersecurity operations. Policies and procedures covering access control, password management, MFA, cryptography, secure configuration, vulnerability management, patch management, logging and monitoring, malware protection, network security, and acceptable use. This is the largest documentation block for most organisations.

Business continuity and crisis management. A business impact analysis, a business continuity plan, a disaster recovery plan, a backup policy with tested restore procedures, and a crisis communication plan.

Supply chain security. A supplier security policy, a supplier risk assessment register, contractual security clauses (template), and a supplier monitoring procedure.

Effectiveness and audit. An internal audit programme, an internal audit procedure, audit reports, KPIs and management review records, and corrective action records.

Incident management. An incident response plan, an incident handling procedure, the early warning, 72-hour notification and final report templates aligned with Article 23, and an incident register.

Corrective actions and training. A training plan with management body training included, training records, awareness campaign materials, and a corrective action register.

This is the structure of the Docply NIS-2 Total Kit — 77 documents organised into 8 bundles — and it is also a generic shape any organisation can build to. The exact count is less important than coherence: a smaller set that is approved, current, used, and demonstrably reviewed beats a thicker set that lives in a SharePoint folder nobody opens.

For a direct view of the document set most regulators expect, the NIS-2 documentation checklist lists every artefact by bundle with priority and Article 21 mapping.

Penalties, enforcement, and personal liability

NIS-2 introduces a harmonised penalty regime that NIS-1 lacked. Article 34 sets ceilings; Member States set the exact amounts within those ceilings. The numbers are significant.

For essential entities, administrative fines can reach €10 million or 2% of global annual turnover, whichever is higher. For important entities, the ceiling is €7 million or 1.4% of global annual turnover, whichever is higher. Beyond fines, regulators have a battery of supervisory tools: binding instructions, ordering corrective actions within deadlines, designating a monitoring officer, ordering public disclosure of the infringement, and — for essential entities — temporarily suspending authorisation to operate certain services.

Article 32(6) introduces personal liability for management. In cases of gross non-compliance, regulators can impose temporary bans on individuals exercising management functions, including CEOs and board members. This is the regulatory teeth behind Article 20’s accountability principle. National authorities are no longer just looking at server logs; they are examining board meeting minutes to verify that leadership approved the cybersecurity programme, oversaw its implementation, and completed the required training.

Enforcement is starting to bite. Member States have been activating supervisory powers throughout the first half of 2026, and the conformity assessment deadlines passed in April have already produced the first wave of administrative measures against late or incomplete submissions. The pattern that emerged from GDPR — high-profile early enforcement actions to set the tone — is repeating with NIS-2.

A common misconception worth addressing: ISO 27001 certification does not constitute full NIS-2 compliance in most jurisdictions. It significantly reduces the gap and provides auditors with a recognised evidence baseline, but organisations must still demonstrate implementation of all Article 21 measures, the Article 20 governance obligations, and the Article 23 reporting capability. ISO 27001 is a strong foundation; NIS-2 is the regulated extension on top.

For the full breakdown of fines, supervisory measures and the case law emerging from early enforcement, see NIS-2 penalties and enforcement.

A pragmatic implementation path

Compliance projects fail when they try to do everything at once. NIS-2 is broad enough that the only way through is in stages, with each stage producing evidence the next stage can build on. Below is the sequence we recommend — proven across consulting engagements and reflected in the bundle structure of the Docply Total Kit.

Stage 1 — Scoping and governance (weeks 1-2). Confirm whether the organisation is essential, important, or out of scope. Register on the national platform if applicable. Draft and approve the project launch decision. Define the cybersecurity governance model: who owns what, escalation paths, the role of the management body. Schedule the first management body training.

Stage 2 — Risk assessment (weeks 3-5). Inventory critical assets, services, and data. Apply a documented risk methodology — ISO 27005 is a defensible default. Produce the risk register and risk treatment plan, with owners and timelines. Get the management body to approve both.

Stage 3 — Core controls implementation (weeks 6-12). Address the ten Article 21 areas in priority order: governance and access control first, then incident handling and business continuity, then supply chain. Implement what is missing, document what already exists. Resist the temptation to write policies for controls that are not actually in operation — auditors detect this immediately.

Stage 4 — Incident reporting capability (weeks 8-10, in parallel). Build the detection, classification and reporting pipeline. Define what counts as a significant incident with named decision-makers. Test the 24/72/30-day workflow with a tabletop exercise before you need it for real.

Stage 5 — Supply chain (weeks 10-14). Inventory direct suppliers in scope. Send security questionnaires. Update contracts with security clauses for new suppliers; renegotiate critical existing ones. Set up monitoring — even quarterly review of public security disclosures is better than nothing.

Stage 6 — Effectiveness and audit (weeks 14-16). Run the first internal audit. Document findings and corrective actions. Hold the first management review meeting. This stage is what turns implementation into a system; without it, the programme drifts within months.

Stage 7 — Training and awareness (continuous). Roll out role-based training. Run phishing simulations. Track completion. Repeat at defined frequency.

The sequence assumes a 14-16 week first iteration. Larger and more complex organisations take longer; mid-market organisations with reasonable IT maturity can compress it. The shape stays the same. After the first cycle, the work becomes maintenance: annual risk reassessment, annual internal audit, quarterly management review, continuous incident handling, continuous supplier monitoring.

For the day-by-day breakdown of a 60-day implementation sprint and the detailed NIS-2 audit readiness checklist, see the linked supporting articles.

What to do this month if you are starting from zero

If you are reading this in May 2026 and your organisation has not yet started, the picture is not catastrophic but it is urgent. The structural deadlines for entities first listed during 2026 are mostly in 2027, but inspections in several Member States can already begin, and the documentation footprint required to pass an inspection takes weeks to build, not days.

Three concrete moves to make this week:

  1. Confirm classification. Verify whether you are essential, important, or out of scope. If you are in scope, register on the national platform if you have not already. The penalty for late registration is among the easiest to receive and among the hardest to argue against.
  2. Run a gap assessment. Pick a recognised baseline — ISO 27001 Annex A is the most common — and map your current controls against it. Article 21 maps cleanly onto ISO 27001. Where you have controls without documentation, the gap is documentation. Where you have neither, the gap is real; prioritise it.
  3. Get the management body briefed. Article 20 makes them accountable; brief them. A 60-90 minute session on what NIS-2 obligates, what their personal liability looks like, and what decisions they need to make and approve. Document the briefing — it is the first piece of evidence in your file.

From there, the implementation path in the previous section gives you the sequence.

How Docply fits in

Docply was built for this gap: the gap between the regulatory requirements and the documentation footprint that proves you have met them. The NIS-2 Total Kit is 77 documents — policies, procedures, plans, registers, and report templates — organised into the eight bundles that map to the Article 21 measures and the Article 23 reporting cascade. Drafted by a regulatory consultant, written in audit-ready language, customisable to the entity’s actual scope, lifetime updates included.

It does not replace the work of running the programme — that part is yours. It removes the months of drafting from a blank page that most compliance teams budget for, and lets you spend the time on implementation, evidence, and operations instead. Three sample documents are downloadable from the kit page if you want to assess the quality before committing.

The rest of the NIS-2 cluster on this blog goes deep on each piece: the 10 Article 21 measures, the incident reporting timeline, the management responsibilities under Article 20, the risk assessment methodology, the documentation checklist, and the 60-day implementation timeline. Bookmark this page as the index — it is the entry point we keep updated as the regulatory landscape evolves.

Frequently Asked Questions

What is the difference between NIS-2 and NIS-1?

NIS-2 is a structural rewrite of NIS-1, not an update. The original 2016 directive applied to roughly 6,000 entities across the EU, listed “appropriate measures” without specifying which, left enforcement and penalties to Member State discretion, and produced fragmented, inconsistent implementation. NIS-2 expands scope to roughly 110,000 entities, mandates ten specific risk-management measures in Article 21, imposes a strict 24/72/30-day incident reporting cascade, makes the management body personally accountable under Article 20, and harmonises penalties up to €10 million or 2% of global turnover. The shift from “do something appropriate” to “implement these ten measures, report incidents on this clock, and prove your board approved it” is the substantive change.

Does NIS-2 apply to companies outside the EU?

Yes, in two ways. Direct: NIS-2 applies to non-EU entities that provide in-scope services within the EU — for example, a US cloud provider serving European customers must comply for that part of its operations and must designate an EU representative. Indirect, and more common: any non-EU company in the supply chain of an in-scope EU entity will be pulled into NIS-2 obligations contractually. Article 21’s supply chain measure requires in-scope entities to assess and monitor their suppliers, regardless of where the supplier is based. If you are a US, UK or Asian vendor selling to European essential or important entities, your customers will start asking for security questionnaires, contractual security clauses, and evidence of controls. The requirement reaches you through procurement, not through the regulator.

Is ISO 27001 enough for NIS-2 compliance?

No, but it is the strongest foundation. An ISO 27001-certified ISMS covers most of Article 21 — risk management, access control, cryptography, incident handling, business continuity, supplier security — and gives auditors a recognised evidence baseline. The gaps that consistently remain are: explicit MFA requirements (ISO 27001 says “consider”, NIS-2 says “implement where appropriate”), the 24/72/30-day incident reporting timeline (Article 23 is more prescriptive than ISO incident management), management body accountability and training (Article 20 is sharper than the ISO governance clauses), and supply chain depth (NIS-2 is more demanding than ISO Annex A.5.19-A.5.22). Treat ISO 27001 as 70-80% of the way to NIS-2 readiness, then close the residual gap with targeted controls and documentation. See the ISO 27001 vs NIS-2 comparison for the full mapping.

What happens if my organisation misses the registration deadline?

Late registration is the easiest violation to receive and the hardest to argue against — there is no ambiguity, the deadline is fixed, you are either on the platform or you are not. Consequences depend on the Member State but follow a consistent pattern: an administrative measure ordering immediate registration, a fine proportionate to the delay, and increased supervisory scrutiny going forward. You become the entity the authority opens with, not the one it gets to last. Practical advice if you have missed the window: register immediately, document the reason for the delay if there is a defensible one, and accelerate the implementation calendar to compensate. Regulators are markedly more lenient on entities that self-correct than on entities they have to chase.

How long does NIS-2 implementation typically take?

For a mid-market organisation (50-500 employees) with reasonable IT maturity and no prior ISO 27001 certification, expect 14-16 weeks for a credible first iteration of the programme — scoping and governance, risk assessment, core controls, incident reporting capability, supply chain, internal audit, training. Larger or more complex organisations take 6-9 months. Organisations already ISO 27001-certified can compress to 8-10 weeks because most controls and documentation already exist. These figures cover reaching audit-ready state; ongoing maintenance is then continuous, with annual risk reassessment, annual internal audit, quarterly management review, and continuous incident handling and supplier monitoring. The trap to avoid is treating NIS-2 as a finite project rather than a permanent operating system.

Who is responsible for NIS-2 compliance within an organisation?

Three layers, each with a defined role. The management body (board of directors, C-suite) approves the cybersecurity programme, oversees its implementation, completes mandatory training, and is personally liable under Article 32(6) in cases of gross non-compliance. They cannot delegate this accountability away. The operational owner — typically the CISO, head of IT security, or in smaller organisations the IT manager — runs the day-to-day programme, coordinates implementation, and reports up. The functional contributors — DPO, legal, HR, procurement, business continuity manager — own specific controls within their domain. NIS-2 does not require a dedicated “NIS-2 officer” role, but a single named coordinator with management body backing is the practical pattern that works.

What is a “significant incident” under NIS-2?

Article 23 defines a significant incident as one that has caused or is capable of causing severe operational disruption of services or financial loss to the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The Commission Implementing Regulation (EU) 2024/2690 specifies thresholds for digital infrastructure entities — for example, an incident affecting more than 5% of users for more than 1 hour for cloud computing services. For other sectors, the assessment is contextual: severity, duration, geographical spread, number of affected users, and impact on essential services. The practical implication is that you must define thresholds upfront, document who decides, and document the decision when it happens. An incident your team did not classify as significant, but which a regulator later judges to have been significant, is a reporting failure.

Can we use NIS-2 templates from a vendor, or do we need bespoke documentation?

Both approaches are valid; the trap is the third option of generic templates without customisation. A pure bespoke documentation set drafted from scratch by an internal team or consultant takes 3-6 months and €30,000-100,000 in time-cost or fees, depending on entity size. A vendor template kit accelerates that to weeks of customisation work and a fraction of the cost — provided the templates are NIS-2-specific (not generic ISO 27001 repackaged), proportionate to your scope, and customised to your actual operations rather than left in template form. Auditors and regulators accept template-based documentation as long as it reflects how the organisation actually works. They reject documentation that is clearly templated and never adapted: same example servers, same example suppliers, placeholders never replaced. The decision is not template vs bespoke; it is whether the final documentation describes your reality. A good template kit gets you to 80% in days and lets you spend the saved time on the 20% that has to be yours.


Last updated: 11 May 2026.