Reference · 6 answers
Frequently asked, plainly answered.
NIS2 (Directive (EU) 2022/2555) entered into force on 16 January 2023. Member States had to transpose it into national law by 17 October 2024, and its obligations apply from 18 October 2024. National enforcement varies by country (some transposition laws arrived late), but the substantive obligations apply now to in-scope entities.
Essential entities operate in the highest-criticality sectors (energy, transport, banking, health, central public administration, and others above the size thresholds) and are subject to both ex-ante and ex-post supervision. Important entities are subject to ex-post supervision only, but face the same baseline risk-management obligations under Article 21.
Generally NIS2 applies to medium and large entities (50 or more employees, or annual turnover or balance sheet above €10M) in covered sectors. Some entities are in scope regardless of size, including DNS service providers, TLD name registries, qualified trust service providers, and public electronic communications providers, as well as entities that are the sole provider of a critical service in a Member State.
Up to €10M or 2% of worldwide annual turnover for essential entities, whichever is higher. Up to €7M or 1.4% for important entities, whichever is higher. Under Article 20, management bodies must approve and oversee the risk-management measures and can be held personally liable for infringements; authorities can also temporarily bar responsible individuals from management functions in essential entities.
No: NIS2 does not require every incident to be reported. Only significant incidents must be notified, meaning those that have caused or are capable of causing severe operational disruption or financial loss for the entity, or that have affected or could affect other natural or legal persons by causing considerable material or non-material damage. For those, the clock is short: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month.
They overlap but cover different angles. GDPR protects personal data. DORA targets the financial sector specifically and, where it applies, takes precedence over NIS2 as sector-specific law. CRA covers products with digital elements. NIS2 sets the baseline cybersecurity obligations for in-scope organisations across the 18 sectors listed in its Annexes I and II.
Action · Run the checklist
Ready to put numbers on this?
Take the 21-point assessment. Score in two minutes. Walk away with a prioritised action plan ready to share with your board.