NIS2 Compliance for Tech Companies

The NIS2 Directive (Directive (EU) 2022/2555) entered into force in January 2023 with a transposition deadline of October 17, 2024. As of 2026, most EU member states have transposed NIS2 into national law and enforcement is active. NIS2 substantially expands the scope of EU cybersecurity regulation compared to its predecessor, the original NIS Directive: more sectors, a size-based scope test instead of member-state designation, and harmonised reporting deadlines and penalties.

For tech companies operating in the EU, NIS2 may apply alongside GDPR. This page covers who is in scope, what NIS2 requires, and how it interacts with privacy compliance.

Does NIS2 apply to you

NIS2 applies to entities that are at least medium-sized and operate in one of the 18 sectors listed in its two annexes. Which annex an entity falls under, together with its size, determines whether it is an "essential" or an "important" entity (Article 3): large entities in Annex I sectors are essential; medium-sized Annex I entities and all in-scope Annex II entities are important. A few entity types are in scope regardless of size, including DNS service providers, top-level domain name registries, qualified trust service providers, and providers of public electronic communications networks or services.

Annex I sectors (sectors of high criticality):

Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (including cloud computing service providers, data center service providers, content delivery networks, DNS and TLD registries, trust service providers, and electronic communications), ICT service management (business-to-business managed service providers and managed security service providers), public administration, space.

Annex II sectors (other critical sectors):

Postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing of specific products (for example medical devices, computers and electronics, machinery, motor vehicles), digital providers (online marketplaces, online search engines, social networking platforms), research.

Size thresholds follow Commission Recommendation 2003/361/EC. An entity is medium-sized if it has 50 or more employees, or annual turnover and balance sheet total both above 10 million euros. It is large if it has 250 or more employees, or annual turnover above 50 million euros and balance sheet total above 43 million euros. Employees and financials of linked and partner enterprises count toward these thresholds under the Recommendation, so a subsidiary cannot rely on its own headcount alone.

For most tech companies, the relevant sectors are digital infrastructure (cloud providers, data centers, CDNs) in Annex I and digital providers (marketplaces, search, social) in Annex II. Do not assume a SaaS product is out of scope: the NIS2 definition of a cloud computing service is service-model neutral, and recital 33 names IaaS, PaaS, and SaaS as covered models, so a medium or large SaaS provider should assess itself as a potential digital infrastructure entity. Companies that operate customers' infrastructure or security on their behalf (managed service providers, managed security service providers) are covered separately under ICT service management.

What NIS2 requires

NIS2 requires entities to implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Article 21 lists specific measures including:

  • Policies on risk analysis and information system security

  • Incident handling

  • Business continuity, including backup management, disaster recovery, and crisis management

  • Supply chain security

  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure

  • Policies and procedures to assess effectiveness of cybersecurity risk management measures

  • Basic cyber hygiene practices and cybersecurity training

  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption

  • Human resources security, access control policies, and asset management

  • Use of multi-factor authentication or continuous authentication solutions

  • Secured voice, video, and text communications

  • Secured emergency communication systems within the entity

Incident reporting

Significant incidents must be reported to the national CSIRT or competent authority in stages (Article 23):

  • Early warning: within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact

  • Incident notification: within 72 hours of becoming aware, with an initial assessment of severity, impact, and indicators of compromise where available

  • Final report: within one month of submitting the incident notification, with a detailed description, root cause, mitigations applied, and cross-border impact; if the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of handling the incident

The authority may also request intermediate status updates while the incident is being handled.

An incident is significant when it has caused, or is capable of causing, severe operational disruption of the services or financial loss for the entity, or has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Note the "capable of" test: the clock can start before damage has actually materialised.

Management body accountability

NIS2 introduces specific accountability for management bodies (the board, executive management). Article 20 requires management bodies to approve cybersecurity risk management measures, oversee implementation, and complete cybersecurity training.

Management body members may be held personally liable for breaches of NIS2 obligations.

Penalties

For essential entities: maximum administrative fines of at least 10 million euros or 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.

For important entities: maximum administrative fines of at least 7 million euros or 1.4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.

For essential entities, supervisory authorities can also temporarily suspend certifications or authorisations for the relevant services and temporarily prohibit individuals with management responsibilities (at CEO or legal representative level) from exercising those functions until the breach is remedied.

How NIS2 differs from GDPR

NIS2 and GDPR are separate frameworks with different scopes:

NIS2 regulates cybersecurity of essential and important entities in specific sectors. GDPR regulates personal data processing across all sectors.

NIS2 incident reporting covers significant cybersecurity incidents whether or not personal data is involved. GDPR breach notification (Article 33) covers personal data breaches specifically, with its own 72-hour clock to the supervisory authority that runs from awareness of the breach. The two clocks start independently and one incident can trigger both.

NIS2 imposes specific management body accountability that GDPR does not.

NIS2 lists specific categories of cybersecurity measures in Article 21. GDPR Article 32 requires "appropriate technical and organisational measures" in general terms without the same prescriptive detail.

GDPR has broader extra-territorial reach, applying to any controller or processor that offers goods or services to, or monitors, people in the EU. NIS2 applies to entities that provide services or carry out activities within the EU; non-EU providers of certain services (for example DNS, cloud computing, data center, CDN, managed service, and digital provider services) must designate an EU representative under Article 26.

Where NIS2 and GDPR overlap

The overlap is primarily in security controls. Both require:

  • Risk-based security measures

  • Incident detection, response, and reporting capability

  • Supply chain risk management

  • Training and awareness

  • Access controls and encryption

Operationally, most in-scope companies handle NIS2 and GDPR through:

  • Combined cybersecurity and privacy risk management.

  • Coordinated incident response covering both NIS2 cybersecurity incidents and GDPR personal data breaches.

  • Integrated vendor risk management addressing both NIS2 supply chain security and GDPR processor obligations.

  • Joint management body reporting on cybersecurity and privacy posture.
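The coordinated incident response described above, and the staged NIS2 reporting timeline earlier on this page, are easier to get right when the two notification clocks are computed from one incident record rather than tracked by hand. The following is an added example written for this page, not Engage Compliance's tooling and not any regulator's reference implementation. It takes the NIS2 deadlines from Article 23 (early warning 24 hours and incident notification 72 hours after awareness; final report one month after the notification is submitted) and the GDPR Article 33 deadline (72 hours after awareness) as given, and makes two assumptions that are labelled in the code: if the NIS2 notification has not been filed yet, the final report is projected from the 72-hour deadline, and the significance test only mirrors the structure of Article 23(3), with the yes/no inputs decided by the incident handler because the thresholds for "severe" and "considerable" are entity-specific. The incident data is constructed for illustration.

```python
"""Joint NIS2 / GDPR notification schedule for a single incident.

Added example for this page; not Engage Compliance's or any regulator's code.
Deadlines encoded:
  NIS2 Art. 23: early warning 24h and incident notification 72h after awareness;
                final report one month after the notification is submitted.
  GDPR Art. 33: supervisory authority within 72h of awareness.
  GDPR Art. 34: data subjects "without undue delay" when high risk (no fixed clock).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so callers can build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class Incident:
    aware_at: datetime                      # when the entity became aware (both clocks start here)
    nis2_in_scope: bool                     # entity is essential or important under NIS2
    severe_disruption_or_loss: bool         # Art. 23(3)(a): caused or capable of causing
    considerable_damage_to_others: bool     # Art. 23(3)(b): caused or capable of causing
    personal_data_affected: bool            # triggers the GDPR Art. 33 analysis
    high_risk_to_data_subjects: bool = False  # GDPR Art. 34 communication
    notification_filed_at: datetime | None = None  # when the 72h NIS2 notification actually went out


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition that clamps to the last day of the target month
    (31 January + 1 month -> 28/29 February), since 'one month' is a calendar term."""
    year, month = (t.year, t.month + 1) if t.month < 12 else (t.year + 1, 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


def nis2_significant(inc: Incident) -> bool:
    """Structure of Art. 23(3): either limb makes the incident significant.
    Assumption: the limb decisions are made upstream by the incident handler."""
    return inc.nis2_in_scope and (inc.severe_disruption_or_loss or inc.considerable_damage_to_others)


def notification_schedule(inc: Incident) -> list[dict]:
    """Return every notification obligation for the incident, earliest deadline first.
    An obligation with due=None has no fixed statutory clock."""
    obligations: list[dict] = []
    if nis2_significant(inc):
        obligations.append({"regime": "NIS2", "action": "early warning to CSIRT/competent authority (Art. 23(4)(a))",
                            "due": inc.aware_at + timedelta(hours=24)})
        obligations.append({"regime": "NIS2", "action": "incident notification with initial assessment (Art. 23(4)(b))",
                            "due": inc.aware_at + timedelta(hours=72)})
        # The final-report clock runs from the notification's submission. Assumption: if it
        # has not been filed yet, project from the 72h deadline; filing earlier brings it forward.
        filed = inc.notification_filed_at or inc.aware_at + timedelta(hours=72)
        obligations.append({"regime": "NIS2", "action": "final report (Art. 23(4)(d))", "due": add_one_month(filed)})
    if inc.personal_data_affected:
        obligations.append({"regime": "GDPR", "action": "supervisory authority notification (Art. 33), "
                                                        "unless the breach is unlikely to result in risk",
                            "due": inc.aware_at + timedelta(hours=72)})
        if inc.high_risk_to_data_subjects:
            obligations.append({"regime": "GDPR", "action": "communicate to data subjects without undue delay (Art. 34)",
                                "due": None})
    # Fixed deadlines first in time order; open-ended obligations last. sort() is stable,
    # so NIS2 stays ahead of GDPR when both fall at the same 72h mark.
    obligations.sort(key=lambda o: (o["due"] is None, o["due"] or inc.aware_at))
    return obligations


def overdue(inc: Incident, now: datetime) -> list[str]:
    """Obligations whose fixed deadline has already passed at `now` (a SOAR-style check)."""
    return [f"{o['regime']}: {o['action']}" for o in notification_schedule(inc)
            if o["due"] is not None and now > o["due"]]


# Constructed incident: a cloud provider's control plane outage that also exposed tenant data.
SAMPLE = Incident(
    aware_at=utc(2026, 1, 28, 10),
    nis2_in_scope=True,
    severe_disruption_or_loss=True,
    considerable_damage_to_others=False,
    personal_data_affected=True,
    high_risk_to_data_subjects=True,
)

if __name__ == "__main__":
    for o in notification_schedule(SAMPLE):
        when = o["due"].isoformat() if o["due"] else "no fixed deadline"
        print(f"{when:25}  {o['regime']:4}  {o['action']}")
    print("overdue now:", overdue(SAMPLE, utc(2026, 1, 30)))
```

For the sample incident the schedule is: NIS2 early warning on 29 January 10:00 UTC, NIS2 incident notification and GDPR Article 33 notification both on 31 January 10:00 UTC, NIS2 final report on 28 February 10:00 UTC (one calendar month after a notification filed at the 72-hour mark, clamped because February 2026 has 28 days), and the Article 34 communication with no fixed clock. Running `overdue` at midnight on 30 January returns only the early warning. Record `notification_filed_at` as soon as the 72-hour notification goes out, because the final-report deadline moves with it.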

How Engage Compliance helps

For clients in scope of NIS2 (typically cloud providers, data centers, CDNs, and certain digital providers), we provide GDPR compliance and coordinate with NIS2 cybersecurity work. Specific support includes:

  • GDPR compliance for processing of customer and end-user personal data.

  • Coordination between GDPR breach notification and NIS2 incident reporting where incidents affect both.

  • Vendor and sub-processor management coordinated with NIS2 supply chain security requirements.

  • DPA template updates to reflect coordinated security requirements.

  • Management body reporting that addresses both privacy and cybersecurity posture.

For specialist NIS2 cybersecurity implementation, we coordinate with cybersecurity consultancies and managed security service providers.

Get started

If you are a tech company evaluating NIS2 alongside GDPR, book a consultation.