Compliance · 2026-02-28 · 9 min read

Anaelle Guez, Co-founder & CEO, Compliance

NIS2 Compliance Guide: What Every EU Business Must Know

NIS2 is the most significant expansion of cybersecurity obligations in EU history. It applies to an estimated 160,000+ organizations across 18 critical sectors, and introduces personal liability for executives.

Who does NIS2 apply to?

NIS2 divides organizations into "essential" and "important" entities across 18 sectors including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and space. Medium and large organizations in these sectors are automatically in scope. The key change from NIS1: the scope is dramatically wider, covering an estimated 160,000+ entities across the EU.

Key figures at a glance:

  • 18 sectors
  • 160K+ entities in scope
  • €10M maximum fine
  • 24h incident reporting deadline

Key NIS2 requirements

  1. Risk management measures: implement cybersecurity policies covering incident handling, business continuity, and supply chain security
  2. Incident reporting: notify authorities within 24 hours of significant incidents, with a full report within 72 hours
  3. Supply chain security: assess and manage risks from direct suppliers and service providers
  4. Management accountability: senior management must approve and oversee cybersecurity risk management

Penalties and executive liability

NIS2 penalties reach €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities. Critically, NIS2 introduces personal liability for management bodies. Senior executives can be held individually responsible for compliance failures and may face temporary bans from exercising managerial functions.

Frequently asked questions

What is NIS2 and who does it apply to?

NIS2 (Network and Information Security Directive 2) is an EU directive that sets cybersecurity risk management and incident reporting obligations for organizations across 18 critical sectors, including energy, transport, health, digital infrastructure, ICT service management, and digital providers. It applies to "essential" and "important" entities based on sector and size, covering an estimated 160,000+ organizations across the EU.

What are the penalties for NIS2 non-compliance?

Penalties under NIS2 are significant: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. NIS2 also introduces personal liability for management. Senior executives can be held individually responsible for compliance failures.
