What Is NIS2? The EU Cybersecurity Directive Explained for Software Vendors

May 5, 2026
Mathieu Gaillarde

NIS2 is the EU’s most significant cybersecurity legislation in a decade, and it is already affecting how European enterprises evaluate their software vendors. If you sell to organizations in the EU — or to companies that operate there — NIS2 is not a distant regulatory concern. It is a procurement reality shaping the security requirements that end up in vendor questionnaires and RFP compliance sections today.

TL;DR
• NIS2 is an EU directive that significantly expands cybersecurity obligations across critical sectors and their supply chains
• It applies to medium and large organizations in 18 sectors — and indirectly to the software vendors they rely on
• Key obligations include risk management, supply chain security, incident reporting, and board-level accountability
• Software vendors that are not directly in scope still face NIS2 requirements through their customers’ supply chain due diligence
• Compliance evidence — SOC 2, ISO 27001, DORA alignment — increasingly appears as a vendor qualification criterion in EU enterprise procurement

What Is NIS2?

NIS2 — the Network and Information Security Directive 2 — is an EU directive that establishes a common, high level of cybersecurity across the European Union. It replaced the original NIS Directive in January 2023 and required EU member states to transpose it into national law by October 2024. NIS2 substantially expands the scope, obligations, and enforcement mechanisms of its predecessor, addressing the gaps that had emerged as cyber threats evolved and as the original directive was applied inconsistently across member states.

The directive is legally binding on EU member states, which must implement it through national legislation. The specific national laws vary in their detail — Germany’s NIS2UmsuCG, France’s transposition through ANSSI, and other member state implementations introduce local nuance — but the core obligations are common across the EU. For software vendors selling to EU enterprises, understanding the directive itself is the starting point, with national implementation adding specificity for particular markets.

NIS2’s fundamental logic is that cybersecurity is a shared responsibility across entire supply chains, not just the organizations that face the most obvious risks. This is why software vendors that are not themselves in scope as “essential” or “important” entities under NIS2 still encounter the directive’s requirements through the security due diligence that their NIS2-regulated customers perform on them.

Who Does NIS2 Apply To?

NIS2 applies to medium and large organizations operating in 18 sectors across the EU, divided into two tiers: essential entities and important entities. The distinction affects supervision intensity and penalty levels more than the substantive obligations, which are broadly similar for both categories.

Essential entities include operators in energy (electricity, oil, gas, heating, hydrogen), transport (air, rail, water, road), banking and financial market infrastructure, health (hospitals, reference labs, pharmaceutical manufacturers), drinking water, wastewater, digital infrastructure (internet exchange points, DNS providers, TLD registries, cloud providers, data centers, CDNs, trust service providers, electronic communications networks), ICT service management (managed service providers and managed security service providers), public administration, and space.

Important entities include postal and courier services, waste management, manufacture of critical products (chemicals, food, medical devices, computers and electronics, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), and research organizations.

The thresholds are medium enterprises (50+ employees or €10M+ annual turnover) and large enterprises (250+ employees or €50M+ annual turnover). Smaller organizations are generally out of scope unless they are in specific high-risk categories. Some sectors — such as DNS providers, TLD registries, and trust service providers — are covered regardless of size.

Software vendors that are not in these sectors are not directly subject to NIS2. But if your customers are essential or important entities, they are subject to NIS2’s supply chain security requirements — and they will pass those requirements to you through contractual obligations and vendor security assessments.

What Are the Core NIS2 Obligations?

NIS2 imposes obligations across four main areas: risk management measures, supply chain security, incident reporting, and governance and accountability. Each area has direct implications for how in-scope organizations manage their technology vendors.

Risk management measures require essential and important entities to implement appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of their network and information systems. NIS2 Article 21 specifies minimum measures including policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition, development and maintenance, policies and procedures to assess the effectiveness of cybersecurity measures, basic cyber hygiene practices and cybersecurity training, cryptography policies, human resources security, access control policies, and asset management.

Supply chain security is where NIS2 most directly affects software vendors. Article 21 explicitly requires organizations to address security in their supply chains, including the security-related aspects of relationships between each entity and its direct suppliers or service providers. This means that NIS2-regulated organizations must assess their software vendors’ security practices and ensure that their vendor relationships do not introduce unacceptable risk. Vendor security questionnaires and contractual security requirements flowing from NIS2-regulated customers are a direct consequence of this obligation.

Incident reporting requires organizations to report significant incidents to their national computer security incident response team (CSIRT) or competent authority within defined timelines: an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours, and a final report within one month. For software vendors, understanding these timelines matters because your own breach notification obligations to your NIS2-regulated customers will need to align with their reporting deadlines.

Governance and accountability require management bodies of essential and important entities to approve cybersecurity risk management measures, oversee their implementation, and be liable for infringements. Board members and senior management can be held personally liable for NIS2 violations. This is a significant escalation from the original NIS Directive and has driven board-level attention to cybersecurity across EU enterprises in a way that cascades into their vendor selection criteria.

What Are the NIS2 Penalties?

NIS2 introduced substantially higher penalties than its predecessor, designed to make non-compliance economically irrational. The penalty structure is modelled on GDPR in its scale and approach.

For essential entities, maximum administrative fines are at least €10 million or 2% of total global annual turnover, whichever is higher. For important entities, the maximum is at least €7 million or 1.4% of total global annual turnover, whichever is higher. Member states can impose higher maximums in their national transposition, and several have done so.

Beyond financial penalties, national competent authorities can impose temporary suspensions of management functions for senior managers found personally liable, publication of infringements, and binding instructions to implement specific security measures. The combination of organizational and personal liability has made NIS2 compliance a board-level priority in a way that procurement-facing compliance frameworks rarely achieve.

How Does NIS2 Affect Software Vendors Not Directly in Scope?

The supply chain security obligation in NIS2 Article 21 creates a compliance cascade that reaches software vendors regardless of whether they are themselves essential or important entities. When a regulated customer is required to assess and manage supply chain risk, that requirement manifests as vendor security questionnaires, contractual security clauses, and minimum compliance standards imposed on software providers.

In practice, this means that software vendors selling to EU enterprises in regulated sectors are already encountering NIS2-derived requirements in their commercial relationships. Customers are asking vendors to complete security assessments that cover NIS2-relevant domains: risk management policies, access controls, incident response and notification procedures, business continuity, encryption, and vulnerability management. They are also including NIS2-aligned security requirements in their vendor contracts, requiring vendors to maintain specific security standards as conditions of the commercial relationship.

Vendors who cannot demonstrate adequate security practices through documentation, certifications, or third-party attestations are increasingly being disqualified from EU enterprise procurement processes — not because they violate NIS2 directly, but because they introduce supply chain risk that their customers cannot accept under NIS2’s governance requirements. The reasons enterprises send security questionnaires have become more consequential under NIS2, with regulatory accountability creating genuine downstream pressure.

What Is the Relationship Between NIS2 and ISO 27001?

ISO 27001 is the most directly relevant existing certification for demonstrating NIS2 alignment. The European Union Agency for Cybersecurity (ENISA) has published guidance noting that ISO 27001 certification provides a strong foundation for NIS2 compliance, and several member state implementations explicitly reference ISO 27001 as an accepted means of demonstrating compliance with specific technical and organizational requirements.

ISO 27001’s information security management system (ISMS) framework covers the risk analysis, access control, incident management, business continuity, and supplier security domains that NIS2 requires. An organization with a current ISO 27001 certification has documented and audited controls across most of NIS2’s Article 21 requirements. It does not constitute automatic NIS2 compliance — NIS2’s incident reporting timelines, governance requirements, and sector-specific obligations go beyond what ISO 27001 addresses — but it is the single most useful certification for a software vendor seeking to satisfy NIS2-aligned customer due diligence.

For software vendors without ISO 27001, the combination of a SOC 2 Type II report and documented NIS2-relevant policies provides a credible alternative evidence package. European enterprise buyers, however, increasingly prefer ISO 27001 certification over SOC 2 as their primary vendor security evidence, reflecting the standard’s greater familiarity and regulatory recognition in European markets.

How Does NIS2 Relate to DORA for Financial Sector Vendors?

Software vendors selling to financial institutions in the EU face not only NIS2 but also DORA — the Digital Operational Resilience Act — which entered into application in January 2025. DORA imposes specific operational resilience requirements on financial entities and their critical ICT third-party service providers, with obligations that go significantly beyond NIS2 for the financial sector.

Under DORA, financial entities must ensure their ICT third-party providers meet contractual security requirements, undergo testing and audit obligations, and comply with specific incident reporting and business continuity standards. Critical ICT third-party providers — cloud providers, data analytics services, software vendors with systemic importance to the financial sector — are subject to direct oversight by EU financial regulators including the EBA, EIOPA, and ESMA.

For software vendors selling to banks, insurers, investment firms, and payment service providers in the EU, DORA represents a more demanding compliance environment than NIS2 alone. The security questionnaires and contractual requirements from financial sector customers will increasingly reflect DORA’s specific provisions alongside NIS2’s general obligations.

What Security Evidence Do EU Enterprise Buyers Ask For Under NIS2?

EU enterprise buyers who are NIS2-regulated are asking their software vendors for security evidence that maps to the supply chain security obligations they face. Understanding what they request helps vendors prepare an evidence package that accelerates procurement rather than creating delays.

The most commonly requested documents are ISO 27001 certificates (with the certificate date, scope, and certifying body), SOC 2 Type II reports shared under NDA, penetration test results from accredited assessors, and completed security questionnaires covering NIS2-relevant domains. Some enterprise buyers are beginning to issue NIS2-specific vendor questionnaires that explicitly reference Article 21 requirements — asking vendors to map their controls to each of the minimum security measures specified in the directive.

Beyond documentation, buyers are requesting contractual security commitments: incident notification timelines that align with NIS2’s 24-hour early warning and 72-hour notification requirements, data processing agreements that address NIS2-relevant security obligations, and audit rights that allow the buyer to verify security compliance during the contract term. For specific examples of the questions appearing in these assessments, see common security questionnaire questions.

How Should Software Vendors Prepare for NIS2-Driven Customer Requirements?

Preparation for NIS2-driven vendor requirements follows the same logic as preparation for any enterprise security due diligence: documentation, certification, and process readiness. The NIS2 context adds urgency and specificity to this preparation for vendors with significant EU customer exposure.

The first priority is certification. ISO 27001 is the most recognized credential in EU enterprise security evaluations. If your organization does not hold ISO 27001, the roadmap to certification typically runs six to eighteen months depending on your starting security posture — a timeline that makes starting now relevant for vendors who expect NIS2-related procurement requirements to intensify over the next two to three years.

The second priority is documentation of NIS2-relevant controls. Even without ISO 27001, a vendor can prepare a structured evidence package mapping their security practices to NIS2 Article 21 requirements: risk management policy, incident response plan with defined notification timelines, business continuity and disaster recovery plans, supply chain security policy, access control and encryption policies, and vulnerability management procedures.

The third priority is contractual readiness. Review your standard contract templates for incident notification timelines, security obligation language, and audit rights. Ensure that your notification commitments are achievable given your actual incident detection and response capabilities — committing to notify customers within 24 hours of a significant incident is meaningless without the detection and escalation processes to identify significant incidents within that window.

How Do NIS2 Requirements Appear in RFP and Procurement Processes?

NIS2-related requirements are becoming increasingly visible in RFP and vendor evaluation processes for EU enterprise buyers. The manifestation varies by sector, buyer maturity, and how far along national NIS2 transposition has progressed, but the direction is consistent: security compliance is becoming a qualification threshold rather than a scored criterion.

In the most advanced implementations, EU enterprise buyers are including NIS2-specific sections in their security questionnaires and DDQs, asking vendors to confirm alignment with each Article 21 minimum measure, provide evidence of supply chain security practices, and disclose their own significant incident history. Vendors who cannot provide specific, documented answers to these questions face disqualification from opportunities where they might otherwise be competitive.

For bid managers and proposal teams at software vendors with EU customer exposure, the operational implication is that NIS2-related security content needs to be part of the approved response library — ready to deploy in RFP responses and security questionnaires without requiring security team escalation for every submission.

For teams managing high volumes of security questionnaires and RFP responses that include NIS2-related compliance sections, Steerlab.ai automates the generation of responses from your approved content library — ensuring that your NIS2-aligned answers are accurate, consistent, and deployed from a governed source rather than reconstructed under deadline pressure.

Frequently Asked Questions

What does NIS2 stand for?

NIS2 stands for Network and Information Security Directive 2. It is the second iteration of the EU’s foundational cybersecurity directive, replacing the original NIS Directive that was adopted in 2016. NIS2 was formally adopted in December 2022, entered into force in January 2023, and required transposition into national law by EU member states by October 17, 2024.

Does NIS2 apply to software vendors outside the EU?

NIS2 applies to organizations offering services in the EU, regardless of where they are established. An organization based outside the EU that provides services to essential or important entities within the EU may be required to designate a representative in the EU and may be subject to NIS2 obligations. More practically, software vendors anywhere in the world who sell to NIS2-regulated EU enterprises will encounter NIS2-derived requirements through their customers’ supply chain security obligations, regardless of whether the vendor is directly in scope.

What is the difference between NIS2 essential and important entities?

Essential entities are subject to proactive, ex ante supervision by national competent authorities — meaning regulators can audit and assess them without waiting for an incident. Important entities are subject to reactive, ex post supervision — meaning regulatory action is typically triggered by a complaint or incident rather than proactive audit. Maximum penalty levels are also higher for essential entities. The substantive security obligations under Article 21 are substantially the same for both categories.

How is NIS2 different from GDPR?

GDPR focuses on the protection of personal data and applies to any organization that processes EU residents’ personal data. NIS2 focuses on the cybersecurity of network and information systems and applies to organizations in specific sectors above a size threshold. The two frameworks overlap: a cybersecurity incident that causes a personal data breach triggers obligations under both NIS2 (incident reporting to the CSIRT) and GDPR (breach notification to the supervisory authority and affected individuals). Organizations in NIS2-regulated sectors that also process personal data must manage obligations under both frameworks simultaneously.

Is ISO 27001 certification sufficient for NIS2 compliance?

ISO 27001 certification is the strongest single credential for demonstrating alignment with NIS2’s technical and organizational security requirements, and ENISA has acknowledged its relevance. However, ISO 27001 alone does not constitute NIS2 compliance. NIS2 adds obligations that go beyond ISO 27001’s scope: specific incident reporting timelines to national authorities, board-level governance and personal liability requirements, and sector-specific obligations. Organizations need ISO 27001 as a foundation plus additional measures addressing NIS2’s specific requirements.

Is there software that helps vendors answer NIS2-related security questionnaires?

Yes. As NIS2-derived requirements increasingly appear in enterprise security questionnaires and RFP compliance sections, response automation platforms help vendors maintain a governed library of approved answers covering NIS2-relevant domains. Steerlab.ai automates the generation of security questionnaire responses from your approved content library — so your team can respond quickly and consistently to NIS2-aligned vendor assessments without rebuilding answers for each submission.

When did NIS2 come into effect?

NIS2 entered into force on January 16, 2023, after publication in the EU Official Journal. The deadline for EU member states to transpose it into national law was October 17, 2024. Member state transposition has progressed at different rates — some countries enacted their national implementing legislation by the deadline, others are still completing transposition. The practical effect is that NIS2 obligations are now in force across most EU member states, though the specific implementing rules vary by country.
