What Is NIS2? The EU Cybersecurity Directive Explained for Software Vendors

NIS2 is reshaping how enterprise buyers evaluate software vendors across the European Union. If you sell to EU-based organizations — or to companies that operate in the EU — NIS2 compliance requirements will reach you through procurement questionnaires, contractual obligations, and vendor risk assessments, whether or not you are directly subject to the directive yourself.
TL;DR
• NIS2 is an EU cybersecurity directive that member states had to apply from October 2024, replacing the original NIS Directive from 2016
• It covers a much broader set of sectors and organizations than NIS1, including software and digital service providers
• NIS2 imposes specific security requirements, incident reporting obligations, and supply chain risk management duties
• Even vendors not directly subject to NIS2 will face its requirements through their enterprise customers’ procurement processes
• Demonstrating NIS2-aligned security posture in RFP responses and security questionnaires is now a commercial requirement for EU market access
What Is NIS2?
NIS2 — the Network and Information Systems Directive 2 — is a European Union cybersecurity directive that entered into force in January 2023 and required member states to transpose it into national law by October 2024. It replaces the original NIS Directive of 2016 and significantly expands both the scope of organizations covered and the security obligations they must meet.
Unlike a regulation such as GDPR, a directive does not automatically become law in EU member states — each country must implement it through its own national legislation. This means NIS2 requirements vary slightly in how they are enforced across the EU, but the core obligations are consistent: organizations in scope must implement appropriate technical and organizational security measures, report significant incidents within defined timeframes, and manage the security risks posed by their supply chains.
NIS2 is not optional for organizations in scope. Non-compliance exposes entities to significant fines — up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global turnover for important entities — as well as personal liability for senior management.
Which Organizations Does NIS2 Apply To?
NIS2 applies to medium and large organizations operating in sectors designated as either essential or important. The scope is substantially broader than the original NIS Directive, which covered only operators of essential services and a narrow set of digital service providers.
Essential entities under NIS2 include organizations in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (including cloud computing providers, data centers, CDN operators, and DNS service providers), ICT service management, public administration, and space. These entities face the strictest obligations and the highest penalties.
Important entities include organizations in postal and courier services, waste management, manufacture of critical products (chemicals, food, medical devices, electronics), digital providers (online marketplaces, online search engines, social networking platforms), and research organizations. The obligations are similar to essential entities but enforcement intensity differs.
Critically for software vendors, NIS2 explicitly includes managed service providers, managed security service providers, and cloud computing service providers in the essential entities category. If your organization provides IT services, security services, or cloud infrastructure to other businesses in the EU at scale, you are likely directly in scope.
What Are the Core Security Requirements Under NIS2?
NIS2 requires in-scope organizations to implement “all appropriate and proportionate technical, operational, and organizational measures” to manage cybersecurity risks. Article 21 of the directive specifies ten minimum security measures that must be in place.
These measures cover:
• risk analysis and information system security policies
• incident handling
• business continuity, including backup management and disaster recovery
• supply chain security
• security in network and information systems acquisition, development, and maintenance
• policies and procedures to assess the effectiveness of cybersecurity risk management measures
• basic cyber hygiene practices and cybersecurity training
• cryptography and encryption policies
• human resources security, access control policies, and asset management
• the use of multi-factor authentication and secured communications systems
The directive deliberately avoids prescribing specific technical controls, recognizing that appropriate measures vary by sector, organization size, and risk exposure. This outcomes-based approach parallels the structure of frameworks like ISO 27001 and NIST CSF — and organizations that already hold ISO 27001 certification or demonstrate NIST CSF alignment are well-positioned to evidence NIS2 compliance.
What Are the NIS2 Incident Reporting Obligations?
One of the most operationally demanding aspects of NIS2 is its incident reporting timeline. In-scope organizations must notify their national competent authority and, where applicable, their Computer Security Incident Response Team (CSIRT) within strict windows following a significant incident.
Within 24 hours of becoming aware of a significant incident, the organization must submit an early warning to the relevant authority. Within 72 hours, a more detailed incident notification must follow, including an initial assessment of severity and impact. A final report must be submitted within one month, covering a full description of the incident, root cause analysis, mitigation measures applied, and cross-border impact assessment where relevant.
A significant incident is defined as one that has caused or could cause severe operational disruption, financial loss, or damage to other organizations. For software vendors whose products or services are used by many customers, a single security incident could trigger reporting obligations across multiple customers simultaneously — making incident response planning and inter-organizational communication protocols essential preparation.
How Does NIS2 Affect Supply Chain Security for Software Vendors?
Supply chain security is one of the most consequential aspects of NIS2 for software vendors, even those not directly in scope. Article 21 explicitly requires in-scope organizations to address “security in the supply chain including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”
This means that enterprise organizations subject to NIS2 are legally obligated to assess and manage the security risks posed by their vendors. They must verify that their technology suppliers meet appropriate security standards and include security requirements in their supplier contracts. For software vendors selling into NIS2-regulated industries, this obligation flows downstream: buyers will impose NIS2-aligned security requirements on you through their procurement processes, contractual terms, and ongoing vendor assessments.
In practice, this manifests as more rigorous security questionnaires during procurement, contractual security annexes requiring specific control implementations, rights to audit vendor security practices, and mandatory breach notification obligations to customer organizations. Vendors who cannot demonstrate NIS2-compatible security posture will face disqualification from enterprise procurement processes in regulated EU sectors.
How Does NIS2 Relate to ISO 27001 and SOC 2?
NIS2 does not mandate specific certifications, but it acknowledges that organizations may use European and international standards to demonstrate compliance with its requirements. ISO 27001 is the most directly relevant standard — its control framework maps closely to the NIS2 Article 21 security measures, and ISO 27001 certification provides the kind of independently verified evidence that national authorities and enterprise buyers will find credible.
ENISA — the EU Agency for Cybersecurity — has published guidance indicating that ISO 27001 certification, combined with appropriate sector-specific extensions, constitutes a strong foundation for NIS2 compliance. Organizations holding a current ISO 27001 certificate with a scope that covers the relevant systems and services are in a strong position when responding to NIS2-oriented questionnaires.
SOC 2 is less directly mapped to NIS2 than ISO 27001, primarily because SOC 2 is a US-origin standard with different trust service criteria. However, a SOC 2 Type II report provides independent evidence of security control effectiveness that European buyers will recognize as meaningful, particularly for software-as-a-service vendors. Holding both ISO 27001 and SOC 2 Type II provides the most comprehensive evidence base for NIS2-oriented enterprise procurement.
What Does NIS2 Mean for RFP Responses and Security Questionnaires?
For vendors selling to EU enterprise organizations in NIS2-regulated sectors, the directive changes what buyers ask for in procurement and what evidence is required to progress through competitive evaluations. The shift is already visible in RFP requirements and security questionnaire content across financial services, healthcare, energy, and public sector procurement in the EU.
Questions that previously addressed general security best practices are being replaced or supplemented by NIS2-specific requirements: evidence of risk management frameworks, documented incident response plans with the required notification timelines, supply chain security policies, and business continuity programs. Buyers ask not just whether you have these things, but whether they meet the specific outcomes NIS2 requires of their own organizations.
Vendors who can answer these questions precisely — with references to specific policies, certifications, and documented procedures — have a clear advantage over those who provide general assurances. The standard of evidence expected in NIS2-influenced procurement is higher than what passed in pre-NIS2 evaluations. See common security questionnaire questions for examples of how these requirements appear in practice.
How Do NIS2 Requirements Differ Between Essential and Important Entities?
NIS2 creates a two-tier system of obligations based on whether an organization is classified as an essential entity or an important entity. Both tiers must implement the same ten security measures under Article 21, but they differ in the supervisory regime they are subject to and the penalties they face.
Essential entities are subject to proactive supervision — national authorities can conduct regular audits, targeted security assessments, and on-site inspections without waiting for an incident to occur. Maximum fines for essential entities reach €10 million or 2% of global annual turnover, whichever is higher. Senior management can be held personally liable for compliance failures.
Important entities face reactive supervision — authorities typically intervene only following a reported incident or credible evidence of non-compliance. Maximum fines are set at €7 million or 1.4% of global annual turnover. The practical day-to-day compliance obligations are similar, but the supervision intensity and penalty exposure differ meaningfully.
For software vendors trying to understand how NIS2 affects their customers, the classification of the customer determines the urgency and rigor of their vendor security requirements. A bank or hospital subject to NIS2 as an essential entity will impose much stricter vendor security requirements than a logistics company classified as important.
How Does NIS2 Affect Non-EU Software Vendors?
NIS2 has significant extraterritorial implications. Non-EU software vendors that provide services to EU-based organizations in NIS2-regulated sectors are affected through two mechanisms.
First, if a non-EU vendor provides services that qualify as digital infrastructure or ICT service management to EU customers, and meets the size thresholds (50+ employees or €10M+ annual turnover), it may be directly subject to NIS2 as an important or essential entity with obligations to designate an EU representative and register with national authorities.
Second — and more commonly for software vendors — non-EU vendors face NIS2 requirements indirectly through the supply chain obligations of their EU customers. Any EU organization subject to NIS2 that purchases software or services from a non-EU vendor must assess and manage the security risk that vendor represents. This assessment will be conducted through security questionnaires, contractual security clauses, and potentially audit rights — all of which require the non-EU vendor to demonstrate NIS2-compatible security practices regardless of their own direct regulatory exposure.
What Steps Should Software Vendors Take to Prepare for NIS2-Influenced Procurement?
Preparation for NIS2-influenced enterprise procurement follows a clear sequence. The goal is to build a documented, evidence-backed security posture that can be presented credibly in procurement evaluations without requiring bespoke effort for each bid.
Start with a gap assessment against the NIS2 Article 21 requirements. Map your current security controls to each of the ten specified measures and identify where documentation is absent, where controls are informal, or where independent verification is lacking. This assessment will surface both genuine security gaps and documentation gaps — both of which need to be addressed before NIS2-oriented procurement questionnaires arrive.
Prioritize ISO 27001 certification if you do not already hold it. It is the single credential most directly valued by EU enterprise buyers evaluating NIS2 compliance, and it provides the governance structure needed to maintain the policy and control documentation that NIS2 requires on an ongoing basis.
Build a governed response library for NIS2-oriented questions. The same questions about incident response timelines, supply chain security policies, business continuity, and access control will appear repeatedly across procurement processes. Pre-approved answers, kept current with your actual posture and reviewed quarterly, enable faster and more consistent responses across all bids.
For teams managing high volumes of RFP responses and the NIS2-oriented security questionnaires that now accompany enterprise procurement in the EU, Steerlab.ai automates the generation of security and compliance answers from your approved content library — so your team responds to NIS2-mapped questions accurately and consistently without rebuilding answers from scratch for every bid.
Frequently Asked Questions
What is NIS2 in simple terms?
NIS2 is an EU law that requires organizations in critical sectors — energy, banking, healthcare, digital infrastructure, and others — to implement strong cybersecurity measures, report security incidents quickly, and manage the security risks posed by their technology suppliers. It replaced the original NIS Directive in October 2024 and covers a much wider range of organizations. For software vendors, it matters because their EU customers must now assess and control vendor security as part of their own legal obligations.
Does NIS2 apply to software vendors outside the EU?
Possibly directly, and almost certainly indirectly. Non-EU vendors that provide digital services to EU organizations at scale may be directly subject to NIS2 and required to designate an EU representative. Even vendors outside direct scope face NIS2 requirements indirectly: EU organizations subject to NIS2 must assess the security of their supply chain, which means imposing NIS2-aligned requirements on their software vendors through procurement questionnaires and contractual security obligations.
What is the difference between NIS2 essential and important entities?
Both categories must implement the same security measures under NIS2, but they differ in how they are supervised and the penalties they face. Essential entities — in sectors like energy, banking, health, and digital infrastructure — face proactive supervision, including regular audits, and fines up to €10 million or 2% of global turnover. Important entities face reactive supervision and lower fines of up to €7 million or 1.4% of global turnover. Software vendors selling to essential entities will face more rigorous procurement security requirements.
How does NIS2 relate to GDPR?
NIS2 and GDPR are complementary but separate regulatory frameworks. GDPR governs the processing of personal data and applies to any organization handling EU residents' personal data. NIS2 governs cybersecurity risk management for critical infrastructure and digital services and applies to organizations operating in designated sectors. Many organizations are subject to both. A cybersecurity incident that triggers NIS2 reporting obligations may also trigger GDPR breach notification requirements — the 72-hour incident notification window in NIS2 mirrors GDPR’s 72-hour breach notification timeline to data protection authorities.
Is there software that helps vendors respond to NIS2 security questionnaires?
Yes. As NIS2-aligned security questionnaires become standard in EU enterprise procurement, purpose-built response automation tools help vendors manage the volume and consistency of these requirements. Steerlab.ai automates the generation of answers to security and compliance questions — including NIS2-mapped questions on incident response, supply chain security, business continuity, and access controls — from a governed content library. This allows security and compliance teams to review and approve responses rather than draft them under deadline pressure.
What is the NIS2 incident reporting timeline?
NIS2 requires a three-stage reporting process for significant incidents. An early warning must be submitted to the national competent authority within 24 hours of becoming aware of the incident. A detailed incident notification — including initial severity assessment and impact analysis — must follow within 72 hours. A final report covering root cause, mitigation measures, and cross-border impact must be submitted within one month. Software vendors whose products are involved in a customer’s significant incident may need to support their customers through this reporting process.
How can a software vendor demonstrate NIS2 compliance in an RFP?
The strongest evidence for NIS2-aligned security posture in an RFP response combines independently verified certifications with documented policies and procedures. ISO 27001 certification is the most directly relevant credential. A current SOC 2 Type II report provides additional independent assurance of control effectiveness. Beyond certifications, evaluators look for documented incident response plans that meet NIS2’s notification timelines, supply chain security policies, business continuity programs, and evidence of regular risk assessments. Self-declarations without supporting documentation carry limited weight in NIS2-influenced enterprise procurement.
