What is NIS2?
6 min · June 2026 · Kardu Team
TL;DR: NIS2 is the European directive that requires critical sectors to demonstrate active cybersecurity. If your company supplies any of them, it already affects you even if you're not on the list: your clients will ask for security evidence before renewing or signing contracts.
What exactly is NIS2?
NIS2 is Directive (EU) 2022/2555 of the European Parliament and Council, in force since January 2023. It is the update to the original 2016 NIS Directive and represents the most ambitious cybersecurity framework the European Union has passed.
Its goal is clear: companies in critical sectors can no longer claim they "didn't know" they had to protect themselves. NIS2 requires active, documented and demonstrable security measures, not just declared ones.
Maximum penalties reach 10 million euros or 2% of global turnover for essential entities.
Which companies does NIS2 directly oblige?
NIS2 applies to companies that meet two conditions: operating in a regulated sector and exceeding at least one of these size thresholds:
- More than 50 employees, or
- More than 10 million euros in annual turnover
Sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space.
Micro-enterprises are excluded unless they are sole providers of a critical service to a member state.
Why does NIS2 affect your company even if you're not on the list?
This is the point most SMEs miss.
NIS2 requires directly regulated entities to manage the security risks of their entire supply chain. Article 21 explicitly includes supplier and subcontractor security as one of the minimum required measures.
In practice, this works as follows: if you sell software, cloud services, IT consultancy or any service with access to the systems or data of a NIS2 company, that company has a legal obligation to assess your security before contracting you and on an ongoing basis.
As El Español reported in February 2026, companies that focus on their internal perimeter "play on an interconnected board": the security perimeter of an organisation no longer ends at its own systems, but at those of its suppliers.
The European Commission has gone further: in 2025 it proposed the Cybersecurity Act 2, which includes new certification rules for digital products and services in the supply chain. The regulatory trend is clear: more pressure on suppliers, not less.
How much of NIS2 does implementing ISO 27001 cover?
This is the key question for any company that wants to prepare efficiently.
According to Kardu's internal control mapping (2026), the 93 controls of ISO 27001:2022 cover 76.3% of NIS2 requirements. That means implementing ISO 27001 correctly leaves you with just under a quarter of NIS2 requirements still to cover.
Coverage is higher than typical industry estimates (around 60-70%) because Kardu maps against ISO 27001:2022, which incorporated digital resilience controls absent from the 2013 version.
For context, ISO 27001:2022 coverage across other frameworks:
| Framework | Coverage |
|---|---|
| ENS (Basic and Medium categories) | 98.9% |
| DORA | 82.8% |
| NIS2 | 76.3% |
| GDPR | 46.2% |
Source: Kardu internal control mapping, 2026.

The direct implication: if you demonstrate ISO 27001, you have most of the NIS2 work done. And if you use a platform like Kardu, that evidence is reused automatically.
What do NIS2-obligated clients actually ask for?
When a NIS2 company audits its suppliers, the typical security questionnaire covers:
- Documented information security policy
- Access management and authentication controls
- Backup and recovery plan
- Incident management and notification procedure
- Staff cybersecurity training
- Periodic risk assessment
Without a system that centralises this information, answering a questionnaire like this can take weeks. With Kardu, the response comes from the controls and evidence you already have active.
How to prepare if you supply a NIS2 company
The most direct path:
1. Identify whether any of your clients is a NIS2 entity. If they operate in energy, banking, health or digital services and have more than 50 employees, they probably are.
2. Run a gap analysis against ISO 27001. It covers 76% of NIS2 and is the most efficient starting point.
3. Document evidence for each control. The questionnaire you receive will ask exactly that: not that you say you have it, but that you prove it.
4. Keep documentation up to date. A control that was active six months ago but has no recent evidence will not satisfy an audit.
Kardu automates steps 2, 3 and 4 so you can respond to any security questionnaire in hours, not weeks.
Information verified as of May 2026. NIS2 transposition is ongoing across EU member states. Always consult the current version on EUR-Lex and the European Commission official page.
Frequently asked questions
What is NIS2? NIS2 (Directive EU 2022/2555) is the most demanding European cybersecurity standard to date. It requires companies in essential and important sectors to implement active security measures and report major incidents within 24 hours.
Which companies does NIS2 directly oblige? Companies with more than 50 employees or more than 10 million euros in annual turnover operating in sectors such as energy, transport, banking, health, digital infrastructure and ICT services. Micro-enterprises are excluded unless they are sole providers of a critical service.
Why does NIS2 affect suppliers not on the list? Directly obligated entities must audit the security of their entire supply chain. In practice, this means security questionnaires sent to their suppliers. Failing to comply can mean losing the contract.
How much of NIS2 does ISO 27001 cover? According to Kardu's internal control mapping (2026), the 93 controls of ISO 27001:2022 cover 76.3% of NIS2 requirements. It is the most efficient starting point: most of what NIS2 requires is already in ISO 27001.
When does NIS2 come into force? The NIS2 Directive entered into force across the EU in January 2023. Member states are transposing it into national law. In the meantime, the directive applies directly to entities in critical sectors.