NIS 2 vs NIS 1

NIS 2 vs NIS 1: what actually changed

Article 41 of Directive (EU) 2022/2555 repealed the NIS 1 Directive with effect from 18 October 2024. This page describes what that means in practice.

Simon Orzel

Overview

NIS 1 was Directive (EU) 2016/1148. It covered seven sectors and split addressees into 'operators of essential services' (OES) and 'digital service providers' (DSP). Member States designated OES individually.

NIS 2 is Directive (EU) 2022/2555. It covers 15 sectors in Annex I and 7 sectors in Annex II, replaces the OES/DSP split with 'essential entities' and 'important entities', and uses an explicit size criterion (50 or more staff, or annual turnover above 10 million euro).

Article 41 of NIS 2 repealed the NIS 1 Directive with effect from 18 October 2024. Where Member State law still references the old directive, those references now point to NIS 2. National transposition statutes (such as the German BSIG in its NIS 2 version) replace the earlier IT-Sicherheitsgesetz 2.0 architecture.

Legal anchors

Three layers of text define the migration: the EU directive that repeals NIS 1, the Commission implementing regulation that adds detail for digital infrastructure, and the national statute that transposes the directive.

Directive (EU) 2022/2555 Article 41

Directive (EU) 2016/1148 is repealed with effect from 18 October 2024.

The repeal date is also the transposition deadline. References to NIS 1 in other EU acts are read as references to NIS 2.

Commission Implementing Regulation (EU) 2024/2690

This Regulation lays down the technical and the methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 [...]

The CIR specifies the Article 21(2) measures for a narrow set of digital infrastructure entity types. The Article 21 catalogue itself applies to all NIS 2 entities.

Germany: BSIG (NIS 2 version)

Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz), the Act on the Federal Office for Information Security.

Germany transposes NIS 2 by amending the BSIG. The earlier IT-Sicherheitsgesetz 2.0 architecture (KRITIS operators only) is replaced by a wider scope that includes essential and important entities.

Three structural changes

Most of what changed between NIS 1 and NIS 2 falls into three buckets: who is in scope, what they must do, and how enforcement works.

Scope

From 7 sectors and OES designation to 15 plus 7 sectors with a size rule

NIS 1 covered seven sectors and required Member States to designate OES one by one. NIS 2 lists 15 sectors in Annex I (essential) and 7 sectors in Annex II (important), and applies automatically to entities in these sectors that meet the size criterion (50 or more staff or more than 10 million euro turnover). Several entity types are in scope regardless of size.

Obligations

From Article 14 high-level measures to Article 21 with 10 measure areas plus Article 20 and Article 23

NIS 1 Article 14 required appropriate and proportionate measures in fairly general terms. NIS 2 Article 21(2) names 10 specific measure areas (risk analysis, incident handling, business continuity, supply chain, vulnerability handling, effectiveness, basic cyber hygiene and training, cryptography, access control and asset management, multi-factor authentication and secure communications). Article 20 adds explicit management body duties, Article 23 adds a structured reporting cascade, and Article 27 adds registration of entity data with the competent authority.

Enforcement

From Member State discretion to EU-wide minimum penalty ceilings

NIS 1 left penalties largely to national law and produced wide variation between Member States. NIS 2 Article 34 sets EU-wide minimum ceilings: for essential entities at least 10 million euro or 2 percent of total worldwide annual turnover, whichever is higher; for important entities at least 7 million euro or 1.4 percent. Article 32 and Article 33 also give supervisory authorities a longer list of powers.

What carries over, what does not

Some pieces of a NIS 1 programme remain useful under NIS 2. Others must be rebuilt because the legal structure is different.

Technical measures broadly carry over

An entity that already implemented Article 14 NIS 1 measures will recognise much of Article 21(2) NIS 2: incident handling, business continuity, supply chain, basic cyber hygiene and training are present in both texts. The labels and depth changed, the underlying idea did not.

Governance and reporting are new

Article 20 makes the management body responsible for approving cybersecurity risk-management measures, overseeing their implementation, and undergoing training. Article 23 introduces a three-step cascade (early warning within 24 hours, incident notification within 72 hours, final report within one month). Neither construct existed in NIS 1 at this level of detail.

National view

NIS 2 is a directive, so what an entity actually deals with is the national transposition statute. Three reference points help orient the migration.

DE

Bundesamt für Sicherheit in der Informationstechnik (BSI)

The BSI is the competent authority under the BSIG. For the migration it operates an entity register, publishes guidance documents (Handreichungen) on management body training and other duties, and supervises essential and important entities. KRITIS operators continue to exist as a subset with additional duties.

EU

European Union Agency for Cybersecurity (ENISA)

ENISA publishes the Technical Implementation Guidance for Article 21(2) measures and runs the European vulnerability database under Article 12. Its texts are non-binding but supervisory authorities cite them as the practical baseline.

DE

BSIG replaces IT-Sicherheitsgesetz 2.0 architecture

Germany transposes NIS 2 by amending the BSIG. The earlier IT-Sicherheitsgesetz 2.0 model focused on KRITIS operators. The NIS 2 version of the BSIG extends scope to essential and important entities and adds Article 20 management duties, Article 23 reporting and Article 27 registration.

Common pitfalls

Three assumptions show up repeatedly in the migration from NIS 1 to NIS 2 and lead to the wrong conclusion.
  • Our NIS 1 documentation carries over to NIS 2.

    Technical measures broadly carry over, but the legal envelope does not. NIS 2 introduces management body duties (Article 20), a three-step reporting cascade (Article 23), entity registration (Article 27) and a structured Article 21(2) catalogue. Old NIS 1 documentation usually has gaps in governance, reporting timelines and the supply chain section. Treat NIS 1 papers as a starting point, not as a completed file.

  • It is the same regulator, so it is the same regime.

    In several Member States the supervisor for NIS 1 also supervises NIS 2 (in Germany, the BSI). The institution stayed the same; its statutory powers and the catalogue of supervised entities did not. Articles 32 and 33 NIS 2 give supervisory authorities a longer list of inspection, audit and enforcement powers, and Article 34 sets EU-wide minimum penalty ceilings that did not exist under NIS 1.

  • Nothing material changed.

    Scope (15 plus 7 sectors with a size rule), governance (Article 20 management duties), reporting (Article 23 cascade), registration (Article 27) and penalties (Article 34 ceilings) all changed. The same wording 'appropriate and proportionate' appears in both directives, but the catalogue around it is much more specific in NIS 2.

Practitioner view

In practice the migration is rarely a clean restart. Most entities reuse parts of their NIS 1 risk register, incident playbook and supplier list, then add the new pieces: a management body decision on Article 21(2) measures, an Article 23 reporting workflow with the 24 hour, 72 hour and one month timestamps, an Article 27 registration entry, and a supply chain section that matches Article 21(2)(d).

The most common visible change is reporting. The single 'without undue delay' notification of NIS 1 becomes three separate documents in NIS 2, each with its own deadline and its own audience inside the entity. Practitioners usually rebuild the incident workflow first, because that is where the new timing rules bite quickly.

How this platform handles the migration

The obligation register is structured around the NIS 2 articles. Article 21(2) measures are tracked as individual requirements, Article 23 reporting timelines are tracked as a three-step incident workflow, Article 27 registration is tracked as a separate record, and the Article 20 management body decision is tracked as a sign-off.

If an entity already has NIS 1 evidence, it can be attached to the corresponding NIS 2 requirement. The platform does not assume carryover; each requirement is reviewed and marked as satisfied, partially satisfied, or open, with a date and a responsible person.

Sources
  • Directive (EU) 2022/2555, Article 41 (repeal of Directive (EU) 2016/1148), Articles 20, 21, 23, 27, 32, 33, 34, Annex I and Annex II (EUR-Lex).
  • Directive (EU) 2016/1148, Article 14 (security requirements for OES) and Article 16 (security requirements for DSP) (EUR-Lex).
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, recitals and Annex (EUR-Lex).
  • Bundesamt für Sicherheit in der Informationstechnik (BSI), NIS 2 information pages and BSIG references (bsi.bund.de).
  • ENISA, Technical Implementation Guidance on Article 21(2) NIS 2 (enisa.europa.eu).
Check whether NIS 2 applies to your entity

The applicability check uses the Annex I and Annex II sectors and the size criterion in Article 2 of NIS 2.