EU NIS2 Directive: Why US Companies Need to Care

#The regulation US companies aren't reading

In our experience working with mid-market clients, the gap is always wider than the paper-based assessment suggests.

The Network and Information Security Directive 2 (NIS2) replaced the original NIS Directive in the European Union. Member states had until October 17, 2024 to transpose NIS2 into national law. Enforcement began shortly after.

NIS2 is Europe's most significant cybersecurity legislation since GDPR. Where GDPR focused on personal data, NIS2 focuses on operational resilience. Can the entities providing critical services to European citizens withstand cyberattacks?

The scope is broad. 100,000+ entities across 18 sectors are "essential" or "important" under NIS2 and subject to specific obligations. More surprisingly: the directive reaches non-EU companies that provide services to EU customers in covered sectors. Many US companies have discovered they're regulated without having realized it.

This post covers what NIS2 requires, who's subject to it, the penalties for non-compliance. And the practical steps for US companies that might be affected.

#Who's in scope

NIS2 applies to two categories of entities:

#Essential entities

Larger organizations in sectors deemed critical:

• Energy (electricity, oil, gas, district heating, hydrogen)
• Transport (air, rail, road, waterway)
• Banking (financial institutions)
• Financial market infrastructures
• Health (healthcare providers, pharmaceutical manufacturers, medical device manufacturers)
• Drinking water
• Wastewater
• Digital infrastructure (DNS, TLDs, cloud computing, data centers, content delivery networks, trust services, public electronic communications)
• ICT service management (managed service providers, managed security service providers)
• Public administration (central government, regional government bodies)
• Space

#Important entities

Medium-sized organizations (50+ employees or €10M+ turnover) in:

• Postal and courier services
• Waste management
• Manufacture, production, and distribution of chemicals
• Production, processing, and distribution of food
• Manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment)
• Digital providers (online marketplaces, online search engines, social networking platforms)
• Research

The thresholds for "essential" vs "important" depend on size and sector. Both categories have obligations. Essential entities have additional scrutiny.

#The jurisdictional reach

Where US companies get surprised. NIS2 applies to:

EU-established entities in scope sectors. Obvious.

Non-EU entities that provide services to EU customers in scope sectors. This is the key expansion. Examples:

• A US-based managed service provider serving EU hospitals → subject to NIS2
• A US-based cloud provider with EU customers → subject to NIS2 (as a digital infrastructure entity)
• A US-based online marketplace with EU users → subject to NIS2 (as an important entity)
• A US-based DNS provider with European customers → subject to NIS2 (as a digital infrastructure entity)

The threshold for "provides services" is loose. If you've EU customers in a covered sector and your services relate to the sector's critical infrastructure, you're likely in scope.

#What NIS2 requires

Essential and important entities must implement:

#Risk management measures (Article 21)

A comprehensive cybersecurity framework including:

• Policies on risk analysis. Formal risk assessment methodology
• Incident handling. Detection, response, reporting
• Business continuity. Backup, disaster recovery, crisis management
• Supply chain security. Vendor risk management
• Secure network/system acquisition, development, and maintenance. SDLC security
• Basic cyber hygiene practices and training. Security awareness
• Cryptography and encryption. Data protection
• Human resources security, access control policies, and asset management
• Multi-factor authentication or continuous authentication solutions
• Security of procurement. Vendor security
• Secure use of communications. Video, voice, text where applicable

Intentionally broad. The specifics are determined at national-implementation level and through guidance from EU cybersecurity agencies (ENISA and national CSIRTs).

#Incident reporting (Article 23)

Early warning: within 24 hours of becoming aware of a significant incident.

Incident notification: within 72 hours, with initial assessment.

Final report: within one month, with detailed description and response.

"Significant incident" is defined as one that has caused or may cause:

• Severe operational disruption of the service
• Financial loss
• Affect other persons by causing considerable material or non-material damage

Incident notifications go to the national CSIRT (Computer Security Incident Response Team) of the member state where the affected service is provided.

#Vulnerability disclosure

Essential and important entities must:

• Establish a coordinated vulnerability disclosure process
• Cooperate with researchers reporting vulnerabilities
• Report known vulnerabilities to national authorities

#Supply chain obligations

Essential entities must:

• Assess supply chain risks
• Implement controls for supply chain security
• Include cybersecurity requirements in contracts with service providers

Where US companies frequently encounter NIS2 even if they're not themselves NIS2-regulated. Their EU customers impose NIS2 requirements on them via contract.

#The penalty structure

NIS2 has teeth:

For essential entities: up to €10 million or 2% of global annual turnover (whichever is higher).

For important entities: up to €7 million or 1.4% of global annual turnover (whichever is higher).

For reference, these thresholds are roughly comparable to GDPR penalties (€20M or 4% of global turnover). Like GDPR, enforcement is handled by national authorities, so the penalty depends on which member state is enforcing.

Personal liability for management is also explicit. Company directors can be personally liable for NIS2 non-compliance in some member states' implementations.

#National implementation variations

NIS2 is a directive, not a regulation. Meaning each EU member state transposes it into national law with some variation. As of April 2026:

• Germany. BSIG (BSI Act) amendments, strict enforcement
• France. Transposed with additional requirements, ANSSI as lead regulator
• Netherlands. Cyber Security Act (Cyberbeveiligingswet)
• Italy. Legislative Decree 138/2024
• Spain. Royal Decree transposition
• Belgium. Transposed with notable expansion to more sectors
• Poland. Transposed with specific implementation regulations

Each member state has:

• Its own penalty thresholds (within NIS2 minimums)
• Its own incident reporting authority
• Its own registration process for NIS2-regulated entities
• Its own specific interpretation of requirements

For a US company with pan-European customers, you may need to comply with multiple national implementations simultaneously.

#How NIS2 compares to US frameworks

If you're US-based and used to US cybersecurity frameworks, NIS2 has overlaps and differences:

#Similarities to US frameworks

• Risk management basis. Similar to NIST CSF
• Incident response requirements. Similar to SEC 4-day rule
• Supply chain security. Similar to CMMC 2.0
• Multi-factor authentication requirement. Similar to HIPAA proposed rules
• Board-level accountability. Similar to NY DFS, SEC rules

#Differences from US frameworks

• Broader sectoral coverage. NIS2 covers sectors US lacks equivalents for (food production, chemicals, postal services)
• Stricter timelines. 24-hour early warning vs US norms
• EU-wide enforcement. 27 national authorities coordinating
• Personal liability. More explicit than most US frameworks
• Extraterritorial reach. Broader than most US cybersecurity laws

#What US companies need to do

If you think NIS2 might apply:

#Step 1: Determine applicability

Questions to answer:

1. Do I have EU customers? Check your customer lists, invoices, data residency.
2. Are any of those customers in NIS2 sectors? Healthcare, energy, transport, banking, digital infrastructure, manufacturing, research, food, chemicals, etc.
3. Are my services related to the critical nature of their business? Supporting a pharmaceutical manufacturer's IT operations = yes. Selling them office supplies = no.
4. Am I providing services in "digital infrastructure" sectors? Cloud, CDN, DNS, data centers, trust services, online marketplace, search, social media.

If yes to 1+2+3 or 1+4, you're likely in scope. Get legal analysis specific to your situation.

#Step 2: Register

NIS2-regulated entities must register with national cybersecurity authorities in the member states where they operate. Requirements vary:

• Some member states have self-registration portals
• Others require formal applications
• Some require appointing a designated representative in the EU

Registration is an ongoing obligation, not one-time.

#Step 3: Conduct NIS2-aligned risk assessment

The specific requirements vary, but generally:

• Document all EU-facing services
• Identify threats specific to your services and their users
• Assess the impact of disruption
• Prioritize controls based on risk

This isn't substantially different from a NIST-aligned risk assessment for your overall operations. The difference is specificity. NIS2 expects you to assess risks specifically from the perspective of your EU customers' critical operations.

#Step 4: Implement required controls

The "baseline" NIS2 controls align with most established security frameworks:

• MFA on privileged and sensitive access
• Encryption at rest and in transit
• Incident response plan with tested procedures
• Backup and recovery
• Security awareness training
• Supply chain security assessment
• Access controls aligned with least privilege

If you've a mature NIST CSF / ISO 27001 / SOC 2 program, you're mostly already implementing NIS2 baseline controls. The gap is documentation and EU-specific reporting/notification processes.

#Step 5: Establish incident response with EU reporting

Your incident response plan must include:

• Detection capabilities for NIS2-reportable incidents
• 24-hour early warning pathway to relevant national CSIRT(s)
• 72-hour notification procedure
• 1-month final report procedure
• Documentation retention for reporting purposes

Multi-member-state exposure requires coordinating notifications to multiple CSIRTs simultaneously. This is a non-trivial logistics problem.

#Step 6: Document everything

Compliance evidence matters. Document:

• Risk assessments (dated, versioned)
• Control implementations with evidence
• Training records
• Incident response drills
• Supply chain security assessments
• Vulnerability management processes

Expect regulator scrutiny. Documentation is your defense during audits.

#The cost

For US companies newly discovering they're in NIS2 scope, typical costs:

Small US company (50-200 employees) with EU customers in covered sectors:

• Initial gap assessment: $15K-$30K
• Remediation and implementation: $50K-$200K
• Annual maintenance: $50K-$100K/year

Mid-size US company (200-1,000 employees):

• Initial gap assessment: $30K-$80K
• Remediation and implementation: $200K-$1M
• Annual maintenance: $100K-$300K/year

Large US company (1,000+ employees):

• Initial gap assessment: $100K+
• Remediation and implementation: $1M-$10M+
• Annual maintenance: $500K+

Most significant costs:

• Incident response capability upgrades (faster detection, faster reporting)
• Supply chain security program establishment/expansion
• EU representation (legal, operational)
• Documentation and compliance infrastructure

#The penalty exposure

If you're subject to NIS2 and don't comply:

Scenario 1: You don't register. Some member states have active enforcement. Fines in the hundreds of thousands of euros for registration failure alone.

Scenario 2: You have an incident and don't report within timelines. Fines up to the maximums (€7M or €10M depending on category) for late reporting.

Scenario 3: Your risk management is inadequate. Regulator audits reveal gaps. Fines proportional to gaps and the regulator's assessment.

Scenario 4: Supply chain failure. Your EU customer has an incident traced to you. Your customer is fined, potentially passes costs to you via contract, plus you face direct NIS2 penalties as their supplier.

Enforcement is still ramping up in 2026. Several enforcement actions have been announced. More are expected as member states establish operational enforcement capacity.

#Practical scenarios for US companies

#Scenario 1: US SaaS company with EU healthcare customers

You run a SaaS product used by EU hospitals for patient management. Your product is a "digital infrastructure" provider to healthcare entities.

Implications:

• Likely in scope as a digital infrastructure important entity
• Your hospital customers are essential entities under NIS2 healthcare sector
• Your customers will contractually require NIS2 compliance from you
• You need to comply with NIS2 directly and support customer NIS2 obligations

Priorities:

• Register with relevant national CSIRTs
• Implement NIS2 risk management
• Upgrade incident response to 24/72-hour reporting
• Update customer contracts to reflect NIS2 security requirements
• Document supply chain security

#Scenario 2: US cloud provider with EU financial services customers

You provide cloud infrastructure to EU banks and payment providers.

Implications:

• Digital infrastructure provider, essential entity in scope
• Your banking customers are essential entities
• Banking regulators may have additional requirements beyond NIS2
• Performance/SLA obligations may interact with NIS2 incident reporting

Priorities:

• Register with relevant authorities in all EU member states where customers operate
• Implement NIS2 controls at essential-entity level
• Build incident notification infrastructure supporting parallel 24-hour reporting to multiple national CSIRTs
• Coordinate with banking regulators for layered compliance

#Scenario 3: US online marketplace with EU users

You run a consumer marketplace (think: specialized e-commerce) with significant EU user base.

Implications:

• Online marketplace = NIS2 important entity category
• Direct consumer services, not B2B, but still in scope
• Digital Services Act (DSA) also applies for online platforms
• GDPR already applies (assumed)

Priorities:

• Register with relevant national authorities
• Implement important-entity NIS2 controls
• Coordinate compliance with DSA, GDPR, NIS2 obligations
• Consumer-facing incident communication alongside regulator reporting

#Scenario 4: US managed security services provider with EU customers

You provide MSSP services (SOC, incident response, vulnerability management) to various EU customers.

Implications:

• ICT service management = essential entity
• Your customers will include NIS2-regulated entities
• You're both subject to NIS2 directly AND providing services that support customer compliance

Priorities:

• Become exemplar of NIS2 compliance (your customers will rely on your posture)
• Build capabilities to help customers meet their NIS2 obligations
• Document supply chain security rigorously

#How to approach the gap

If NIS2 is new to you:

#Month 1: Discovery

• Identify EU customers in covered sectors
• Understand which national implementations apply
• Identify existing frameworks you can use (NIST CSF, ISO 27001, SOC 2)
• Gap analysis against NIS2 requirements

#Month 2-6: Implementation

• Build or upgrade incident response for EU reporting timelines
• Document risk management processes
• Implement supply chain security
• Establish EU registration (formal applicant process)

#Month 6-12: Maturation

• First tabletop exercise with EU incident reporting
• Customer contract updates
• Documentation refinement
• Internal training

#Ongoing

• Quarterly compliance review
• Incident reporting drills
• Regulator relationship maintenance

#For companies with existing EU operations

If your company already has GDPR compliance, SOC 2, ISO 27001, or similar, NIS2 is a gap-filling exercise than a ground-up build. The main deltas:

• Faster incident reporting than GDPR (GDPR is 72 hours; NIS2 is 24 hours for early warning)
• Broader sectoral focus. Cyber resilience, not personal data
• Supply chain obligations more explicit than GDPR
• Operational security focus than data privacy focus

Most well-built security programs can be extended to meet NIS2 with 3-6 months of targeted work than full multi-year implementation.

#The coordination question

For companies with EU operations, layering NIS2 on top of existing frameworks creates complexity:

• NIS2 (operational resilience for critical services)
• GDPR (personal data protection)
• Digital Operational Resilience Act (DORA) (financial sector, overlapping with NIS2)
• Digital Services Act (DSA) (online platforms, content moderation)
• AI Act (AI systems, phased enforcement)
• Cyber Resilience Act (connected products, phasing in)

Each has its own scope, requirements, penalties. Some overlap substantially. Coordinated compliance programs are more efficient than parallel siloed efforts.

#For Valtik clients

Valtik provides NIS2 readiness consultations for US companies with EU operations:

• NIS2 scope assessment. Is your company subject, and in which categories?
• Gap analysis against NIS2 requirements based on your existing security posture
• Implementation roadmap with prioritization and resource estimates
• Incident response uplift for 24/72-hour EU reporting timelines
• Customer contract review for NIS2 flow-down requirements

For US companies that have discovered NIS2 applies or suspect it might, reach out via https://valtikstudios.com.

#The honest summary

NIS2 is the EU's major cybersecurity regulation for operational resilience. Its reach into non-EU companies via the "services to EU customers in covered sectors" criterion catches many US companies unaware.

If you've EU customers and your services support any critical sector function, NIS2 likely applies. The penalties are real (€7-10M or 1.4-2% of global turnover). Enforcement is ramping up through 2026.

The actions are familiar. Risk management, MFA, incident response, supply chain security, documentation. The specificity of timelines (24/72 hours) and the EU registration requirements are the distinctive pieces.

If you haven't assessed your NIS2 exposure, do it now. Regulators are moving from "enforcement ramp-up" to "active enforcement" through 2026-2027. The question isn't whether NIS2 enforcement will affect US companies. It's which US companies get made examples of first.

#Sources

1. NIS2 Directive. Official Text
2. ENISA NIS2 Implementation Guidance
3. NIS2 National Transposition Status
4. German BSI NIS2 Guidance (English)
5. ANSSI NIS2 Resources (France)
6. NIS2 Sector Definitions. Annex I and Annex II
7. European Cyber Security Month Reports
8. DORA Overview (Financial sector overlap)
9. Digital Services Act (Online platforms)
10. Cyber Resilience Act