As the transposition of NIS-2 into EU national laws nears completion, organizations should carefully assess whether they fall into scope before a cyber incident occurs.
By James Lloyd, Wolf-Tassilo Böhm, Clemens Ganz, and Ben Leigh
Key Points:
- NIS-2 has a broad extra-territorial reach, and many organizations providing digital or infrastructure services into the EU may be in scope without having assessed their position.
- Non-EU organizations (including US-based businesses) may therefore be unaware that they are in scope until they respond to a cyber incident. Organizations may then need to register with regulators at the same time as submitting incident notifications, leading to significant risk under high operational and reputational pressure.
- Reactive registration in this context can expose compliance gaps to regulators at the point of maximum scrutiny, increasing the likelihood of enforcement action.
- With transposition largely complete and deadlines (including Germany’s July 2026 registration deadline) fast approaching, regulators are increasingly focused on registration compliance.
- Organizations should assess scope and complete registration before any incident arises to avoid being forced into reactive compliance during a live incident response.
Many organizations are unaware that they fall within the scope of the EU’s NIS-2 Directive until a cyber incident occurs. By that point, they may need to register with regulators at the same time as submitting incident notifications, exposing compliance gaps at the point of maximum scrutiny. As enforcement activity accelerates across the EU (and with hard registration deadlines now in place in some Member States), this can turn an operational incident into a broader regulatory issue.[1]
Below, we set out the NIS-2 background and enforcement regime, as well as the key features that will help organizations assess their exposure and take action before an incident forces the issue.
The Problem: Reactive Registration During a Live Incident
Directive (EU) 2022/2555 (NIS-2), which was adopted in December 2022 and took effect in January 2023, is the EU’s principal, sector-specific cybersecurity framework. It substantially expands the scope and raises the compliance bar set by its predecessor, Directive (EU) 2016/1148 (NIS-1). As NIS-2 addresses cybersecurity at an entity level, it complements Regulation (EU) 2024/2847 (the EU Cyber Resilience Act (CRA)), which establishes mandatory cybersecurity standards for hardware and software products with digital elements sold in the EU.
NIS-2’s extra-territorial reach means that organizations headquartered outside the EU — including US companies providing cloud, digital infrastructure, or managed services to EU customers — may fall within the Directive’s scope. Since the NIS-2 applicability criteria are detailed and sector-specific, the question can be genuinely difficult to assess without focused analysis. In practice, this means the issue may come to light only when a cyber incident has triggered the NIS-2 reporting regime. At that point, the affected entity faces a cascade of concurrent obligations:
- It must report the incident to the relevant national authority within 24 hours (initial warning), provide an update within 72 hours (detailed assessment), and submit a full report within one month.
- It must retroactively register with the competent authority — an administrative process that should have been completed well before any incident.
- It faces immediate regulatory scrutiny and potential enforcement for the failure to register.
- It must demonstrate compliance with the NIS-2 risk management and governance requirements — which it may not have implemented — under conditions of maximum pressure.
With transposition now complete in the majority of EU Member States and regulators actively enforcing registration obligations, the window for proactive compliance is narrowing. Notably, in Germany, the Federal Office for Information Security (BSI) has set a final deadline for in-scope organizations to complete registrations by July 31, 2026.
Compliance with NIS-2 is safeguarded by a robust enforcement regime: non-compliance may attract fines of up to €10 million or 2% of global annual turnover (whichever is higher). Moreover, NIS-2 introduces personal liability for members of management bodies — a provision that takes on particular significance when a board has failed to ensure that the organization registered and prepared for its NIS-2 obligations before an incident occurred.
State of Transposition
As an EU directive, NIS-2 does not apply directly; it must be transposed into national law by each EU Member State. After the transposition period ended in October 2024, the majority of EU Member States passed national transposition laws. Germany, for example, has adopted the BSI Act (BSI-Gesetz)[2] as its primary transposition vehicle. However, four of the 27 EU Member States have not completed the process and are yet to transpose the Directive.
Separately, the UK government is advancing its own Cyber Security and Resilience (NIS) Bill. It should be noted, however, that the scope of the UK Bill differs from NIS-2 in important respects, and a detailed comparison will be merited if the Bill gets adopted.
In-Scope Companies
NIS-2 casts a considerably wider net than NIS-1. The scope tests are complex and require close analysis to correctly determine applicability.
Sector-Specific Application
NIS-2 applies to organizations operating across a broad range of critical sectors offering services to EU users. More specifically, NIS-2 covers a total of 18 sectors, divided into two categories across Annex I and Annex II.
Annex I lists 11 sectors of high criticality:
- Energy (including electricity, district heating and cooling, oil, gas, and hydrogen)
- Transport (air, rail, water, and road)
- Banking
- Financial market infrastructures (such as trading venues and central counterparties)
- Health (including healthcare providers, EU reference laboratories, pharmaceutical manufacturers, and manufacturers of critical medical devices)
- Drinking water
- Waste water
- Digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery network providers, trust service providers, and providers of public electronic communications networks and services)
- ICT service management on a business-to-business basis (covering managed service providers and managed security service providers)
- Public administration
- Space
Annex II lists seven other critical sectors:
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing (medical devices and in vitro diagnostics; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers, and other transport equipment)
- Digital providers (including online marketplaces, online search engines, and social networking services platforms)
- Research
Size-Cap Thresholds
In addition to sector-based criteria, size-cap thresholds apply. In practice, many businesses operating in or providing services to the covered sectors are at risk of falling within scope. This also includes businesses that are not based in the EU, but offer services to EU users (e.g., US-based cloud service providers). Importantly, NIS-2 applicability is assessed on a per-entity basis: individual group companies may be caught even where the wider corporate group is not, and vice versa.
Extra-Territorial Reach
Companies headquartered outside of the EU may still fall under the scope of NIS-2. An entity generally falls under the jurisdiction of the EU Member State in which it is established. But where an entity provides services, or is established, in more than one EU Member State, it may come under the separate and concurrent jurisdiction of each EU Member State. For example, a company established in the US that provides cloud services to customers in the EU may still be covered by NIS-2 and have to comply with this framework — but it may benefit from a “one-stop shop” mechanism, similar to the one offered under the GDPR.
Obligations Under NIS-2
NIS-2 brings a broad suite of obligations for in-scope entities. The most significant obligations from a practical standpoint are set out below.
New incident reporting regime (Article 23 NIS-2): NIS-2 introduces a new, rigorous incident reporting regime, which represents a significant departure from existing cybersecurity frameworks. In-scope entities must report incidents to the relevant national supervisory authority where those incidents have a “significant impact” on the provision of their services. NIS-2 introduces a multi-staged reporting obligation:
- An initial warning must be submitted within 24 hours of the entity becoming aware of the incident.
- A more detailed report, including an initial assessment, must be filed within 72 hours.
- A comprehensive final report must be submitted within one month of the initial notification.
In-scope entities should align the NIS-2 reporting regime with reporting procedures under other relevant (EU) regimes, such as the GDPR. The CRA introduces a similar reporting regime that will apply as of 11 September 2026.
Cybersecurity risk management measures (Article 21 NIS-2): In-scope entities must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. The Directive lays down minimum requirements and mandates a cost-to-benefit analysis. In practice, many organizations will be able to build on existing cybersecurity structures. However, in-scope entities should ensure and document that their cybersecurity regime aligns with NIS-2 requirements.
Registration with the relevant national authority (Art. 3 (4) NIS-2): The registration obligation is at the center of the risks outlined above. In-scope entities are required to register with the competent national authority in each Member State where they fall within scope. Where an organization has not yet determined if and how NIS-2 applies, registration will naturally remain incomplete. The consequences of this gap become apparent when a cyber incident occurs. The mandatory incident report draws attention to the entity’s unregistered status. In Germany, the likelihood of enforcement increases significantly upon the expiry of the 31 July 2026 deadline communicated by the BSI. Failure to register can result in high penalties, reputational damage, and heightened scrutiny of the entity’s broader NIS-2 compliance posture.
Designation of an EU representative (Art. 26 (3) NIS-2): Entities that are not established in the EU, but fall within scope of NIS-2, must designate a representative in the EU. This requirement mirrors analogous provisions in other EU regulatory frameworks, including the GDPR.
What Should Organizations Be Doing Now?
The following steps are recommended as immediate priorities, particularly for organizations headquartered outside the EU that have not yet had the opportunity to assess whether NIS-2 applies to their operations:
- Conduct a scoping assessment: Determine whether the organization (and, where relevant, individual group entities) falls within the scope of NIS-2. If so, identify the relevant EU Member States and the business activities specifically covered by NIS-2.
- Analyze registration requirements: Identify the competent national regulators in each relevant EU Member State and submit or update registrations as applicable.
- Establish or optimize incident-reporting processes: Implement procedures for the new multi-stage reporting regime.
- Review risk management frameworks: Assess existing IT security and risk management systems against the requirements and adapt them where necessary.
- Designate an EU representative: Required where the organization is not established in the EU but is subject to NIS-2.
- Monitor legislative developments: Continue to track transposition activity across relevant Member States, any sector-specific implementing measures, and the progress of the UK’s NIS Bill, as it may impose comparable obligations that organizations should anticipate.
This post was prepared with the assistance of Flore Bourdet in the London office of Latham & Watkins.
1. With the German regulator setting a final, hard deadline for mandatory registrations by the end of July 2026 and enforcement activity accelerating across EU Member States, organizations that have not yet assessed their NIS-2 status should consider doing so as a matter of priority. As reported by Heise Online on 18 June 2026, accessible at https://www.heise.de/en/news/NIS2-Reminder-BSI-sets-new-deadline-for-registration-until-end-of-July-11336183.html.
2. Accessible in German at https://www.gesetze-im-internet.de/bsig_2025/BJNR12D0B0025.html.