The NIS2 Directive and Your Documents: What EU Businesses Need to Know

What is NIS2 and why does it matter?

The Network and Information Security Directive 2 (NIS2) is Directive (EU) 2022/2555, adopted in December 2022 and in force since January 2023. It replaces the original NIS Directive from 2016. The jump in scope is enormous: NIS1 covered roughly 15,000 entities in 7 sectors. NIS2 covers over 160,000 entities across 18 sectors. That is a tenfold expansion.

Member States were required to transpose NIS2 into national law by October 17, 2024. As of April 2026, 21 of 27 Member States have done so. The European Commission sent reasoned opinions to 19 Member States in May 2025 for failing to notify full transposition. Germany completed its transposition in December 2025. France is expected to finalize its Loi Résilience in mid-2026. Enforcement has already begun.

And yet, according to a CyberSmart survey of 670 business leaders across eight EU countries published in April 2026, only 16% of in-scope businesses are fully NIS2 compliant. The primary barriers are budgetary constraints and lack of guidance on how to implement the measures. This guide addresses the second problem.

Are you in scope?

NIS2 applies to entities that operate in one of the 18 designated sectors AND meet the size threshold. There are two entity classifications: essential (higher obligations, proactive supervision) and important (lighter supervision, but the same core security measures apply).

The general size threshold is medium-sized enterprise or larger: 50 or more employees, OR annual turnover exceeding €10 million, OR annual balance sheet exceeding €10 million. Some entities qualify regardless of size — including DNS providers, TLD registries, trust service providers, and public electronic communications providers.

The 18 sectors are split across two annexes. Both carry the same Article 21 security requirements. The difference is in how supervisory authorities engage with you:

Note: the January 2026 Commission amendment proposal introduces a new "small mid-cap" category for entities with fewer than 750 employees and turnover under €150 million. Under this proposal, small mid-caps would be classified as important rather than essential, even if they operate in Annex I sectors. This is still in legislative negotiations and not yet in force.

The 10 mandatory security measures (Article 21)

Article 21(2) lists ten minimum security measures that every in-scope entity must implement. These are not suggestions — they are legal requirements, further detailed in the Commission Implementing Regulation (CIR) 2024/2690.

The key insight: look at the "Document required" column. Seven of the ten measures are fundamentally about having documented, approved, and auditable policies or procedures. This is where document management becomes directly relevant.

NIS2 is a documentation problem

This is where most NIS2 guides fall short. They explain the 10 measures, list the sectors, and move on. But the actual compliance challenge is not implementing a firewall or enabling MFA — most mid-sized businesses already have those. The challenge is proving it.

Auditors do not check your firewall rules. They check your documentation. They want to see that policies exist, are current (reviewed within the last 12 months), have documented management approval, and are versioned with change history. Under NIS2, the evidence is the compliance.

The Commission Implementing Regulation (CIR 2024/2690) translates Article 21 into approximately 30 specific documents that entities must produce and maintain. These are not optional — they are what supervisory authorities will request during an audit or after an incident.

The recurring theme is traceability. Every document must answer: who created it, when, who approved it, when was it last reviewed, and what changed since the previous version. A folder on a shared drive does not provide this. A DMS with version history and approval workflows does.

Incident reporting: the 24-72-1 rule

Article 23 mandates a three-stage incident reporting process for significant incidents. Missing these deadlines is itself a compliance violation. Every stage requires documented evidence — which means the quality of your incident records is directly tied to your regulatory exposure.

In practice, organizations that lack structured document management scramble to assemble incident evidence under time pressure. Those that maintain organized records — with timestamps, version history, and searchable archives — can produce what regulators need within hours, not weeks.

Where does your country stand?

NIS2 should have been transposed into national law by October 17, 2024. In reality, implementation has been slow. As of April 2026, 21 of 27 Member States have completed transposition according to the ECSO tracker. The European Commission sent reasoned opinions to 19 states in May 2025, giving them two months to complete transposition or face Court of Justice proceedings.

Here is the status of the six largest EU economies:

The penalties are real

NIS2 introduces two tiers of administrative fines, modeled after GDPR’s penalty structure. Member States can set maximums above these floors but not below them.

Article 20 adds personal liability: management bodies must approve cybersecurity risk-management measures and oversee their implementation. Members of management can be held personally liable for non-compliance. In some Member States, including Germany, this extends to temporary bans from holding management positions.

Enforcement is following the early GDPR pattern. Germany’s BSI issued 47 formal notices in Q4 2025 and its first financial penalty (€850,000 against a cloud service provider) in February 2026. France’s ANSSI has opened 14 investigations. Italy’s ACN has focused on registration enforcement. Significant financial penalties are expected to increase through 2026–2027 as national enforcement matures.

The January 2026 simplification proposal

On January 20, 2026, the European Commission published a proposal for targeted amendments to NIS2 as part of a broader cybersecurity package. The stated goal is to simplify compliance, increase legal certainty, and harmonize implementation. The proposal will go through the ordinary legislative procedure, with a political agreement targeted for early 2027.

Here is what may change — and what will not:

The direction is clear: NIS2 is getting simpler to comply with, not weaker. The core obligations remain. If you delay compliance hoping the amendments will exempt you, you are taking a legal risk. The proposal narrows the scope at the edges but does not reduce the requirements for entities that remain in scope.

Practical checklist for SMBs

If you are reading this because your compliance officer said "we might be in scope" — here is the minimum viable path forward. This is not a comprehensive NIS2 implementation plan. It is the set of actions that will get you from zero to audit-ready for the documentation requirements.

How Veluvanto helps with NIS2 documentation

Veluvanto is not a GRC platform. It does not replace your risk assessment methodology or your incident response procedures. What it does is provide the document management layer that makes NIS2 evidence sustainable — the part most businesses struggle with after the initial compliance push.

• ✓Version-controlled document storage: every edit is logged with timestamp, user, and previous version. You can reconstruct the state of any document at any point in time — exactly what auditors require.
• ✓Approval workflows: route policy documents through management sign-off with tracked status. The approval chain creates the evidence trail that Article 20 demands.
• ✓Full audit trail: every document action (upload, view, edit, approve, archive) is logged. No manual tracking required — compliance evidence is generated automatically.
• ✓AI-powered search and organization: find any document in seconds using natural language queries. When an auditor asks for your supplier security assessments from Q3, you can retrieve them immediately rather than searching through folders.
• ✓EU data residency and encryption: documents are stored in the EU with AES-256 encryption at rest and in transit. No data leaves the EU Data Boundary — unlike certain AI-powered tools that route processing through US data centers during peak demand.
• ✓GDPR-compliant by design: per-tenant isolation, SSE-C encryption, and data lifecycle management. NIS2 and GDPR overlap significantly in their documentation requirements — a system that satisfies one gets you most of the way to the other.

The hardest part of NIS2 compliance is not the initial setup — it is maintaining evidence over time. Policies go stale, reviews get skipped, training records disappear. A DMS that enforces version control, tracks approvals, and logs every action turns compliance from a quarterly scramble into a background process.

Sources and further reading

This guide is based on the following primary sources. Dates in parentheses indicate the publication or last-update date of each source.

1. Directive (EU) 2022/2555 (NIS2 Directive) — Full text on EUR-Lex (December 2022)
2. Commission Implementing Regulation (EU) 2024/2690 — Technical measures for NIS2 compliance (October 2024)
3. COM(2026) 13 — Proposal for targeted NIS2 amendments and alignment with the Cybersecurity Act (January 2026)
4. ECSO NIS2 Transposition Tracker — 21/27 Member States transposed as of April 2026
5. European Commission, Reasoned opinion to 19 Member States on NIS2 transposition (May 2025)
6. CyberSmart, "Only 16% of Businesses Are Fully Compliant with NIS2" — Survey of 670 business leaders (April 2026)
7. ENISA, NIS2 Technical Implementation Guidance (2025)
8. Germany BSI — First NIS2 penalty: €850,000 against cloud service provider (February 2026)
9. European Commission Impact Assessment — NIS2 scope: ~160,000 entities across 18 sectors