NIS2 vs NIS1 what changed in EU cyber compliance

Use this comparison to separate current NIS2 obligations from the repealed NIS1 framework, especially scope, entity classification, governance, risk-management controls, incident reporting, registration, and supervision.

Grounded in the NIS2 Directive, the NIS1 Directive, and the European Commission NIS2 overview.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026

Overview

NIS2 is not a light refresh of NIS1. Directive (EU) 2022/2555 replaced Directive (EU) 2016/1148, broadened the EU cybersecurity framework, created essential and important entity categories, added management-body governance, expanded risk-management and incident-reporting duties, and repealed NIS1 from 18 October 2024. Use this page to decide which legacy NIS1 records can still support evidence and which decisions must be rerun under NIS2.

Side-by-side comparison

NIS2 vs NIS1: practical compliance differences

Use this comparison to separate current NIS2 duties from legacy NIS1 records and to decide which older evidence needs remapping.

First framework
NIS2 Directive

The current EU cybersecurity framework for essential and important entities, with Article 20 governance, Article 21 risk-management measures, Article 23 reporting, registration, and differentiated supervision.

Second framework
NIS1 Directive

The earlier EU cybersecurity directive for operators of essential services and digital service providers; repealed from 18 October 2024 but still useful for interpreting legacy records.

Comparison row 1

Scope and covered activity

NIS2 Directive

Applies to public or private entities of types listed in Annex I or Annex II that meet the size-cap rule, plus specific regardless-of-size categories and Member State special cases.

NIS1 Directive

Applied to Member State-identified operators of essential services and to digital service providers in the NIS1 service model.

Operational implication

Rerun scoping under NIS2 Article 2 and Article 3; a NIS1 operator designation is useful context but not enough for current classification.

Comparison row 2

Who must act

NIS2 Directive

Essential and important entities must act, and their management bodies must approve cybersecurity risk-management measures, oversee implementation, and follow training.

NIS1 Directive

Operators of essential services and digital service providers carried the security and notification duties, while Member States, competent authorities, single points of contact, and CSIRTs ran the national framework.

Operational implication

Add board or management-body ownership to the NIS2 evidence map instead of leaving the program solely with security operations or compliance.

Comparison row 3

Trigger or threshold

NIS2 Directive

The trigger is the entity type in Annex I or Annex II, medium-sized-or-larger status (unless a regardless-of-size exception applies), essential or important classification, and any national registration or entity-list process.

NIS1 Directive

The trigger depended on Member State identification of operators of essential services and on whether a provider fell within the NIS1 digital service provider category.

Operational implication

Do not rely on the old national identification process alone; document the current NIS2 sector, size, special-case, and Member State facts.

Comparison row 4

Core obligations

NIS2 Directive

NIS2 combines governance, Article 21 cybersecurity risk-management measures, Article 23 significant-incident reporting, information-sharing rules, registration duties for specified entities, and supervisory evidence.

NIS1 Directive

NIS1 required appropriate and proportionate technical and organisational security measures and incident notification for operators of essential services and digital service providers.

Operational implication

Map each reused NIS1 control to a specific NIS2 Article 21 item, then separately check Article 20 governance and Article 23 reporting evidence.

Comparison row 5

Evidence and records

NIS2 Directive

Keep Article 2 and Article 3 classification, entity-list or registration details where applicable, Article 20 approvals and training, Article 21 control evidence, Article 23 reports, supplier-risk evidence, and supervision correspondence.

NIS1 Directive

Keep NIS1 national designation records, lists of essential services, security policies, audit evidence, incident notifications, and communications with competent authorities or CSIRTs.

Operational implication

Label each legacy record as reused for a current NIS2 duty, superseded by NIS2, or retained only for historical audit traceability.

Comparison row 6

Timing and cadence

NIS2 Directive

Member States had to adopt and publish NIS2 transposition measures by 17 October 2024 and apply them from 18 October 2024. Article 23 uses a 24-hour early warning, 72-hour incident notification, and final-report sequence for significant incidents.

NIS1 Directive

NIS1 required Member States to transpose by 9 May 2018, identify operators of essential services by 9 November 2018, and use national incident-notification rules before repeal.

Operational implication

Close legacy NIS1 deadlines as historical milestones and run current incident clocks against NIS2 Article 23 and national transposition law.

Comparison row 7

Enforcement or assurance route

NIS2 Directive

NIS2 gives competent authorities supervisory and enforcement powers over essential and important entities, with ex ante and ex post supervision for essential entities and ex post supervision only for important entities.

NIS1 Directive

NIS1 gave competent authorities powers to assess operators of essential services and take ex post action for digital service providers, with penalties set through national implementing rules.

Operational implication

Use the current national NIS2 competent authority route for supervision questions and keep NIS1 enforcement material only as background.

Comparison row 8

Overlap and reuse

NIS2 Directive

NIS2 maps many NIS1 topics forward: security measures, incident notification, competent-authority requests, standards, penalties, and review all have correlation-table links to NIS2 articles.

NIS1 Directive

NIS1 evidence may support continuity because the correlation table links earlier security and notification provisions to NIS2 Article 21 and Article 23.

Operational implication

Reuse older evidence only after confirming the current NIS2 article, national rule, owner, and evidence quality; do not treat correlation as automatic compliance.

Comparison row 9

Practical decision rule

NIS2 Directive

For NIS2, write the current sector, entity classification, Member State, national law or authority path, Article 20/21/23 duties, evidence owner, and reassessment trigger.

NIS1 Directive

For NIS1, write what the record proves historically: operator or digital-service-provider status, security measure, incident notification, authority correspondence, or old national deadline.

Operational implication

Close the migration only when every legacy NIS1 item is either remapped to a current NIS2 duty, retained as historical evidence, or removed from the active compliance plan.

Practical decision rule

How should teams use NIS1 records under NIS2?

  • Treat NIS2 as the current directive for planning, controls, incident reporting, supervision, and national-law follow-up.
  • Use NIS1 only to explain legacy scope decisions, previous authority interactions, or evidence that may be remapped.
  • Rerun scope under NIS2 Article 2 and Article 3 before relying on any old operator-of-essential-services designation.
  • Escalate when a legacy record lacks an owner, source, national-law link, or clear NIS2 article mapping.
Section 1

The short answer for NIS2 and NIS1

NIS1 was the EU's first horizontal cybersecurity directive for network and information systems. It relied on Member States identifying operators of essential services and also regulated digital service providers. NIS2 replaced that model with a broader framework for essential and important entities in Annex I and Annex II sectors.

For compliance planning after 18 October 2024, treat NIS2 as the current EU directive. Keep NIS1 records only as historical evidence or as a pointer to controls that need to be remapped to NIS2 Article 20, Article 21, Article 23, registration, supervision, and national transposition requirements.

  • Use NIS2 for current entity classification, sector mapping, risk-management measures, incident reporting, and supervision.
  • Use NIS1 to understand older operator-of-essential-services and digital-service-provider records that may still exist in audits, registers, or control libraries.
  • Do not assume a NIS1 designation or exemption settles NIS2 scope; rerun the Annex I or Annex II, size-cap, and special-case analysis.
Section 2

What changed from NIS1 to NIS2?

The European Commission describes NIS2 as raising the EU cybersecurity ambition through a wider scope, clearer rules, and stronger supervision tools. The directive extends the compliance conversation beyond NIS1's operator and digital-service-provider categories into a larger set of critical sectors, with medium-sized and large entities generally in view unless a special rule applies.

NIS2 also moves accountability upward. Management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee implementation, and follow training, while Article 21 lists a minimum set of measures covering risk analysis, incident handling, business continuity, supply chain security, vulnerability handling, effectiveness assessment, cyber hygiene, cryptography, access control, asset management, and authentication.

  • Replace NIS1 operator-of-essential-services checks with NIS2 essential-or-important entity classification.
  • Add management-body approval, oversight, and training evidence where NIS2 applies.
  • Map each technical control to the relevant Article 21 measure instead of citing a generic NIS security program.
  • Use the current Article 23 incident sequence instead of legacy 'without undue delay' language from NIS1.
Section 3

Where the NIS2 scope check starts

Start with NIS2 Article 2 and Article 3: identify whether the entity is public or private, whether it belongs to a type in Annex I or Annex II, whether the size-cap rule applies, and whether a special rule brings the entity in regardless of size. Then classify the entity as essential or important under Article 3.

NIS1 evidence can help identify legacy services and national authority history, but it cannot replace the current NIS2 classification. NIS2 also requires Member States to establish and update lists of essential and important entities and entities providing domain name registration services.

  • Record the Annex I or Annex II sector, subsector, and entity type.
  • Document the size-cap conclusion and any special case that applies regardless of size.
  • Identify the Member State jurisdiction, registration route, and authority contact when applicable.
  • Trigger reassessment when services, countries, customers, suppliers, or corporate size facts materially change.
Section 4

Evidence to keep when migrating from NIS1 records

A NIS1-era control library may still contain useful security policies, audit results, incident logs, and authority correspondence. The migration task is to relabel each item against the current NIS2 duty it supports, or mark it as historical only.

For NIS2, keep entity classification, registration details where required, management-body approval and training records, Article 21 control evidence, supplier-risk files, incident-notification clock logs, final reports, and supervision correspondence. The evidence owner should be able to retrieve the record and explain the source-linked reason it exists.

  • Separate legal interpretation ownership from operational control ownership.
  • Attach the NIS2 article, national transposition reference, or authority request to each evidence item.
  • Keep legacy NIS1 records with a status label: reused under NIS2, superseded, or retained for history.
  • Make incident evidence show the 24-hour early warning, 72-hour notification, intermediate updates if requested, and final report when Article 23 applies.

Primary sources

References and citations

  • NIS1 Directive (Directive (EU) 2016/1148, "security of network and information systems"), eur-lex.europa.eu. Referenced for the binding NIS1 text on operators of essential services, digital service providers, security requirements, incident notification, national implementation, and historical comparison with NIS2.
  • NIS2 Directive (Directive (EU) 2022/2555, "high common level of cybersecurity across the Union"), eur-lex.europa.eu. Referenced for the binding NIS2 text on scope, essential and important entity classification, Article 20 governance, Article 21 risk-management measures, Article 23 reporting, supervision, enforcement, transposition, and repeal of NIS1.
  • European Commission, "NIS2 Directive" overview, digital-strategy.ec.europa.eu. Referenced for the Commission's explanation that NIS2 replaced NIS1, broadened scope, strengthened supervision, and repealed NIS1 from 18 October 2024.