---
title: "NIS2 vs NIS1"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-nis1"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-nis1"
author: "Sorena AI"
description: "A practical comparison of NIS2 vs NIS1: what changed in scope and sectors, how essential vs important works."
published_at: "2026-02-23"
updated_at: "2026-02-23"
keywords:
  - "NIS2 vs NIS1"
  - "Directive 2022/2555 vs 2016/1148"
  - "NIS2 scope changes"
  - "NIS2 reporting 24 hours 72 hours"
  - "NIS2 Article 21 controls"
  - "NIS2 essential vs important"
  - "NIS2 supervision enforcement"
  - "migrate from NIS1 to NIS2"
  - "NIS2"
  - "NIS1"
  - "Comparison"
  - "Supervision"
  - "Incident reporting"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# NIS2 vs NIS1

A practical comparison of NIS2 vs NIS1: what changed in scope and sectors, how essential vs important works.

*Comparison* *EU*

## EU Cybersecurity Law NIS2 vs NIS1

Understand what changed and how to migrate your program.

Output: a migration plan that reuses NIS1 artefacts where possible and closes NIS2 gaps.

NIS2 (Directive (EU) 2022/2555) replaced NIS1 (Directive (EU) 2016/1148) and raised the EU's cybersecurity ambition through wider scope, clearer requirements, stronger governance, and stronger supervision tools. Use this page to map changes into your implementation plan.

## What changed at a high level

NIS2 is broader and more explicit. The biggest practical shift is that compliance must be evidenced with owned controls and repeatable reporting workflows.

- Wider scope and more sectors: NIS2 extends coverage across more critical sectors and digital services.
- Clearer classification: essential vs important entities, with Member State lists and identification mechanisms.
- Stronger governance: management body accountability and training requirements (Article 20).
- Stronger and more specific reporting: Article 23 timelines (24h early warning, 72h notification, final report within 1 month).
- Stronger supervision/enforcement: explicit audit, scan, and enforcement powers with fine thresholds tied to Article 21/23 infringements.

## Controls and evidence (what you need to add if you had a "NIS1 policy binder")

Most NIS1 programs are policy-heavy. NIS2 expects measurable controls, effectiveness testing, and evidence readiness.

- Build an Article 21 control register mapping a-j measures to control IDs, owners, KPIs, and evidence links.
- Add effectiveness testing cadence (Article 21(2)(f)): audits, scans, control tests, and remediation tracking.
- Strengthen supply chain security as a first-class control domain (Article 21(d)).
- Integrate incident reporting templates, decision logs, and evidence capture into operations (Article 23).

## Migration plan (what to reuse vs rebuild)

You can reuse many artefacts - but you must tighten ownership, metrics, and reporting workflows.

- Reuse: incident response policies, asset inventories, BC/DR plans, and vendor management structures.
- Rebuild/upgrade: reporting timelines/templates and triage thresholds; management oversight cadence; evidence vault indexing; control KPIs.
- Add: classification memo (essential vs important), transposition overlays per Member State, and audit-ready control testing evidence.
- Validate: national authority/CSIRT reporting routes and portals before an incident happens.

*Recommended next step*

*Placement: after the comparison section*

## Use EU Cybersecurity Law NIS2 vs NIS1 as a cited research workflow

Research Copilot can take EU Cybersecurity Law NIS2 vs NIS1 from how this topic compares with adjacent regulations or standards to a reusable workflow inside Sorena. Teams working on EU Cybersecurity Law can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for EU Cybersecurity Law NIS2 vs NIS1](/solutions/research-copilot.md): Start from EU Cybersecurity Law NIS2 vs NIS1 and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through EU Cybersecurity Law](/contact.md): Review your current process, evidence gaps, and next steps for EU Cybersecurity Law NIS2 vs NIS1.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2) - Official Journal text (EUR-Lex)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary source for NIS2 obligations, supervision, and reporting timelines.
- [Directive (EU) 2016/1148 (NIS1) - Official Journal text (EUR-Lex)](https://eur-lex.europa.eu/eli/dir/2016/1148/oj/eng?ref=sorena.io) - Primary source for the predecessor framework (no longer in force).
- [European Commission - NIS2 Directive overview (policy page)](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Implementation context and summary of major changes introduced by NIS2.

## Related Topic Guides

- [Applicability Test | EU NIS2 Directive (EU) 2022/2555 | In Scope? Essential vs Important?](/artifacts/eu/nis2-directive/applicability-test.md): A grounded NIS2 applicability test: map each legal entity to Annex I or Annex II, apply the NIS2 size-cap rule and regardless-of-size triggers.
- [Article 21 Control Baseline | EU NIS2 Directive (EU) 2022/2555 | Cybersecurity Risk Management Measures](/artifacts/eu/nis2-directive/article-21-control-baseline.md): A practical Article 21 control baseline for NIS2: translate Article 21(2)(a) to (j) into owned controls, KPIs, tests, and evidence.
- [Checklist | EU NIS2 Directive (EU) 2022/2555 | Audit-Ready Owners, Evidence, Acceptance Criteria](/artifacts/eu/nis2-directive/checklist.md): An audit-ready EU NIS2 compliance checklist: scope (Annex I/II + size-cap rules), essential vs important classification, Article 21 control baseline.
- [Compliance Guide | EU NIS2 Directive (EU) 2022/2555 | Build an Audit-Ready Program](/artifacts/eu/nis2-directive/compliance.md): A practical EU NIS2 compliance guide: how to run scope and classification, build Article 21 controls, implement Article 23 reporting workflows.
- [Deadlines and Compliance Calendar | EU NIS2 Directive (EU) 2022/2555 | 16 January 2023, 17 October 2024, 17 April 2025](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): A practical EU NIS2 deadlines and compliance calendar with the legal anchor dates that matter: entry into force on 16 January 2023.
- [FAQ | EU NIS2 Directive (EU) 2022/2555 | Scope, Essential vs Important, Article 21, Article 23 (24h/72h)](/artifacts/eu/nis2-directive/faq.md): High-intent EU NIS2 FAQ: who is in scope, how essential vs important works, what Article 21 requires.
- [Incident Reporting Workflow | EU NIS2 Directive (EU) 2022/2555 | 24h Early Warning, 72h Notification, Final Report (1 Month)](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): A practical NIS2 incident reporting workflow grounded in Article 23 and Commission Implementing Regulation (EU) 2024/2690: define significant incidents.
- [Management Body Accountability | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Training, Liability](/artifacts/eu/nis2-directive/management-body-accountability.md): A practical Article 20 governance guide for EU NIS2: what the management body must approve and oversee, how liability and training work.
- [National Transposition Tracker | EU NIS2 Directive (EU) 2022/2555 | How to Track Local Laws, Authorities, Portals](/artifacts/eu/nis2-directive/national-transposition-tracker.md): A practical NIS2 national transposition tracker: monitor Member State implementation, find competent authority and CSIRT routes.
- [NIS2 vs ISO/IEC 27001 | How to Reuse Your ISMS for EU NIS2 Directive (EU) 2022/2555](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): A practical NIS2 vs ISO/IEC 27001 mapping: how to reuse an ISMS (risk assessment, policies, internal audits, management review.
- [NIS2 vs ISO/IEC 27017 | Cloud Security Mapping for EU NIS2 Directive (EU) 2022/2555](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): A practical mapping for cloud teams: how NIS2 Article 21 controls and Article 23 reporting apply to cloud service providers and cloud-dependent organisations.
- [Penalties and Fines | EU NIS2 Directive (EU) 2022/2555 | Article 32-34 Enforcement + Fine Thresholds](/artifacts/eu/nis2-directive/penalties-and-fines.md): A practical NIS2 enforcement guide: how supervision works for essential vs important entities (Articles 32-33), what enforcement measures authorities can use.
- [Requirements | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Article 21 Controls, Article 23 Reporting](/artifacts/eu/nis2-directive/requirements.md): A practical EU NIS2 requirements breakdown grounded in Articles 20 to 23, the Article 3 and Article 4 guidelines, and Implementing Regulation (EU) 2024/2690.
- [Scope: Essential vs Important | EU NIS2 Directive (EU) 2022/2555 | Article 3 Classification + What Changes](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): A practical guide to NIS2 scope classification: how essential vs important entities work (Article 3).
- [Supply Chain Security Program | EU NIS2 Directive (EU) 2022/2555 | Article 21(d) Supplier Risk + Evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): A practical NIS2 supply chain security program (Article 21(d)): vendor tiering, security requirements, onboarding/offboarding controls, continuous assurance.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-nis1