NIS2 compliance for US companies is no longer a planning exercise. The NIS2 Directive (EU 2022/2555) — the European Union's updated Network and Information Security regulation — entered enforcement on October 18, 2024, the day it formally repealed its predecessor, NIS1. Any US organization operating in the EU, serving EU customers, or running EU subsidiaries in a covered sector is now subject to mandatory cybersecurity requirements, a 24-hour incident reporting clock, and fines reaching €10 million or 2% of global annual turnover — whichever is higher. Germany's Federal Office for Information Security (BSI — Bundesamt für Sicherheit in der Informationstechnik) issued 47 formal notices in Q4 2025 for registration failures alone. France's national cybersecurity agency ANSSI (Agence nationale de la sécurité des systèmes d'information) has opened investigations into 14 entities. The enforcement curve is steepening.
This guide covers who is in scope, how the essential and important entity classification affects your obligations and fine exposure, what the ten mandatory security controls require, and how to structure an NIS2 compliance program before financial penalties accelerate through 2026 and 2027.
// 01 Does NIS2 Apply to US Companies? Extraterritorial Scope Explained
The NIS2 Directive applies extraterritorially. A US organization is in scope if it meets any of the following conditions:
- Operates a subsidiary, branch, or office in an EU member state that functions in a covered sector
- Provides digital services (cloud, managed services, CDNs, DNS) to EU customers — regardless of where the parent company is headquartered
- Runs critical IT infrastructure used by EU regulated entities in sectors such as energy, transport, banking, or health
- Delivers managed security services (MSSP) to EU organizations subject to NIS2
The directive does not require a company to be incorporated in the EU. If your SaaS platform serves EU healthcare systems, your logistics subsidiary ships through Germany, or your managed detection and response (MDR) team holds contracts with EU financial institutions, you are likely in scope.
The EU representative requirement: US entities that provide in-scope services in the EU but have no EU establishment must designate an EU representative — a legal entity or individual located in a member state who can receive regulatory communications on the company's behalf. The member state where the representative is established becomes the jurisdiction for regulatory oversight. Crucially, failure to appoint a representative does not exempt an organization from NIS2 obligations; enforcement proceeds regardless.
Covered sectors fall under two annexes of the directive:
- Annex I (high-criticality sectors): Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (including cloud computing, data centres, content delivery networks, internet exchange points), ICT service management (managed service providers and MSSPs), public administration, space
- Annex II (other critical sectors): Postal and courier services, waste management, chemicals, food production and distribution, manufacturing of medical devices, computers and electronics, machinery, and motor vehicles; digital providers including online marketplaces, search engines, and social networking platforms; and research institutions
// 02 Essential vs Important Entity: Which Classification Applies to You
NIS2 creates two compliance tiers. Your classification determines your fine ceiling, the intensity of regulatory supervision, and the documentation burden regulators will expect.
Essential entities are large organizations in Annex I sectors meeting at least one of these thresholds:
- 250 or more employees
- Annual turnover of €50 million or more
- Annual balance sheet total of €43 million or more
Essential entities face proactive supervision: national competent authorities (NCAs) can audit and inspect without waiting for a reported incident. Fine ceiling: €10 million or 2% of total worldwide annual turnover, whichever is higher.
Important entities are medium-sized organizations in Annex I sectors, or organizations of any qualifying size in Annex II sectors:
- 50 to 249 employees
- Annual turnover between €10 million and €50 million
Important entities face reactive supervision: regulators investigate after an incident or complaint. Fine ceiling: €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
Size-independent scope: Certain provider types are classified as essential entities regardless of headcount or revenue. These include DNS service providers, top-level domain (TLD) name registries, cloud computing service providers, data centre operators, CDN providers, managed service providers (MSPs), managed security service providers (MSSPs), and trust service providers. A five-person DNS startup with two EU customers is in scope as an essential entity.
Entity Classification Quick Reference
| Sector | Size threshold (any one) | Classification |
|---|---|---|
| Annex I | ≥250 employees | Essential |
| Annex I | ≥€50M turnover or ≥€43M balance sheet | Essential |
| Annex I | 50–249 employees or €10–50M revenue | Important |
| Annex II | ≥50 employees or ≥€10M revenue | Important |
| DNS/TLD/Cloud | Any size | Essential (size-independent) |
| CDN/MSP/MSSP | Any size | Essential (size-independent) |
[Figure: decision tree showing the classification path for a US company assessing its NIS2 exposure]
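The classification path in the table above, carried into code as an added example (it is not part of this guide and not an official tool): a small Python classifier that applies the size-independent override first, then the Annex I and Annex II thresholds, plus a fine-ceiling function that applies the "whichever is higher" rule from the fine structure in section 07. The `Entity` dataclass, the provider-type codes and the sample organizations are constructed for illustration; treating an Annex I entity below the medium thresholds as out of scope is an assumption drawn from the thresholds stated here.

```python
from dataclasses import dataclass
from typing import Optional

# Provider types the directive classifies as essential regardless of size
# (section 02 above). The short codes are our own labels, not directive identifiers.
SIZE_INDEPENDENT_ESSENTIAL = {
    "dns", "tld_registry", "cloud", "data_centre", "cdn", "msp", "mssp", "trust_service",
}

# Fine ceilings per classification: (fixed cap in EUR, share of worldwide annual turnover).
FINE_CAPS = {"essential": (10_000_000, 0.02), "important": (7_000_000, 0.014)}


@dataclass
class Entity:
    annex: Optional[int]                 # 1 or 2 for a covered sector, None otherwise
    employees: int
    turnover_eur: float                  # worldwide annual turnover
    balance_sheet_eur: float = 0.0
    provider_type: Optional[str] = None  # one of SIZE_INDEPENDENT_ESSENTIAL, or None


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out_of_scope' following the section 02 thresholds."""
    # Size-independent providers come first: they override every headcount/revenue test.
    if e.provider_type in SIZE_INDEPENDENT_ESSENTIAL:
        return "essential"
    if e.annex not in (1, 2):
        return "out_of_scope"
    # Any one of the three 'large' thresholds is enough.
    large = e.employees >= 250 or e.turnover_eur >= 50e6 or e.balance_sheet_eur >= 43e6
    medium = 50 <= e.employees <= 249 or 10e6 <= e.turnover_eur < 50e6
    if e.annex == 1:
        if large:
            return "essential"
        if medium:
            return "important"
        # Assumption: an Annex I entity below the medium thresholds falls outside
        # the general size-based scope described on this page.
        return "out_of_scope"
    # Annex II: any entity at or above the medium thresholds is 'important'.
    if e.employees >= 50 or e.turnover_eur >= 10e6:
        return "important"
    return "out_of_scope"


def fine_ceiling(classification: str, turnover_eur: float) -> float:
    """Maximum fine exposure in EUR: fixed cap or turnover percentage, whichever is higher."""
    if classification not in FINE_CAPS:
        return 0.0
    fixed, share = FINE_CAPS[classification]
    return max(fixed, share * turnover_eur)


if __name__ == "__main__":
    # Constructed sample entities, not real organizations.
    samples = {
        "German logistics subsidiary (Annex I transport), 300 staff, EUR 5M turnover":
            Entity(annex=1, employees=300, turnover_eur=5e6),
        "Annex I bank branch, 100 staff, EUR 60M turnover":
            Entity(annex=1, employees=100, turnover_eur=60e6),
        "Annex I health-tech subsidiary, 30 staff, EUR 20M turnover":
            Entity(annex=1, employees=30, turnover_eur=20e6),
        "Five-person DNS startup with two EU customers":
            Entity(annex=1, employees=5, turnover_eur=5e5, provider_type="dns"),
        "Annex II manufacturer, 5000 staff, EUR 600M turnover":
            Entity(annex=2, employees=5000, turnover_eur=600e6),
    }
    for label, ent in samples.items():
        cls = classify(ent)
        print(f"{label}: {cls}, fine ceiling EUR {fine_ceiling(cls, ent.turnover_eur):,.0f}")
```

The override order matters: a five-person DNS provider is tested against `SIZE_INDEPENDENT_ESSENTIAL` before any headcount rule runs, which is exactly why the headcount thresholds never rescue it from essential-entity status.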
// 03 Article 21: The 10 Mandatory Cybersecurity Controls
Article 21(2) of NIS2 mandates ten minimum cybersecurity measures. Implementation is expected to be proportionate to entity size, risk profile, and classification — but all in-scope organizations must address every control area. NCAs can request evidence of implementation during audits or investigations.
1. Risk analysis and information security policies — Documented risk assessment covering the organization's assets, the threat landscape relevant to its sector, and the risk treatment decisions made. Policies must be reviewed at defined intervals and updated after significant changes to the operating environment.
2. Incident handling — Written incident response procedures covering detection, containment, eradication, recovery, and post-incident review. Procedures must name responsible personnel, escalation paths, and the NIS2 reporting obligations triggered by significant incidents (see Section 4).
3. Business continuity, backup management, and crisis management — Tested backup regimes with defined recovery time objectives (RTOs) and recovery point objectives (RPOs), disaster recovery plans with named owners, and a crisis management structure for major incidents. "Tested" means documented results, not a planned test that has not yet run.
4. Supply chain security — Assessment of direct suppliers and service providers, with contractual clauses for audit rights, incident notification obligations, and subcontractor approval requirements. This is Article 21(2)(d) and is increasingly the control where US companies face the most contractual pressure from EU customers (see Section 6).
5. Secure development practices and vulnerability handling — Security requirements embedded in software procurement and development lifecycles, including a documented vulnerability disclosure policy. SBOMs (Software Bill of Materials — an inventory of all software components and dependencies used in a product) are becoming a standard deliverable regulators expect for software-based services.
6. Effectiveness assessment — Periodic testing of cybersecurity controls through penetration testing, internal audits, or independent assessments. NCAs can request evidence of effectiveness testing results. Essential entities face higher expectations: annual penetration tests and independent audits are the baseline expectation in most member states.
7. Cyber hygiene and training — Basic security practices applied consistently: documented patch management schedules, password and access policies, phishing awareness programmes. Mandatory cybersecurity training for all staff and for management is an explicit requirement — completion records must be maintained.
8. Cryptography and encryption — Documented policies governing cryptographic controls, including encryption standards for data at rest and in transit, key management procedures, and approved algorithm lists. The policy must address when encryption is required and what minimum standards apply.
9. Access control, human resources security, and asset management — Policies covering onboarding and offboarding procedures (joiners-movers-leavers), privileged access management (PAM — controls over accounts with elevated system permissions), and a maintained asset register. Background check requirements vary by member state.
10. Multi-factor authentication and secure communications — MFA (Multi-Factor Authentication — a login process requiring at least two forms of verification, typically a password and a one-time code or biometric) or continuous authentication is required for accessing sensitive systems. Encrypted channels for voice, video, text, and emergency communications are also mandated.
Framework alignment: NIS2 does not prescribe a specific framework, but organizations certified to ISO 27001:2022 will find significant coverage. Gap assessments typically surface shortfalls in supply chain documentation, board governance records, and effectiveness testing cadence. NIST CSF 2.0 users will find the control areas map closely to its six functions (Govern, Identify, Protect, Detect, Respond, Recover).
// 04 NIS2 Incident Reporting: The 24-72-30 Hour Obligation
Article 23 of NIS2 establishes a three-stage incident reporting process. The clock starts when your organization becomes aware of a significant incident — not when root cause is confirmed, containment is complete, or legal has been briefed.
What constitutes a "significant incident"? One that:
- Causes or is capable of causing severe operational disruption to the affected entity's services
- Causes significant financial loss to the organization, or
- Has caused or is capable of causing considerable material or non-material damage to other persons (customers, partners, other regulated entities)
| Stage | Deadline | Required Content |
|---|---|---|
| Early Warning | 24 hours | Notification to national CSIRT/NCA; suspected cause (malicious or unlawful?); indication of potential cross-border impact |
| Detailed Notification | 72 hours | Severity assessment; affected systems and services; indicators of compromise (IoCs); initial impact estimate; steps taken |
| Final Report | 30 days | Full root cause analysis; complete impact assessment; remediation measures implemented; lessons learned and future mitigations |
If the incident is unresolved at 30 days, submit a progress report at the 30-day mark and a final report within 30 days of resolution.
Reports go to the national CSIRT (Computer Security Incident Response Team — the government entity responsible for responding to and coordinating cybersecurity incidents within a member state) in the jurisdiction where your EU operations are established. For Germany: BSI. For France: ANSSI. For Ireland: NCSC Ireland. For Italy: ACN (Agenzia per la Cybersicurezza Nazionale). For the Netherlands: NCSC-NL.
The operational gap most US teams face: Most enterprise incident response programs run on 72-to-96-hour internal escalation timelines before external notification is considered. NIS2's 24-hour early warning window requires a pre-positioned triage workflow that can classify an incident as NIS2-significant within the first few hours. That means incident classification criteria must be written down, communicated to tier-1 SOC analysts, and tied directly to an escalation path to the regulatory notification function.
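One way to pre-position the triage workflow described above, as an added Python example (not code from this guide or from any regulator): the three "significant incident" tests become explicit yes/no fields the on-call analyst records, and the 24-72-30 deadlines are computed from the awareness timestamp, including the progress-report branch for incidents still open at day 30. The ransomware scenario and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Stage offsets from the section 04 table; all measured from awareness, not from
# root-cause confirmation or containment.
EARLY_WARNING = timedelta(hours=24)
DETAILED_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)


@dataclass
class TriageAssessment:
    """Yes/no answers recorded against the three 'significant incident' tests."""
    severe_operational_disruption: bool   # caused, or capable of causing
    significant_financial_loss: bool
    damage_to_other_persons: bool          # customers, partners, other regulated entities


def is_significant(a: TriageAssessment) -> bool:
    """Any single criterion met makes the incident NIS2-significant."""
    return (a.severe_operational_disruption
            or a.significant_financial_loss
            or a.damage_to_other_persons)


def reporting_deadlines(aware_at: datetime,
                        resolved_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Compute the 24-72-30 deadlines from the moment of awareness.

    If the incident is still unresolved at the 30-day mark, that date becomes a
    progress report and the final report falls 30 days after resolution.
    """
    if aware_at.tzinfo is None:
        raise ValueError("use a timezone-aware awareness timestamp so the 24-hour clock is unambiguous")
    deadlines = {
        "early_warning": aware_at + EARLY_WARNING,
        "detailed_notification": aware_at + DETAILED_NOTIFICATION,
    }
    day30 = aware_at + FINAL_REPORT
    if resolved_at is not None and resolved_at <= day30:
        deadlines["final_report"] = day30
    else:
        deadlines["progress_report"] = day30
        if resolved_at is not None:
            deadlines["final_report"] = resolved_at + FINAL_REPORT
    return deadlines


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left before a deadline; negative once it has passed."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: the SOC confirms ransomware on an EU subsidiary's
    # order-processing systems at 09:00 UTC; root cause is still unknown.
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    triage = TriageAssessment(severe_operational_disruption=True,
                              significant_financial_loss=False,
                              damage_to_other_persons=False)
    if is_significant(triage):
        schedule = reporting_deadlines(aware)
        for stage, due in schedule.items():
            print(f"{stage:>22}: {due.isoformat()}")
        now = aware + timedelta(hours=6)
        print(f"hours left for early warning: {hours_remaining(schedule['early_warning'], now):.1f}")
```

The function refuses naive timestamps on purpose: a 24-hour clock started from a US-local time and read by an EU-based representative is the kind of ambiguity that turns a timely early warning into a late one.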
// 05 NIS2 Compliance for US Companies: Board Accountability Under Article 20
NIS2 compliance for US companies introduces a governance requirement that most US security programs are not built for: personal director liability.
Article 20 of NIS2 requires the management body — the board of directors, executive committee, or equivalent governing body — of both essential and important entities to:
- Approve the organization's cybersecurity risk-management measures before implementation
- Oversee their ongoing implementation and effectiveness
- Complete mandatory cybersecurity training of a nature and frequency appropriate to their oversight role
- Bear personal liability for failures to comply with NIS2 obligations
This is not a delegable obligation. Article 20 frames it explicitly as individual director accountability, not just corporate liability. A director cannot satisfy NIS2 by pointing to a CISO or appointing a cybersecurity committee. Member states may impose remedies including public censure, temporary suspension from exercising management roles, and formal disqualification — against individual named directors, not just the organization as a legal entity.
Documentation that management bodies must maintain:
- Minutes of cybersecurity risk review meetings showing active engagement (not rubber-stamp approval of delegated decisions)
- Formal records of cybersecurity measure approvals, with the specific measures described
- Training completion logs for each board member and executive
- Evidence of executive-level involvement in incident response oversight
For US companies with EU subsidiaries, this has a specific structural implication: EU subsidiary board members — who frequently include US executives serving in dual roles — carry personal NIS2 liability under the laws of the relevant member state. Legal and governance teams should assess whether existing D&O (Directors and Officers) liability insurance policies cover NIS2 regulatory enforcement actions, including potential fines levied directly against individuals.
The GDPR comparison: GDPR (the EU General Data Protection Regulation) created organizational liability for data protection failures. NIS2 goes further by placing the obligation directly on named individuals at the top of the organization. The enforcement trajectory matters: GDPR enforcement began with process failures (missing impact assessments, inadequate consent mechanisms) before escalating to substantive data breach fines. NIS2 regulators are following the same pattern — registration and governance failures are being prosecuted first.
// 06 Supply Chain Requirements: What US Vendors Must Deliver
Article 21(2)(d) makes supply chain security a first-class obligation. EU-regulated entities must assess their direct suppliers and service providers — and must demonstrate that assessment through contractual protections and documented risk management. For US vendors, this creates a downstream compliance requirement even when the vendor is not itself directly in NIS2 scope.
What EU essential and important entity customers will require from US vendors in 2026:
Contractual clauses — expect new or amended MSAs (Master Service Agreements) requiring:
- Right-to-audit provisions: direct audit rights or via accredited third parties, at minimum annually and ad hoc following significant incidents
- Incident notification obligations: the vendor must notify the EU customer of security incidents affecting the customer's data or systems, typically within timeframes matching or shorter than the customer's NIS2 reporting window
- Subcontractor disclosure: the vendor must identify critical subcontractors (fourth-party suppliers) and their security baseline
- Change approval requirements: prior written consent before adding, replacing, or removing critical subcontractors or infrastructure components
Security evidence — ISO 27001:2022 certificates, SOC 2 Type II reports, penetration test executive summaries, and supply chain risk assessment documentation are standard evidence requests. Essential entity customers under proactive supervision face NCA scrutiny of their supplier assessments and will pass that scrutiny requirement downstream to their vendors.
NIS2 Supply Chain Readiness — US Vendor Checklist
─────────────────────────────────────────────────────────
☐ Audit all EU customer contracts for incoming NIS2 audit clauses
☐ Confirm SOC 2 Type II or ISO 27001:2022 coverage is current
☐ Document subcontractor inventory (Tier 1 and Tier 2 critical suppliers)
☐ Build 24-hour incident notification workflow for EU customers
☐ Assign a named point of contact for EU regulatory inquiries
☐ Review MSA templates for NIS2-required contractual language
☐ Brief legal on Article 21(2)(d) right-to-audit obligations
☐ Assess whether current penetration testing frequency meets audit evidence needs
─────────────────────────────────────────────────────────
// 07 NIS2 Fines 2026: Penalty Tiers and Real Enforcement Actions
Fine Structure
| Entity Type | Fixed Cap | Percentage Cap | Applied As |
|---|---|---|---|
| Essential entity | €10,000,000 | 2% of total worldwide annual turnover | Whichever is higher |
| Important entity | €7,000,000 | 1.4% of total worldwide annual turnover | Whichever is higher |
The percentage clause is the operative ceiling for most large organizations. A US company with €500 million in global revenue classified as an essential entity faces a potential fine of €10 million (the fixed cap) — but at 2% of revenue, the percentage figure is also €10 million. At €600 million in revenue, the 2% calculation produces €12 million, exceeding the fixed cap. Member states may set higher maximums in their national transposition legislation; the figures above are the minimum ceilings the directive requires each member state to adopt.
Personal liability under Article 20 adds to these fines. A director can face individual enforcement action in addition to or instead of the corporate fine.
2025-2026 Enforcement Activity
Germany — The BSIG (IT Security Act 3.0), Germany's NIS2 transposition law, took effect December 6, 2025. The BSI issued 47 formal notices in Q4 2025 for registration failures and missing designated points of contact. Approximately 18,500 companies missed Germany's entity registration deadline of March 6, 2026. The BSI's enforcement escalation path leads directly to administrative fines under §65 BSIG.
France — ANSSI opened investigations into 14 entities in the healthcare and digital infrastructure sectors for inadequate cybersecurity governance, and issued 23 remediation orders to energy and transport sector organizations for insufficient risk management practices. France's national NIS2 transposition law is expected in late 2026.
Netherlands — The Dutch NCSC completed compliance assessments of 120 essential entities and found that 38% lacked adequate incident reporting procedures, and 52% had no board-approved cybersecurity policy.
European Commission — On May 7, 2025, the Commission issued reasoned opinions (the formal step before infringement proceedings) to 19 member states for incomplete NIS2 transposition. As of May 2026, 21 of 27 EU member states have fully transposed NIS2; France, Spain, the Netherlands, and three others are completing national legislation.
[Figure: enforcement timeline from NIS2's legislative passage through the current enforcement phase]
Enforcement trajectory: The pattern mirrors GDPR. Early enforcement targeted process failures — missing registrations, absent governance structures — before escalating to substantive security failure fines. GDPR's first major financial penalty arrived roughly 14 months after enforcement began. NIS2's first substantive security-related fines are expected to follow the same curve through late 2026 and into 2027.
// 08 NIS2 Compliance Roadmap: 12 Steps for US Organizations
1. Determine scope — Map all EU legal entities, subsidiaries, and branches. Identify service delivery streams to EU customers. For each, determine whether the sector of operation falls under Annex I or Annex II.
2. Classify entity type — Apply the employee and revenue thresholds. Determine essential or important classification. Check whether the size-independent provisions apply (DNS, cloud, CDN, MSP, MSSP — these override general thresholds).
3. Designate an EU representative — If the organization has no EU establishment but delivers in-scope services to EU customers, appoint a named legal entity or individual in a member state. This is a legal requirement, not a best practice.
4. Register with the relevant NCA — Essential and important entities must self-register with their member state's competent authority. Germany's BSI, France's ANSSI, Ireland's NCSC, the Netherlands' NCSC-NL, and equivalents all operate registration portals. Deadlines vary by member state; Germany's passed in March 2026.
5. Conduct an Article 21 gap assessment — Audit all ten mandatory control areas against the current security posture. ISO 27001 and NIST CSF mappings are useful starting points but consistently surface gaps in supply chain documentation, board governance records, and MFA coverage.
6. Update board governance — Assign cybersecurity as a standing board agenda item. Document approvals of risk management measures. Begin mandatory director cybersecurity training. Review D&O insurance for NIS2 regulatory enforcement coverage.
7. Build the incident reporting workflow — Define internal "significant incident" triggers. Create a triage checklist calibrated to the 24-hour early warning window. Pre-identify the CSIRT reporting contact for each relevant member state. Conduct a tabletop exercise against the 24-72-30 timeline before an incident occurs.
8. Update supply chain contracts — Audit existing MSAs for NIS2-required clauses. Negotiate audit rights, incident notification obligations, and subcontractor disclosure requirements with Tier 1 suppliers. Maintain a register of supply chain risk assessments.
9. Implement MFA across sensitive systems — Article 21(2)(j) makes this a regulatory requirement, not a recommendation. MFA must cover remote access, administrative accounts, and access to systems processing customer or operational data.
10. Establish backup and business continuity — Test RTOs and RPOs with documented results. Assign named owners to disaster recovery runbooks. Crisis management structure must exist on paper before the NCA asks for it.
11. Deploy cyber hygiene and training — Implement a documented patching schedule with defined SLAs by severity. Deliver cybersecurity awareness training to all staff. Maintain completion records; NCAs have requested these during compliance assessments.
12. Schedule ongoing effectiveness assessment — NIS2 requires evidence of control effectiveness, not just evidence of control implementation. Budget for annual penetration tests, audit cycles, and periodic risk assessments. Document the methodology, not just the results.
// 09 Conclusion
NIS2 compliance for US companies with EU operations is an active regulatory obligation. Germany and France are already issuing formal notices and remediation orders; 21 member states have fully transposed the directive; and financial penalties are expected to escalate substantially through 2026 and 2027. The board liability provisions under Article 20 are the element most US leadership teams are unprepared for — the obligation is personal, not just corporate, and it cannot be delegated to a CISO.
Organizations that act now — registering with relevant NCAs, updating board governance, auditing supply chain contracts, and implementing the Article 21 controls — will be positioned to demonstrate compliance before regulators shift from governance failures to financial penalties for security failures. Waiting for a regulator's letter is not a strategy; the enforcement curve NIS2 is following is the same one GDPR traced between 2018 and 2020.
