The NIS2 directive became enforceable in EU member states in October 2024. It applies to roughly 160,000 organizations across Europe — a significantly broader scope than its predecessor, NIS1. If you work at a company with 50+ employees or €10M+ turnover in one of the covered sectors (and the list is long: energy, transport, banking, health, digital infrastructure, ICT services, public administration, and more), NIS2 probably applies to you.

The directive is 66 pages of legal text. I've read it, and I've spent the past year helping organizations figure out what it actually requires from a technical standpoint. Here's the translation that I wish had existed when I started.

Who actually needs to worry

NIS2 splits covered entities into two tiers:

Essential entities — large organizations in critical sectors (energy, transport, banking, health, water, digital infrastructure, space). Stricter supervision, larger fines (up to €10M or 2% of global turnover).