NIS2 Directive Compliance: How to Meet Key Requirements

Published December 10, 2025

The EU’s NIS2 Directive represents a significant cybersecurity overhaul, raising baseline standards to strengthen the resilience of critical services across Europe. Designed to close gaps left by NIS1 and address the evolving threat landscape, NIS2 brings a broader scope and stricter requirements.  

NIS2 directly addresses the vulnerabilities that allow attackers to turn security breaches into disruptive disasters, including unchecked lateral movement, insufficient access controls, delayed containment, and more. As a result, modern microsegmentation and robust identity-based access controls now play a central role in meeting the directive’s technical and organizational requirements. 

With NIS2 now in force, covered entities need a path to streamline compliance. We’ll provide a comprehensive overview of the NIS2 Directive, walk through key requirements, and share a practical breakdown of how identity-aligned microsegmentation satisfies key control objectives.  

What Is the NIS2 Directive?  

The Network and Information Systems (NIS) Directive 2022/2555, also known as NIS2, is an EU cybersecurity policy designed to protect networks, systems, and users from cyberattacks with a unified legal framework.  

Replacing the original NIS1 Directive, NIS2 sets a more ambitious baseline for cybersecurity risk management and broadens the scope to 18 “essential” sectors, plus a second tier of “important” sectors, which are also now held to stricter cybersecurity standards.  

Who Must Comply with NIS2?  

Organizations are subject to NIS2 if they operate in the EU (or deliver services into it), fall within a covered sector, and meet size thresholds (50+ employees or €10m+ turnover/assets). Some critical service providers are required to comply with NIS2 regardless of size, meaning smaller entities could be covered if they’re deemed essential to societal or economic stability.  

NIS1 vs. NIS2: Key Updates  

According to the Official Journal of the European Union, NIS1 fell short in reflecting modern operational and economic realities:  

“With the repeal of Directive (EU) 2016/1148, the sectoral scope should be extended to a larger part of the economy to ensure comprehensive coverage of sectors and services of critical importance to essential economic and societal activities in the internal market. This Directive aims, in particular, to overcome the shortcomings of the distinction between operators of essential services and digital service providers, which has proven outdated as it does not reflect the importance of sectors or services to economic and societal activities in the internal market.” 

NIS2 strengthens and expands the original NIS1 Directive in several ways: 

| | NIS1 | NIS2 |
|---|---|---|
| Scope | ~8 sectors | 18 sectors |
| Management Liability | Limited | Executive accountability is explicit |
| Security Controls | Broad and interpretive | Detailed list under Article 21, including access control, vulnerability management, network security, incident handling, and more |
| Incident Reporting | Less prescriptive | 24-hour early warning, 72-hour notification, 1-month final report |
| Enforcement | Fines existed but varied | Stronger non-compliance penalties, including higher administrative fines and corrective actions |

This shift reflects EU regulators’ acceptance that flat networks and insufficient access controls are major drivers of breach severity. 

NIS2, DORA, EU Cyber Solidarity, and the Cyber Resilience Act: What Are the Differences?  

The EU has steadily advanced its cybersecurity posture in recent years with multiple regulations, the most recent being the EU Cyber Solidarity Act (Regulation 2025/38). Despite their close connection, each of these measures serves a distinct purpose:  

  • NIS2 establishes baseline cybersecurity and risk management requirements for essential and important entities across a wide range of sectors. It focuses on strengthening cyber hygiene, improving incident reporting, and enhancing the resilience of critical services throughout the EU. 
  • The Digital Operational Resilience Act (DORA) applies specifically to the financial sector and its information and communication technology (ICT) providers. Its focus is ensuring financial institutions can withstand, respond to, and recover from disruptions, including cyber incidents.  
  • The Cyber Resilience Act (CRA) regulates products with digital elements (hardware and software) placed on the EU market, requiring secure-by-design practices and vulnerability management.  
  • The EU Cyber Solidarity Act aims to strengthen collective detection, awareness, and coordinated EU-level response to major cyber incidents. Where NIS2 covers entity-level obligations, the Cyber Solidarity Act focuses on EU-wide capabilities. 

How to Meet NIS2 Requirements  

NIS2 outlines a clear set of technical and organizational measures designed to strengthen cyber resilience, proactively reduce risks, and ensure cyber incidents are detected and contained faster.  

Take a closer look at some of the key NIS2 requirements and learn how automated, identity-aligned microsegmentation helps achieve them. 

Governance and Management Responsibility (Article 20) 

NIS2 Article 20 requires leadership to approve, oversee, and ensure the implementation of cybersecurity risk management measures.  

A modern microsegmentation solution with real-time network visibility and dynamic policy enforcement helps satisfy governance requirements by enabling organizations to:  

  • Implement proactive security controls that provide audit-ready evidence of coverage, effectiveness, and policy enforcement 
  • Maintain visibility into network activity to show how security measures operate in practice, reducing lateral movement exposure and restricting internal pathways 

Cybersecurity Risk Management Measures (Article 21(1) and 21(2)) 

Covered entities are required to implement proportionate technical and organizational security measures for prevention, detection, response, and recovery, protecting systems across their full lifecycle.  

With comprehensive microsegmentation and identity-based access controls, organizations can effectively comply with risk management requirements by:  

  • Enforcing deterministic isolation across all assets to proactively minimize the attack surface  
  • Scaling least privilege access controls across the entire network to enable instant threat containment  

Access Control and Identity Protection (Article 21(2)(g) and 21(2)(i)) 

Access to systems must be restricted to authorized users, devices, and services, while privileged access must be tightly controlled and protected against misuse. 

An automated microsegmentation solution with robust, identity-aligned policy enforcement reduces credential-based compromise and privilege escalation by:  

  • Enforcing least privilege at both the network and identity layers by applying identity-aligned segmentation across human and machine accounts to ensure critical asset access is tightly controlled  
  • Strengthening privileged access security with network-layer MFA, even across legacy systems that cannot natively support MFA  

Network and Information System Security (Article 21(2)(f)) 

Organizations must secure internal network communications and prevent lateral movement to preserve system integrity and resilience.  

A multidimensional network security solution streamlines compliance with these requirements by preventing threat propagation and safeguarding critical operations, thanks to capabilities like:  

  • Blocking unauthorized east-west traffic to prevent lateral movement and limit unnecessary exposure  
  • Proactively isolating critical systems to keep vital operations humming even if an endpoint is breached  

Supply Chain and Third-Party Security (Article 21(2)(e)) 

NIS2 requires the identification, assessment, and minimization of cybersecurity risks arising from suppliers, vendors, and external partners, including the risks associated with their access to internal systems. 

Microsegmentation and comprehensive identity-based controls support supply chain security by:  

Incident Handling and Containment (Article 21(2)(b) and 21(2)(c)) 

Covered entities must maintain robust capabilities for detecting, managing, and containing cybersecurity incidents while supporting business continuity. 

Microsegmentation shortens incident duration, prevents escalation, and protects operational continuity during security events by:  

  • Allowing real-time isolation of compromised assets without shutting down entire environments  
  • Blocking lateral movement so that unaffected business units keep operating normally, even during an active cyber incident 

Vulnerability Handling and Exposure Reduction (Article 21(2)(d)) 

Organizations are required to reduce exposure to known vulnerabilities – especially in cases where patches cannot be applied immediately. 

To minimize exploitation risks, unlock compensating controls for assets that can’t be patched, and prevent vulnerable systems from escalating compromises, security teams can rely on automated microsegmentation to help: 

  • Isolate vulnerable, unpatched, or legacy systems automatically 
  • Prevent unpatched systems from becoming pivot points by proactively eliminating unnecessary communication pathways 

Business Continuity and Operational Resilience (Article 21(2)(c)) 

NIS2 emphasizes the importance of maintaining essential services during cyber incidents and minimizing operational disruptions, requiring organizations to implement resilience, disaster recovery, and crisis management measures.  

Microsegmentation facilitates a proactive defense strategy, enabling security teams to meet NIS2’s continuity and resilience requirements by:  

  • Building a self-defending architecture that prevents threats from spreading and isolates compromised assets  
  • Keeping critical systems and services operational while blocking cyber incidents from cascading to sensitive areas of the network  

Incident Reporting Obligations (Article 23) 

Organizations must provide timely and accurate incident reporting, including a 24-hour early warning, a 72-hour notification, and a final report within one month. 

While a microsegmentation solution may not perform regulatory reporting independently, it can dramatically streamline compliance with these requirements by:  

  • Providing deep, documented visibility into all network assets and communications  
  • Delivering detailed insights into attack paths and containment while supporting faster incident scoping and forensic evidence to meet reporting obligations  

Fast-Track and Future-Proof NIS2 Compliance with Zero Networks  

NIS2 pushes organizations to reach a more ambitious cybersecurity baseline with proactive controls and a focus on cyber resilience. Microsegmentation, identity access controls, and secure remote access capabilities are among the fastest and most defensible ways to meet key NIS2 requirements; Zero Networks delivers them all in a simple, rapid-to-deploy solution.   

By protecting every asset and identity with tailored segmentation policies, enforcing true least privilege across the entire network, and delivering comprehensive visibility into network activity, Zero streamlines compliance with NIS2 and other regulatory requirements.  

To see for yourself how you can enhance compliance initiatives and boost resilience without adding operational complexity, request a demo.