The NIS2 Directive in the EU is the most significant expansion of European cybersecurity law in a decade, and as of July 2026 it is finally reaching the point where it changes what organisations must actually do. It replaces an earlier directive from 2016, widens the range of sectors covered, and, for the first time, attaches serious financial and personal consequences to getting cybersecurity wrong.
If you run infrastructure for a business that operates in Europe, the question is no longer whether NIS2 matters, but whether it applies to you, and what it demands if it does. This guide answers both, in plain terms, and marks honestly where the boundaries of infrastructure end and organisational responsibility begins.
One thing to establish at the outset: no hosting provider, and no dedicated server, can make an organisation compliant with NIS2. Compliance is a programme, not a purchase. What infrastructure does is form one piece of it, and we will be precise about which piece.
📖 Where data residency fits in
NIS2 sits alongside the data protection rules many businesses already follow. Read Dedicated Servers and GDPR: What You Need to Know, which explains how hosting location affects regulatory obligations under EU law.
What the NIS2 Directive Actually Is
NIS2 is formally Directive (EU) 2022/2555, which entered into force on 16 January 2023. It succeeds the original NIS Directive of 2016, the first EU-wide attempt to raise the baseline of cybersecurity across critical industries. The original proved too narrow and too unevenly applied, and NIS2 is the correction.
A directive is not a law by itself. It is an instruction to the 27 member states, each of which must write the directive into its own national legislation through a process called transposition. This distinction matters enormously in practice, because it means NIS2 does not arrive everywhere at once, nor in identical form. The core obligations are consistent across the Union, but the penalties, the supervising authorities, and some sector details vary from one country to the next.
The transposition deadline was 17 October 2024. Most member states missed it. The delay has been widespread enough that the European Commission has opened infringement proceedings against the majority of them, and the legal landscape through 2025 and 2026 has been a patchwork of countries at very different stages.
Who NIS2 Covers
This is the question most organisations need answered first, and the directive uses a clear, if unfamiliar, test.
An organisation falls within scope when three conditions are met together. It operates in one of the sectors listed in the directive’s annexes. It qualifies as a medium or large enterprise by European definitions. And it provides services within the European Union.
The sectors are grouped into two annexes. Annex I lists sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Annex II lists other critical sectors: postal services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research.
Essential and Important Entities: The Thresholds
Within scope, the directive sorts organisations into two categories, and the thresholds are worth stating precisely. According to the Dutch government’s own guidance, an important entity is a medium-sized organisation with at least 50 employees, or an annual turnover or balance sheet total above 10 million euros. An essential entity is a large organisation with more than 250 employees, or a net turnover above 50 million euros together with a balance sheet total above 43 million euros.
There is a common misunderstanding worth correcting here. The distinction between essential and important entities affects supervision and enforcement far more than it affects the security obligations themselves. As the law firm Kennedy Van der Laan notes in its analysis of the Dutch transposition, the significance of the distinction is relatively small and concerns mainly supervision, while the sector an enterprise operates in is more decisive to the substance of its obligations. In other words, both categories must meet substantially the same security bar. Essential entities simply face more proactive oversight and, in some cases, heavier consequences.
Some categories fall in regardless of size. Providers of public electronic communications and certain digital infrastructure operators are covered even when small, because the service they provide is too important to the wider network to exempt.
📖 The infrastructure underneath compliance
Security obligations rest on how your servers are configured and isolated. Read What Is Server Hardening?, on reducing the attack surface that any risk-management programme has to account for.
What NIS2 Requires of Those It Covers
The obligations fall into two broad duties, and the directive is deliberately outcome-focused rather than prescriptive. It tells organisations what to achieve, not which product to buy.
The first is a duty of care. Covered entities must take appropriate and proportionate technical, operational, and organisational measures to manage the risks to the networks and information systems they rely on. The directive’s Article 21 lists the areas these measures must address, and the list is a fair summary of modern security practice: risk analysis and information system security, incident handling, business continuity and backup management, supply chain security, security in the acquisition and maintenance of systems, policies to assess whether the measures work, basic cyber hygiene and training, cryptography and encryption, human resources security and access control, and the use of multi-factor authentication.
The second is a duty to report. When a significant incident occurs, the clock starts, and it runs faster than most organisations expect. An early warning is due within 24 hours of becoming aware of the incident. A fuller notification, with an initial assessment, is due within 72 hours. A final report follows within one month. The European Union Agency for Cybersecurity, ENISA, provides guidance supporting these obligations across member states.
Underlying both duties is a shift that NIS2 introduces deliberately: accountability moves to the top. Management bodies are made responsible for overseeing and approving the security measures, and they can be held personally accountable for failures. This is not rhetorical. The Dutch transposition allows a fine of up to 25,000 euros to be imposed directly on individual board members for failing to meet their obligations to understand the risks they oversee.
What Happens When an Organisation Fails to Comply
NIS2 gives regulators genuine force, and this is the part that has moved cybersecurity onto boardroom agendas across Europe.
For essential entities, fines can reach 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent of worldwide turnover. Turnover-based penalties of this kind will be familiar to anyone who has dealt with GDPR, and the parallel is deliberate: the EU has learned that fines calculated as a percentage of global revenue concentrate attention in a way that fixed sums never did.
Beyond fines, supervisory authorities can issue binding instructions, conduct audits and inspections, and publish enforcement decisions. For essential entities, the powers reach further still, extending in extreme cases to the temporary suspension of certifications and even a temporary ban on individuals holding management roles. A regulator comparing non-compliance to a tax obligation captured the spirit precisely: an organisation does not get to decide for itself whether the rules apply.
The Netherlands: A Case Study in Timing
The Dutch experience illustrates how uneven this rollout has been, and it is directly relevant to any business hosting in the country.
The Netherlands, like most member states, missed the October 2024 deadline. For much of 2025 and into 2026, the country operated under its older NIS1-based framework while the replacement worked through parliament. Then, on 7 July 2026, the Dutch Senate adopted the Cybersecurity Act, the Cyberbeveiligingswet, which transposes NIS2 into national law. According to the law firm Bird & Bird, the Act enters into force on 15 August 2026, and it arrives without a grace period. Organisations in scope are expected to comply from day one.
The timing produced a striking irony. The European Commission had been pursuing the Netherlands, among other members, for its delay. The Dutch resolution arrived just as that pressure peaked, transforming the country in a matter of weeks from a laggard into one of the states with a clear, enacted framework in place.
For a business hosting its infrastructure in the Netherlands, the practical consequence is favourable. The jurisdiction now has a settled, published implementation of NIS2 rather than the uncertainty that lingers in states still mid-transposition. The rules are knowable, which is itself a form of stability.
Where Infrastructure Fits, and Where It Does Not
This is the section most articles on the subject avoid, because it is easier to imply that the right server solves the problem. It does not, and being honest about that is more useful.
Why No Server Delivers Compliance
NIS2 is a management framework. Its heart is risk assessment, governance, accountability, incident response, and continuous improvement. No piece of hardware delivers those. An organisation with the finest infrastructure in Europe and no risk-management programme is not compliant, and one with a rigorous programme running on modest infrastructure may well be.
What Infrastructure Genuinely Contribute
What infrastructure does is provide the foundation on which several of the Article 21 measures rest. Access control, encryption, network security, and business continuity all run somewhere, and the properties of the underlying server shape how well they perform. Full root access allows an organisation to configure security controls to its own policy rather than a provider’s defaults. Single tenancy on bare metal removes the shared-tenancy risks that complicate isolation. Hosting within the European Union simplifies the data residency questions that intersect with both NIS2 and GDPR.
But these are enabling conditions, not compliance itself. The honest formulation is this: good infrastructure makes compliance achievable and removes obstacles from the path. It does not walk the path. That work, the assessment, the policies, the training, the reporting procedures, belongs to the organisation, and no provider can take it on for you.
If a hosting company tells you its servers make you NIS2 compliant, that is the clearest possible signal to be sceptical of everything else it claims.
European infrastructure, in a clear jurisdiction
Swify operates dedicated servers from a Netherlands data centre connected to AMS-IX, with full root access, GDPR data residency by default, and enterprise SSD storage. Infrastructure you control is one part of a security programme, and we give you the control to build on. From €120/month.
→ Explore Swify Dedicated ServersFrequently Asked Questions
What is the NIS2 Directive in simple terms?
The NIS2 Directive is a European Union law that requires organisations in critical sectors to manage cybersecurity risk properly and to report significant incidents quickly. Formally Directive (EU) 2022/2555, it replaced an earlier 2016 directive, widened the range of covered sectors, and introduced serious penalties, including fines tied to global turnover and personal accountability for company directors.
Each EU member state writes NIS2 into its own national law, so the exact rules and enforcement vary by country while the core obligations stay consistent. Read Dedicated Servers and GDPR: What You Need to Know for how another major EU regulation interacts with hosting choices.
Who has to comply with NIS2?
An organisation must comply with NIS2 when it meets three conditions together: it operates in a sector listed in the directive’s annexes, such as energy, transport, health, digital infrastructure, or manufacturing; it is a medium or large enterprise; and it provides services in the EU. Medium means at least 50 employees or over 10 million euros in turnover. Large means over 250 employees or turnover above 50 million euros.
Organisations below these thresholds are generally excluded, though some critical service providers are covered regardless of size. The directive sorts those in scope into essential and important entities, a distinction that mainly affects how strictly they are supervised. Read What Is Server Hardening? for the technical groundwork any covered organisation will need.
When does NIS2 take effect?
NIS2 had an EU transposition deadline of 17 October 2024, by which each member state was meant to have written it into national law. Most missed that deadline, so the effective date varies by country. The Netherlands, for example, adopted its Cybersecurity Act in July 2026, with entry into force on 15 August 2026 and no grace period for organisations in scope.
Because the timeline differs across the EU, an organisation must check the status in each country where it operates. Hosting in a jurisdiction that has already completed transposition offers a more settled legal picture. Read Dedicated Server Netherlands for what hosting in the country involves.
What are the penalties for NIS2 non-compliance?
For essential entities, NIS2 penalties reach up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent of worldwide turnover. Beyond fines, regulators can issue binding instructions, conduct audits, publish enforcement decisions, and, for essential entities, even suspend certifications or temporarily bar individuals from management roles.
Notably, company directors can be held personally accountable, with some national laws allowing fines levied directly on board members. The turnover-based structure mirrors GDPR, which has proven how effective percentage-of-revenue penalties are at focusing attention. Read Understanding Server Uptime, SLAs, and Reliability Metrics for how availability commitments relate to continuity obligations.
Does hosting on a dedicated server make me NIS2 compliant?
No. No hosting product, dedicated server included, makes an organisation NIS2 compliant. Compliance is a management programme built on risk assessment, governance, incident response, and continuous improvement, none of which hardware provides. Any provider claiming its servers deliver NIS2 compliance is misrepresenting how the directive works.
What good infrastructure does is enable several of the required security measures. Full root access, single tenancy, and EU data residency make controls like access management, encryption, and network security easier to implement correctly, but implementing them remains the organisation’s responsibility. Read How Dedicated Servers Improve Data Security for what infrastructure genuinely contributes.
How is NIS2 different from GDPR?
GDPR governs the protection of personal data: how it is collected, processed, and transferred. NIS2 governs the cybersecurity and resilience of networks and information systems in critical sectors. GDPR protects individuals’ privacy; NIS2 protects the continuity and security of services that society and the economy depend on. An organisation can easily fall under both.
The two share a family resemblance in enforcement, using turnover-based fines to compel attention, and they intersect on measures like encryption and access control. Hosting within the EU simplifies obligations under both at once. Read Dedicated Servers and GDPR: What You Need to Know for the data protection side of the picture.

