Trends | 2025-12-20 | 9 min read

NIS2 Directive 2025: What It Means for Infrastructure Hardening Across the EU

Understand how the EU NIS2 Directive impacts infrastructure hardening requirements and what continuous CIS benchmark compliance means for covered entities.


The Network and Information Security Directive 2 (NIS2) represents the most significant expansion of cybersecurity obligations in the European Union's history. Replacing the original NIS Directive from 2016, NIS2 dramatically broadens the scope of entities required to implement robust cybersecurity measures, introduces personal liability for management bodies, and establishes harmonized penalties across member states.

For IT security teams, the practical question is concrete: what do we actually need to change in our infrastructure to comply? This article examines NIS2's technical requirements through the lens of infrastructure hardening and CIS benchmark compliance, providing a clear-eyed assessment of what the directive demands and how established hardening frameworks help satisfy those demands.

NIS2: Scope and Timeline

Who Is Covered

The original NIS Directive applied to a limited set of "operators of essential services" (OES) and "digital service providers" (DSP). NIS2 replaces these categories with two broader groups:

Essential Entities (higher obligations):

Energy (electricity, oil, gas, hydrogen, district heating)

Transport (air, rail, water, road)

Banking and financial market infrastructure

Health (hospitals, laboratories, pharmaceuticals, medical device manufacturers)

Drinking water and wastewater

Digital infrastructure (IXPs, DNS, TLD registries, cloud providers, data centers, CDNs)

ICT service management (managed service providers, managed security service providers)

Public administration (central government, regional entities at discretion of member states)

Space

Important Entities (lower tier but still significant obligations):

Postal and courier services

Waste management

Chemical manufacturing and distribution

Food production and distribution

Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)

Digital providers (online marketplaces, search engines, social networking)

Research organizations

Size Thresholds

NIS2 applies to organizations with 50+ employees or EUR 10 million+ annual turnover in covered sectors. Some entities (e.g., DNS providers, TLD registries, sole providers of essential services) are covered regardless of size.

Enforcement Timeline

Member states were required to transpose NIS2 into national law by October 17, 2024. While transposition timelines have varied, enforcement is now active across the EU. Organizations that have not yet begun compliance programs face near-term regulatory risk.

Technical Requirements Relevant to Infrastructure Hardening

NIS2 Article 21 establishes the core cybersecurity risk management measures that both essential and important entities must implement. Several directly implicate system hardening:

Article 21(2)(a): Risk Analysis and Information System Security Policies

Entities must adopt policies on risk analysis and information system security. This requires:

Documented security baselines for all system types in the environment

Risk-based approach to determining appropriate security configurations

Regular review and update of security policies as threats evolve

CIS benchmark connection: CIS benchmarks provide the specific, auditable security baselines that this requirement demands. Rather than defining custom configuration standards (which requires deep expertise and ongoing maintenance), organizations can adopt CIS benchmarks as their documented security baseline and reference them in their information security policy.

Article 21(2)(d): Supply Chain Security

NIS2 requires entities to address cybersecurity in their supply chain relationships, including security aspects of the relationship between the entity and its direct suppliers.

CIS benchmark connection: Requiring suppliers and service providers to demonstrate CIS benchmark compliance on systems that process your data provides a measurable, verifiable supply chain security requirement. This is far more effective than vague contractual language about "maintaining appropriate security measures."

Article 21(2)(e): Security in Network and Information Systems Acquisition, Development, and Maintenance

This covers vulnerability handling and disclosure, as well as security throughout the system lifecycle from acquisition through decommissioning.

CIS benchmark connection: CIS benchmarks cover initial system hardening (acquisition/deployment phase), ongoing configuration management (maintenance phase), and specific controls for vulnerability management. Implementing CIS benchmarks across the system lifecycle directly satisfies this requirement.

Article 21(2)(g): Basic Cyber Hygiene Practices and Cybersecurity Training

NIS2 explicitly requires basic cyber hygiene practices. The European Union Agency for Cybersecurity (ENISA) guidance identifies system hardening as a fundamental cyber hygiene measure.

CIS benchmark connection: CIS Level 1 benchmarks are explicitly designed as baseline security hygiene configurations that should be applied to all systems. This is the clearest alignment between NIS2 requirements and CIS benchmark implementation.

Article 21(2)(h): Policies and Procedures Regarding the Use of Cryptography and Encryption

Entities must implement policies on the use of cryptography and, where appropriate, encryption.

CIS benchmark connection: CIS benchmarks for all major platforms include extensive cryptography controls -- TLS configuration, cipher suite selection, certificate management, encryption at rest, and key management. These controls provide the technical implementation of cryptography policies required by NIS2.

Article 21(2)(i): Human Resources Security, Access Control, and Asset Management

This requirement covers access control policies and asset management -- fundamental security domains that CIS benchmarks address comprehensively.

CIS benchmark connection: CIS benchmarks include controls for:

User account management and privilege restriction

Password policies and authentication mechanisms

Service account hardening

Administrative access controls

Asset inventory (through the lens of configuration management)

Penalties and Management Liability

NIS2 introduces penalties that demand attention at the board level:

Essential entities:

Administrative fines up to EUR 10 million or 2% of global annual turnover (whichever is higher)

Important entities:

Administrative fines up to EUR 7 million or 1.4% of global annual turnover (whichever is higher)

Management body liability (Article 20):

Member states must ensure that management bodies of essential and important entities approve cybersecurity risk management measures and oversee their implementation

Management bodies can be held personally liable for infringements

Management bodies must undergo cybersecurity training

This personal liability provision changes the dynamics significantly. CISOs who previously struggled to get board attention for infrastructure hardening programs now have a direct lever: NIS2 makes the board personally responsible for ensuring adequate cybersecurity measures are in place.

Building a NIS2-Compliant Hardening Program

Step 1: Determine Your Classification

Identify whether your organization falls under essential or important entity classification. This determines your obligation level, supervisory regime (ex-ante for essential, ex-post for important), and penalty exposure.

Step 2: Asset Inventory and Scope Definition

NIS2 applies to network and information systems used for the provision of services covered by the directive. This means:

Map all IT assets that support covered services

Include on-premises servers, cloud infrastructure, containers, and managed services

Document the operating systems, platforms, and technologies in use

Identify which CIS benchmarks apply to each asset category

Step 3: Adopt CIS Benchmarks as Your Security Baseline

For each platform in your environment, select the appropriate CIS benchmark and profile:

CIS Level 1: Minimum baseline for all systems supporting NIS2-covered services. These controls are designed to be implementable without significant operational impact.

CIS Level 2: Apply to systems processing sensitive data or providing critical functions. Level 2 controls provide stronger security but may require more careful implementation planning.

Document this selection in your information security policy (satisfying Article 21(2)(a)).

Step 4: Implement Continuous Assessment

NIS2 does not use the word "continuous" explicitly for technical controls, but the directive's emphasis on risk management and the supervisory authority's ability to conduct ad-hoc audits means you must be able to demonstrate compliance at any point in time -- not just during scheduled assessments.

Continuous or frequent automated scanning provides:

Always-current compliance evidence for supervisory authorities

Drift detection that catches configuration changes before they become audit findings

Trend data demonstrating ongoing security management (not just periodic snapshots)

Step 5: Implement Framework Mapping

NIS2 compliance does not exist in isolation. Most organizations subject to NIS2 also need to comply with:

GDPR (data protection)

ISO 27001 (information security management)

SOC 2 (if serving as a service provider)

Sector-specific regulations (e.g., DORA for financial services, EHDS for healthcare)

CIS benchmark controls map to controls in these frameworks, enabling unified compliance management. A single control implementation can satisfy requirements across multiple frameworks simultaneously.

Step 6: Document and Report

NIS2 requires entities to:

Notify significant incidents to the CSIRT within 24 hours (early warning), 72 hours (full notification), and one month (final report)

Report on cybersecurity risk management measures upon request from supervisory authorities

Cooperate with supervisory authorities during inspections and audits

Your hardening program must produce evidence that supports these obligations:

Compliance dashboards showing current and historical posture

Per-system audit trails showing scan results and remediation actions

Exception registers documenting accepted risks with business justifications

Incident investigation data showing system configuration state at the time of security events
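As an added example (not code from this article or from CISGuard), a minimal Python assessment loop in the shape Steps 4 and 6 describe: it evaluates a few constructed CIS-style sshd_config checks, records each result as an audit-trail entry tagged with the Article 21(2) point it evidences, applies an exception register for accepted risks, and reports drift between two scans of the same host. The control IDs, expected values and exception text are assumptions constructed for the example, not CIS's own numbering.

```python
# Constructed CIS-style checks: sshd_config key -> expected value, plus the NIS2
# Article 21(2) point each one evidences. Control IDs are placeholders, not CIS numbering.
CHECKS = {
    "EX-1": ("PermitRootLogin", "no", "Art.21(2)(i) access control"),
    "EX-2": ("PasswordAuthentication", "no", "Art.21(2)(i) access control"),
    "EX-3": ("Ciphers", "aes256-gcm@openssh.com", "Art.21(2)(h) cryptography"),
}

def parse_sshd_config(text):
    """Return key -> value from sshd_config text; like sshd, the first occurrence wins."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        cfg.setdefault(parts[0], parts[1] if len(parts) > 1 else "")
    return cfg

def assess(host, config_text, exceptions, scanned_at):
    """Evaluate every check for one host; each record is an audit-trail entry.
    A failing control present in the exception register is reported as
    'accepted-risk' with its justification rather than as a plain 'fail'."""
    cfg = parse_sshd_config(config_text)
    records = []
    for cid, (key, expected, maps_to) in CHECKS.items():
        actual = cfg.get(key)
        status = "pass" if actual == expected else ("accepted-risk" if cid in exceptions else "fail")
        records.append({"host": host, "control": cid, "key": key, "expected": expected,
                        "actual": actual, "status": status, "maps_to": maps_to,
                        "justification": exceptions.get(cid), "scanned_at": scanned_at})
    return records

def drift(previous, current):
    """Controls whose status changed between two scans of the same host."""
    before = {r["control"]: r["status"] for r in previous}
    return [(r["control"], before.get(r["control"]), r["status"])
            for r in current if before.get(r["control"]) != r["status"]]

# Constructed sample: a compliant baseline, then a later scan after someone re-enabled root login.
EXCEPTIONS = {"EX-3": "legacy appliance needs CBC ciphers; risk accepted by CISO, review 2026-03"}
BASELINE = "# constructed sshd_config\nPermitRootLogin no\nPasswordAuthentication no\nCiphers aes256-cbc\n"
DRIFTED = BASELINE.replace("PermitRootLogin no", "PermitRootLogin yes")
SCAN0 = assess("srv-01", BASELINE, EXCEPTIONS, "2025-01-01T00:00:00Z")
SCAN1 = assess("srv-01", DRIFTED, EXCEPTIONS, "2025-01-02T00:00:00Z")

if __name__ == "__main__":
    for r in SCAN1:
        print(r["control"], r["status"], r["maps_to"], r["justification"] or "")
    print("drift since baseline:", drift(SCAN0, SCAN1))  # [('EX-1', 'pass', 'fail')]
```

Each record carries the host, timestamp, expected and actual values and the framework reference, which is the per-system evidence a supervisory authority can ask for at any point; the drift list is what a scheduled-only assessment would have missed until the next cycle.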

Member State Variations to Monitor

While NIS2 establishes a harmonized baseline, member state transposition introduces variations:

Germany (BSI): Has historically been aggressive on critical infrastructure security through IT-Sicherheitsgesetz 2.0. Expect German transposition to include additional technical requirements beyond NIS2 minimum.

France (ANSSI): ANSSI's existing framework for Operators of Vital Importance (OIV) is well-established. French transposition integrates NIS2 with existing OIV obligations.

Netherlands: The Dutch transposition (Cyberbeveiligingswet) closely follows the NIS2 text with limited national additions.

Italy (ACN): Italy's transposition through Legislative Decree 138/2024 introduced a phased registration requirement and specific incident notification procedures.

Organizations operating across multiple member states must track these variations and comply with the most stringent applicable requirements.

Common Misconceptions About NIS2 and Hardening

"NIS2 is just about incident reporting."

Incident notification is the most visible obligation, but Article 21's risk management measures (including system hardening) are the substantive compliance requirements. Supervisory authorities will assess whether you had appropriate measures in place to prevent incidents, not just report them.

"We are ISO 27001 certified, so we are NIS2 compliant."

ISO 27001 certification demonstrates a management system for information security, but NIS2 requires specific technical measures that ISO 27001 addresses at a higher level. CIS benchmark compliance provides the technical implementation detail that bridges this gap.

"NIS2 only applies to critical infrastructure."

The expansion to "important entities" brings manufacturing, food production, waste management, and other sectors under scope. The EUR 10 million turnover / 50 employee threshold captures thousands of mid-market companies that have never been subject to cybersecurity regulation.

"We have until the next audit cycle to comply."

NIS2 obligations are effective now in transposed member states. Supervisory authorities can conduct ad-hoc audits of essential entities. Waiting for the next scheduled audit cycle is not a compliance strategy.

Actionable Takeaways

1. Determine your NIS2 classification immediately -- essential vs. important entity status determines your obligations, supervisory regime, and penalty exposure.

2. Adopt CIS benchmarks as your Article 21 security baseline -- they provide the documented, auditable technical controls that NIS2 requires.

3. Implement continuous compliance assessment -- NIS2 supervisory authorities can audit at any time; periodic assessments create evidence gaps.

4. Brief your management body -- Article 20 makes them personally liable for cybersecurity oversight, and they must undergo training.

5. Map CIS controls to all applicable frameworks -- NIS2, ISO 27001, GDPR, and sector-specific regulations overlap significantly; unified mapping reduces duplication.

CISGuard supports organizations across the EU and Middle East in implementing continuous CIS benchmark compliance across 22 benchmarks and 3,910+ controls. Its built-in mapping to NIST 800-53, ISO 27001, and SOC 2 simplifies multi-framework compliance for NIS2-regulated entities. With fully on-premises deployment and no cloud dependencies, it meets the data sovereignty expectations of European regulators. Explore how CISGuard maps to your NIS2 obligations.

CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.
