Why Did the EU Repeal NIS 1, and What Changes for Your Organisation Now?
The repeal of the first Network and Information Security Directive (NIS 1) marks far more than an administrative cleanup: it is the clearest signal yet that the European Union is shifting from a patchwork of national cyber rules to a single, rigorous framework built for resilience and tough scrutiny. For organisations once able to “do the minimum” or point to inconsistent country rules, that era is definitively over.
Repealing yesterday's cyber laws clears space for tomorrow's resilience: compliance is now proactive, not passive.
Why Now? NIS 1’s Shortcomings and What NIS 2 Demands
NIS 1 suffered from vague boundaries, variable enforcement, and critical scope gaps. Each country could (and did) define who was in and who was out. Many organisations simply went undetected or could check the box with superficial measures. Auditors found it hard to compare security maturity or coordinate remedies across borders. Non-EU service providers evaded oversight entirely. Meanwhile, cyber threats (ransomware, supply chain breaches, tampering with critical systems) accelerated to become not just IT problems but true business and even national security threats.
NIS 2 is an engineered response. Its expanded scope sweeps in sectors ignored by NIS 1: SaaS providers, managed service providers (MSPs), digital infrastructure, and a longer tail of “important” entities, regardless of location or ownership. It locks in minimum controls by law, demands auditable evidence for every claim, and, critically, puts responsibility for failures not just on corporate entities but personally on directors and executives. Complying is no longer about avoiding fines; it is about earning trust through demonstrated, documented, board-level resilience (ENISA 2023).
| **Expectation** | **NIS 1 Practice** | **NIS 2 Operationalisation** | **ISO 27001 / NIS2 Ref** |
|---|---|---|---|
| Scope & Applicability | Fragmented definitions | Precise sector/size thresholds, pan-EU effect | NIS2 Art 2–3; ISO 27001 clause 4.3 |
| Supply Chain Coverage | Poor, direct only | Full: includes MSPs, SaaS, cloud | NIS2 Art 21, 23; ISO 27001 A.5.19–21 |
| Incident Reporting | Unclear, slow | 24h early warning, 72h disclosure | NIS2 Art 23; ISO 27035 |
| Board Accountability | Corporate only | Personal, with documented training | NIS2 Art 20; ISO 27001 5.1, 7.2 |
| Enforcement | Variable, inconsistent | Doubled fines, transparent inspections | NIS2 Art 33–36; ISO 27001 10.1–2 |
In short: what sufficed under NIS 1 is now obsolete. Moving forward means realigning systems, policies, evidence, and leadership so they stand up to sector-agnostic scrutiny across the whole EU.
Article 44 in Action: The Legal Switch Date and Its Consequences
October 18, 2024, is not simply another compliance deadline: it is the day that NIS 1 vanishes from every statute book in every EU country, making way for the full and unqualified application of NIS 2 (EUR-Lex 2024). There is no “phasing in,” no sector carve-outs, and no “wait and see”; every organisation now in scope must conform, regardless of sector, size, or geography.
On the switch date, compliance becomes non-negotiable: every organisation moves in lock-step or risks being left behind.
Key Transition Realities
- No half-measures: As of October 18, partial, “good enough” compliance is gone. All entities previously covered by NIS 1 must meet NIS 2 requirements, as must all newly covered organisations.
- “Credit” for legacy controls: Organisations that aligned their security to NIS 1 can map existing measures to NIS 2 where there are commonalities, but every gap must be filled, and all new requirements, especially around supply chain and board engagement, are mandatory.
- Unified enforcement: Regulatory scrutiny, reporting, and fines are now harmonised. Multinationals will finally escape contradictory local rules, but only if every legal entity can present real, documented compliance (CMS Law).
- Immediate risk: Ignoring these changes is not a delay tactic; it is a self-inflicted risk event. Regulators are directed to prioritise inspections and penalties on those slow to act (ENISA 2024).
Survival Kit for Transition
- Appoint a cross-functional transition lead, your “NIS 2 champion.”
- Audit your current controls against every single NIS 2 clause; document what maps, what doesn't, and what needs attention.
- Prepare clear communication to directors, suppliers, and staff on the planned changes and new expectations.
- Set up a pre-switch “war room” with all key stakeholders and vendors; gap remediation is a team sport now.
- Treat migration like a critical incident; rehearsals and test-runs are how you prevent being caught out in October.
A compliance checklist means nothing unless you can show your work: real logs, approvals, and an evidence trail all count.
Organisational Impact: Bridging Legacy Controls Into the NIS 2 Era
While legacy controls and policies shouldn't be thrown out, they're no longer enough. NIS 2's demand for auditable, evidence-backed security means historic “tick-box” approaches (minimal policy statements, static risk assessments, generic playbooks) now risk being red flags in real inspections (Fieldfisher). Every Statement of Applicability (SoA) and control becomes an active, living artefact, reviewed and updated as your risk surface shifts.
Compliance not documented is compliance forgotten: if you can't prove it, it doesn't exist.
Essential Control & Practice Upgrades for NIS 2
- Reporting: The clock starts ticking the moment an incident is detected. Early warnings must hit the 24-hour mark, with full disclosures inside 72 hours; no extensions, no local grace (DLA Piper).
- Supply Chain Risk: Vendors, MSPs, even consultants now fall within your duties. Contracts and ongoing reviews must prove diligence, not just trust (K&L Gates).
- Board Engagement: No policy can be entrusted solely to technologists. Board-level review, training, and decision logs are essential (TechNative).
- Wider Scope: If your entity, supply chain, or digital footprint has changed since your last audit, it’s time to review your SoA for coverage (Twilio).
| **Trigger** | **Risk Update** | **Control / SoA Link** | **Evidence Logged** |
|---|---|---|---|
| New reporting deadlines | Incident escalation process | ISO 27035 / NIS2 Art 23 | Incident log, playbook |
| Additional suppliers in | Supplier risk terms, due diligence | ISO 27001 A.5.21 / NIS2 Art 21 | Supplier contracts, assessments |
| Board liability expanded | Board cyber policy, minutes | ISO 27001 5.1, 7.2 / NIS2 Art 20 | Board minutes, training |
| Reclassification of service | SoA update (size/scope) | ISO 27001 4.3 / NIS2 Art 2–3 | Revised SoA, audit log |
Immediate Actions: Map every legacy policy and control against NIS 2 and document all evidence and decisions. Use this mapping to guide board briefings and remediation projects; preparation is now how you prove assurance.
What Boards and Executives Must Prove Under NIS 2
Gone are the days when cyber-security was “outsourced” to IT or infosec: directors and executives now bear personal accountability for cyber resilience. Regulators expect documented engagement and board approval for every major risk, incident response plan, and strategic security direction (White & Case).
Cyber risk is now a director's risk; board records, training, and personal oversight are the compliance proof.
Board Responsibilities Defined
- Annual (or more frequent) cyber risk reviews, board approved and minuted.
- Mandatory, role-specific ongoing training, fully logged and evidenced.
- Incident escalation logs showing chain of command, decisions made, and actions taken.
- Scenario testing and post-incident reviews, embedded in board and management cycles.
| **Director Action** | **Evidence Required** |
|---|---|
| Cyber risk review/approval | Board meeting minutes, signed SoA |
| Training & awareness | Attendance logs/certificates |
| Incident management oversight | Incident log, escalation record |
| Post-incident actions | Management review, corrective logs |
Quick-Check: Can your board demonstrate engagement in the last 12 months, with sign-offs, incident logs, and scenario test results to prove it? If not, you're exposed.
Harmonisation With GDPR, DORA, and Sector Laws: One Framework to Rule
Repealing NIS 1 is as much about harmonisation as it is about raising the bar. In practice, this means NIS 2 is now “anchored” to privacy (GDPR), financial resilience (DORA), and sectoral rules, so reports, risk processes, and board records feed into every compliance framework you touch (IAPP; Deloitte).
You want one truth across compliance, not three flavours of the same risk.
| **Context** | **NIS 2 Bridge** | **Overlay Law** | **Risk Focus** | **Reference** |
|---|---|---|---|---|
| Data Privacy | Incident reporting | GDPR | Notification compliance | NIS2 Art 23 / GDPR Art 33 |
| Financial Sector | Resilience baseline | DORA | Ops risk + vendor audit | DORA / NIS2 Art 4 |
| General Security | Minimum controls | ISO 27001/NIST | Risk & audit management | ISO 27001, NIST CSF |
ENISA's Role: ENISA will define audit norms, crisis simulation, and sector-specific best practice. Organisations should monitor ENISA advisories for policy, toolkit, and peer review updates (ENISA).
Enforcement and Inspection: What NIS 2 Brings That NIS 1 Didn’t
Punishments are now harmonised and harsher: fines up to €10 million or 2% of global turnover, with public reporting of major breaches and enforcement actions (Norton Rose Fulbright). Inspections will target real evidence over paperwork: live incident logs, board training records, supply chain audits.
Transparency is the new compliance currency: being ready for enforcement is being ready for market scrutiny.
Common Enforcement Triggers
- Missed incident reporting deadlines.
- Untrained directors.
- Supply chain breaches without diligence records.
- Repeat noncompliance from NIS 1 era.
| **Trigger Event** | **Potential Penalty/Escalation** | **Evidence to Present** |
|---|---|---|
| Slow incident report | Fines, public notice | 24/72h incident log, escalation trail |
| Board missed training | Targeted investigation, D&O scrutiny | Training logs, certificates, sign-in sheets |
| Vendor breach | Audit, possible sanction | Third-party contracts, due diligence checks |
| Prior non-compliance | Higher inspection frequency | Remediation records, action plans |
Set quarterly internal checks: test incident notifications, review supply chain documentation, and rehearse board engagement events before they're required. The organisations best at self-diagnosis will always be hardest to surprise.
Turn the NIS 1 Repeal Into Your Board-Level Advantage
Cyber-security compliance now creates competitive edge, not just peace of mind. Investors, ESG ratings, deal partners, and regulators all link documented resilience to decision making (Accenture). Boards that make NIS 2 part of their operating systems, not just annual reviews, build “resilience capital” and win trust beyond compliance.
The new breed of leaders treat compliance not as a cost but as evidence of control, trustworthiness, and agility.
Levers to Create Advantage
- MTTR (Mean Time to Respond): Documented playbooks, live logs, and pre-tested plans mean no scrambling mid-crisis and fast audits.
- Audit closure speed: Fast, auditable evidence gives confidence to insurers, regulators, and buyers.
- Staff upskilling and recognition: Resilience is about teams, not tools. Regular scenario drills, recognition of performance, and transparent communication create a culture that goes beyond box-checking.
Be prepared to showcase compliance in board decks and ESG reviews, and leverage your operational discipline as proof of value to stakeholders.
Streamline Your Transition: The ISMS.online Platform Edge
The Article 44 repeal is not just a cue to update paperwork; it demands a living compliance system. ISMS.online is purpose-built to help organisations map old controls to new requirements, document every step, and operate with evidence that's always ready for inspection or board review.
Every control built under NIS 1 is a stepping stone, not an anchor. Resilience comes from showing, not claiming, your readiness.
ISMS.online’s Role in the NIS 1 to NIS 2 Leap
- Automated Framework Mapping: Map legacy controls to NIS 2, flag gaps instantly, and prevent wasted investment.
- Policy Pack Integration: Unlock ISO-harmonised controls, supply chain vendor toolkit, and incident response playbooks right away for new obligations.
- Evidence and Dashboarding: Real-time dashboards, export-ready reports, and role-based access empower managers, auditors, and boards to see compliance as it happens.
- SoA Traceability: Every policy/control links to NIS 2 and ISO 27001; for every gap, evidence location and remediation status are visible.
- Ongoing Support: Access expert services, peer communities, and the latest regulatory updates as soon as they land; no waiting for next year's audit.
Board Review Coming Up? Make the repeal of NIS 1 your launchpad, not a setback. Lead your organisation to the next level of resilience and trust, with systems, evidence, and leadership that prove it.
Every audit, every board pack, every incident log is now a signal to the market, to investors, and to regulators that you are in control. Begin your transition with confidence. ISMS.online can help you own your next compliance narrative today.
Frequently Asked Questions
What is the real-world impact of Article 44 of NIS 2 for organisations that were previously “compliant” with NIS 1?
Article 44 of Regulation EU 2024-2690 doesn't just tidy up old rules: it formally repeals NIS 1 and forces a total reset in how compliance is defined, measured, and enforced for digital organisations across the EU. If your organisation built its security posture, audits, or contracts around NIS 1, you are now accountable at a higher, broader, and more aggressively enforced standard. The old “NIS 1 compliance” badge is now obsolete: every board, DPO, IT lead, and compliance head must prove readiness under NIS 2 from the day Article 44 takes effect.
Where NIS 1 targeted essential operators and left gaps in scope and accountability, NIS 2 expands blanket coverage to nearly all mid–large digital organisations, injects hard board-level liability, and directly harmonises fines and audit procedures EU-wide (ENISA NIS2 Guidance, 2023). Instead of periodic, tick-box reviews, expect continual scrutiny and real-time compliance proof: “audit as the new normal.” Your previous self-assessments, incident drills, and risk registers must be re-cast in NIS 2's playbook and terminology, with fresh board sign-off and supplier mapping.
Compliance isn't yesterday's paperwork; it's now a live contract with regulators and your board.
NIS 1 vs NIS 2: Compliance Reset Table
| Scope | NIS 1 (Repealed) | NIS 2 (Now in Force) |
|---|---|---|
| Covered Entities | Limited, sectoral | Nearly all digital organisations |
| Board Liability | Weak, indirect | Explicit, personal, direct |
| Enforcement | Fragmented, national | Harmonised, larger fines |
| Supply Chain Duties | Implicit, sector-specific | Explicit, central to compliance |
| Incident Reporting | 72h, generic | 24h initial notice, granular detail |
| Audit Baseline | Minimal, periodic | Continuous, exportable, traceable |
How does the end of NIS 1 reshape compliance, audit cycles, and risk accountability?
With Article 44's effect, all legacy compliance programmes are sunsetted overnight; “grandfathering” is dead. Supervisory authorities, auditors, and even insurers now measure every control, policy, and decision against the live language and obligations of NIS 2. Evidence that covered you last year may now be a liability if it isn't traceably mapped to new requirements. Board meeting minutes, Statements of Applicability (SoA), and risk maps must be updated in substance and format; incident registers and supply chain logs need to be NIS 2-ready for instant query.
No organisation can rely on legacy audit cycles; “static compliance windows” are closed. Instead, your teams will need to operate under continuous oversight, granular post-incident reporting, and board-level sign-off on everything from incident rehearsals to risk methodology (EU Transitional Guidance, 2024).
Your compliance narrative isn’t annual. It’s always-on; defensibility is your only safe default.
Compliance Traceability Table: Post–Article 44
| Trigger/Event | Risk or Process Updated | NIS 2 Article(s) | Evidence to Log |
|---|---|---|---|
| NIS 1 repeal recognised | Gap analysis, board review | Arts. 20, 21, 23 | Board update, risk register |
| Annual review scheduled | Revised SoA, controls check | Arts. 21, 23; ISO A.15 | Revised SoA, supply chain logs |
| Incident simulation held | Incident plan and reporting | Art. 23, ISO A.17 | Playbook, drill logs, debrief |
| Supply chain mapping | Supplier SLAs updated | Arts. 21, 23; ISO A.15 | Contract annexes, notification evidence |
What new legal, operational, and cyber risks will organisations now face under NIS 2?
After Article 44, the “complacency buffer” is gone. Any delay or misinterpretation now creates enforceable legal risks for the organisation and direct liability for senior management and the board. Over half of companies previously outside the regime are now in scope, according to DLA Piper’s NIS 2 Enforcement Brief, 2024. The threat matrix expands:
- Personal liability: Directors and officers are on the hook for oversight and real-time accountability. Fines hit up to €10m or 2% of global turnover.
- Supply chain exposure: Vendors, contractors, and third parties now create secondary risk; if they default, your organisation is exposed.
- Insurance disputes: D&O and cyber liability insurers may deny claims if NIS 2 standards aren't shown in evidence (Marsh D&O Insights, 2023).
- Operational & reputational fallout: Failing to update evidence can stop contracts or trigger regulatory fines and public breach notifications.
The audit shield now covers only those who are proactive; every board, IT chief, and compliance lead must shift from paperwork to active, live risk reduction.
Key Risk Response Moves:
- Urgently rescore the risk landscape for NIS 2 scope, especially supply chain, board, and business continuity exposures.
- Revisit insurance and contract terms: ensure they explicitly match new legal definitions.
- Preempt future claims by documenting new controls and training at every level.
What concrete steps must compliance, IT, and legal teams take to align controls and contracts with NIS 2?
Every team must start by re-mapping existing controls, contracts, and evidence to NIS 2's articles, annexes, and new terminology, especially those involving risk, incident, supply chain, and governance. This is best achieved by adopting clause libraries, contract schedules, and workflow tools mapped to each legal requirement. In practice, that means:
- IT and InfoSec: implement new incident reporting workflows (24h notice windows), update the SoA and risk registers with NIS 2 references, and extend supplier monitoring to cloud and digital services.
- Compliance and Legal: draft or amend contracts to mandate vendor and partner NIS 2 compliance (including breach notifications), ensure role-based evidence export, and keep “living” indices for audits.
- Procurement: formalise supplier validation, triggers, and penalties for late notification or risk non-compliance.
ENISA, in its 2024 sectoral assessment, notes organisations leveraging ISMS platforms with live audit controls, automated versioning, and exportable proof are 80% more likely to pass a first-cycle NIS 2 audit (ENISA, 2024).
ISO 27001/NIS 2 Implementation Bridge Table
| Compliance Expectation | Example Control / Practice | NIS 2/ISO Ref |
|---|---|---|
| Supplier NIS 2 adherence | Contract addendum (24h breach, audit) | NIS 2 Arts. 21, 23; ISO A.15 |
| Incident Response | Automated 24/72h notice, training logs | NIS 2 Art. 23; ISO A.17 |
| Board oversight | Annual ISMS review, minutes, D&O brief | NIS 2 Arts. 20, 21; ISO 5.2 |
| Exportable evidence | Role/versioned logs, SoA by date/control | NIS 2, ISMS.online |
What are the legal, regulatory, and insurance consequences for failing to act on Article 44?
Non-compliance after NIS 1’s repeal means exposure on three fronts:
- Regulator action: EU-wide, authorities are now empowered to coordinate investigations, demand public disclosures, and impose heavy fines or temporary bans on vendors.
- Insurance ineligibility: Both D&O and cyber insurance may be voided if organisations cannot provide live, NIS 2-aligned evidence for incident management and compliance oversight.
- Reputational/operational harm: Missed or incomplete reporting can result in cancelled supplier/customer contracts and create grounds for investor or shareholder action.
Being ‘nearly compliant’ is the new weakest link: regulatory and insurance scrutiny now demands defensible, not just documented, proof.
Board and Leadership Oversight Audit Table
| Governance Trigger | Evidence to Produce | Reference (NIS 2/ISO) | Frequency |
|---|---|---|---|
| Board ISMS review | Minutes, sign-in, SoA update | ISO 27001 9.3, NIS 2 Arts. 20–21 | Annual / Q3 |
| Incident test (fire drill) | Playbook, responses, debrief log | NIS 2 Art. 23, Audit Committee | Quarterly |
| D&O Liability briefing | Attendance log, SoA update | Board pack/renewal docs | Annual |
| Supply chain simulation | Supplier risk analysis, contracts | NIS 2 Arts. 21, 23 / ISO A.15 | Semi-annual |
How can boards and cyber leaders prove oversight and resilience under NIS 2?
Regulators, auditors, and insurers now expect not just “involvement,” but documented board engagement: every ISMS review, incident simulation, and risk management discussion must be formally logged, timestamped, and exportable. D&O and audit committees should schedule and document these governance events, showing “leadership from the front” rather than delegation.
A “pre-approved” audit calendar is your safety net: plan and log management reviews, incident tests, and D&O sessions for the year ahead (see EcoDa Board Guidance, 2024).
| Event Type | Audit Evidence Example | NIS 2 Article / ISO Ref | Timing |
|---|---|---|---|
| ISMS review (board, CISO) | Minutes, SoA, attendance | ISO 27001 9.3; NIS 2 Art. 20 | Annually |
| Incident simulation | Test report, response log | NIS 2 Art. 23 | Quarterly |
| D&O insurance review/briefing | Attendance, SoA update | Board docs | Annually |
| Supply chain risk test | Supplier log, contracts | NIS 2 Arts. 21, 23 | Semi-annual |
Boards that proactively log their involvement are statistically more likely to pass first-cycle audits and preserve liability coverage.
What actionable steps should every organisation take in the first 90 days to transition from NIS 1 to NIS 2, without audit or operational blind spots?
- Trigger a compliance “gap” sprint: Recognise the legal moment, with Article 44 as the enforcement trigger.
- Remap stakeholders and controls: Update role registers, risk maps, and evidence logs for the expanded scope.
- Redraft the Statement of Applicability (SoA): Ensure versioning, board sign-off, and risk references point to NIS 2 articles.
- Run supply chain and incident table-top drills: Document test runs and map evidence to updated obligations.
- Automate evidence workflows: Leverage or deploy an ISMS or compliance platform equipped for versioning, cross-departmental approvals, live reporting, and board-ready exports.
- Schedule and document board-level training, reviews, and simulations: Every engagement needs an audit trail.
Transition isn't a one-off project; switch to perpetual audit readiness and operational certainty.
Sample 90-Day Audit-Ready Checklist
- Stakeholder and asset registers updated for NIS 2
- New SoA approved by Board
- All contracts refreshed for NIS 2 clauses
- Supply chain / backup / training logs referenced to NIS 2
- Incident simulation documented and lessons logged
- Evidence versioning enabled for every policy, control, and board event
How can ISMS.online and similar compliance platforms accelerate and harden NIS 2 transition and ongoing audits?
Leading platforms like ISMS.online turn compliance from “annual dread” into continuous readiness. They automate mapping controls to NIS 2 articles, generate SoA/risk register exports on demand, and link contracts, incidents, and supplier audits to board and regulator KPIs. Role-based dashboards, automated reminders, and traceable logs compress the “MTTR” (mean time to readiness) for every audit, investigation, or board inquiry (https://www.isms.online/nis2-transition-kit/).
Features proven to reduce transition pain:
- Automated evidence versioning and export for every artefact (risk, contract, board review, incident log)
- Role-specific dashboards and KPIs for stakeholders, from practitioner to board
- Ready-made NIS 2–mapped contract clauses and SOA templates
- Link supply chain logs and audit workpapers directly to compliance points
- Audit trail for every training, incident, and engagement
The gold standard is operational resilience: evidence always ready, never an afterthought.
ISMS.online Platform Actions Table
| Transition Gap/Goal | Platform Feature/Action | Audit Outcome Delivered |
|---|---|---|
| Close legacy/NIS 2 compliance gap | Pre-built transition kit, dashboard | Milestones and roles mapped/exported |
| Prove controls at audit | Exportable logs, SoA, risk | Audit defensibility in hours |
| Board compliance visibility | Board pack, role-based dashboard | Compliance minutes/KPIs tracked |
| Supply chain readiness | Embedded supplier attestation | Breach notifications, vendor mapped |
| Staff readiness | Training module integration | Attendance, completion, audit-ready |
Where can organisations find reliable, actionable guides, legal templates, and best-practice playbooks for NIS 2?
Prioritise sources with direct regulatory and case-proven insights:
- ENISA – NIS2 Directive Toolbox & Sector Guides
- European Commission – NIS 2 Official Guidance
- DLA Piper – Legal Enforcement Briefings
- ISMS.online – NIS2 Transition Kit, Peer Examples & Demo
- Marsh – D&O and Cyber Liability Risk Trends
- European Confederation of Directors’ Associations (EcoDa): Board Oversight Guidance
Connecting with these resources gives you ready-to-use legal templates, audit checklists, and operational playbooks that take you from regulatory intent to day-one evidence, faster and with greater certainty.
Make the first move toward NIS 2: turn compliance from catch-up into operational trust. In the post–NIS 1 era, those who prove, not just claim, readiness set the standard for the new digital normal.