What is NIS2?

The Chainguard Team

July 29, 2025

Compliance, AppSec
Key takeaways
  • NIS2 is the European Union’s updated cybersecurity directive, expanding requirements across a wide range of critical and important sectors beyond the original NIS framework.

  • The regulation emphasizes risk management, secure software development, supply chain oversight, and transparent incident reporting, with stricter obligations than previous standards.

  • Non-EU companies operating in or serving the EU may also fall under NIS2, facing penalties of up to €10 million or 2% of global revenue—and executives can be held personally liable.

  • Chainguard helps organizations meet and exceed NIS2 compliance by providing hardened, zero-CVE container images that secure the software supply chain from the start.


As cybersecurity risks and threats evolve, so do the compliance regulations designed to help ensure that organizations are poised to manage them.

A prime example of such change is the Network and Information Security Directive 2 (NIS2), a legal framework that the European Union implemented to enhance cybersecurity across critical sectors of the economy. Although the NIS2 directive builds upon an existing set of standards rather than establishing completely new regulations, NIS2 includes a variety of novel compliance rules, and requires more rigorous cybersecurity controls than the initial version of NIS.

Keep reading for details as we unpack everything businesses need to know about NIS2, including the cybersecurity measures it includes, which organizations need to comply with NIS2 (hint: it’s not just companies based in the EU), and how to update cybersecurity controls and practices to comply with NIS2.

What is the NIS2 directive? 

The NIS2 directive is a European Union regulation that aims to strengthen cybersecurity and resilience capabilities across sectors considered “critical” – such as food production, energy, and finance. The purpose of NIS2 is to help protect businesses in these sectors from cyberattacks, as well as minimize damage and disruptions in the event an incident does occur.

Complying with NIS2 is a legal mandate only for companies that have at least fifty employees and that operate in the EU within a sector of the economy that the directive defines as “critical.” However, the regulation has broader implications because it sets new cybersecurity and resilience standards that businesses of all types will face pressure to meet. This means that it would be wrong to think of NIS2 as a regulation that only affects a relatively small set of EU-based companies; it’s a regulation with major cybersecurity implications for businesses of all types whose operations take place within the EU or impact EU citizens.

NIS2 compliance background

NIS2 builds upon the original NIS framework, known as NIS1, which the European Union introduced in 2016. NIS1 was narrower in that it focused only on a handful of industries that provide essential physical services, like transportation and energy. NIS2 expands coverage to a much wider range of industries deemed essential or important for the European Union's economy and society, including:

Essential sectors:

  • Energy: Electricity, oil, gas, and district heating and cooling. 

  • Transport: Air, rail, water, and road transport. 

  • Finance: Banking and financial market infrastructure.

  • Digital Infrastructure: DNS providers, cloud services, data centers, etc. 

  • Healthcare: Hospitals, healthcare providers, and labs. 

  • Public Administration: Governmental bodies and agencies. 

  • Space: Space-based services and infrastructure. 

  • Water: Drinking water suppliers and wastewater management.

Important sectors:

  • Digital Providers: Online marketplaces, search engines, social media platforms.

  • Postal and Courier Services: Postal service providers, including providers of courier services.

  • Waste Management: Organizations carrying out waste management, excluding organizations for whom waste management is not their principal economic activity.

  • Manufacturing: Includes production, processing, and distribution of chemicals, food, and other critical products like medical devices, computers/electronics, machinery, and vehicles.

  • Research: Research organizations and education institutions where they carry out critical research activities.

Development of NIS2 began in 2020. Enforcement of the standards began for some companies in 2023, and the law entered into full force – meaning all affected businesses must comply – starting in October 2024.

Responsibility for enforcing NIS2 falls to the governments of individual EU member states, which can carry out investigations and enforce penalties when they suspect businesses of failing to comply with the NIS2 standards. NIS2 penalties can total up to €10,000,000 or 2 percent of the business’s global revenue, whichever is greater — meaning that large enterprises are subject to very significant fines. In addition, NIS2 is notable because it includes provisions that allow regulators to hold company executives personally liable if their organizations violate the law’s requirements. Most other compliance regulations only allow for penalties against organizations, not individuals employed by them.

Cybersecurity measures required by NIS2

NIS2 outlines security responsibilities that broadly fall into three main categories: risk management, security measures, and information sharing. Although the directive encompasses a wide range of cybersecurity topics beyond software development, developers are directly impacted by several key requirements in each category:

  • Risk Management: This area includes the implementation of threat modeling, vulnerability oversight such as CVE tracking, and the development of structured incident response protocols.

  • Security Measures: Organizations are expected to ensure data protection, promptly report incidents, secure their software supply chains, and maintain robust continuity and recovery plans in case of disruption.

  • Information Sharing: Emphasis is placed on fostering transparent communication both between organizations and with designated authorities to enhance collective resilience.

NIS2 significantly expands on traditional risk and security expectations by embedding secure software lifecycle practices as a core requirement. There's a heightened focus on delivering trustworthy, high-quality code.

NIS2 introduces stricter oversight of the software supply chain, broadening vulnerability management responsibilities to include third-party tools and requiring more comprehensive risk assessments. Organizations are expected to identify and evaluate potential risks within their software supply chains—such as vulnerabilities in external components—and are encouraged to leverage Software Bills of Material (SBOMs) to gain clearer visibility into software composition.

Developers and application security teams now face updated expectations for vulnerability management, including the adoption of secure development practices, routine risk evaluations, and well-defined processes for vulnerability handling and disclosure—such as timely CVE reporting, patching, and remediation. These measures are all intended to reinforce a secure-by-design approach throughout the software development lifecycle.
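One way to make the SBOM-based visibility and vulnerability handling described above concrete, as an added example that is not Chainguard's code and not part of the original post: the script below parses a constructed CycloneDX-style SBOM, matches each component against a constructed advisory list (placeholder identifiers, not real CVEs), and produces the remediation list a team would track through patching. The component names, versions, and advisory ids are all assumptions; a real pipeline would read the SBOM produced by its build and pull advisories from a vendor feed or the NVD.

```python
import json

# Constructed minimal CycloneDX-style SBOM (not from any real project).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-ssl", "version": "1.2.3",
     "purl": "pkg:generic/libexample-ssl@1.2.3"},
    {"type": "library", "name": "example-logger", "version": "2.14.0",
     "purl": "pkg:maven/org.example/example-logger@2.14.0"},
    {"type": "library", "name": "example-json", "version": "3.1.0",
     "purl": "pkg:npm/example-json@3.1.0"}
  ]
}
"""

# Constructed advisory records with placeholder ids (not real CVE numbers).
# In practice these come from a vulnerability feed such as the NVD or a vendor advisory.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "libexample-ssl", "fixed_in": "1.2.5"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-logger", "fixed_in": "2.14.0"},
    {"id": "EXAMPLE-ADV-0003", "name": "example-json", "fixed_in": "4.0.0"},
]


def parse_version(version):
    """Turn a dotted numeric version like '1.2.3' into a comparable tuple.
    Anything after the first dash (e.g. '-rc1') is dropped so the comparison
    stays numeric; this is a simplification, not a full semver implementation."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def load_components(sbom_json):
    """Return (name, version, purl) tuples for every component in the SBOM."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"], c.get("purl", ""))
            for c in sbom.get("components", [])]


def find_affected(components, advisories):
    """Match each component against the advisory list. A component is
    affected when its version is strictly older than the fixed version."""
    findings = []
    for name, version, purl in components:
        for adv in advisories:
            if adv["name"] != name:
                continue
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": name,
                    "version": version,
                    "fixed_in": adv["fixed_in"],
                    "purl": purl,
                })
    return findings


def remediation_report(sbom_json, advisories):
    """Produce the sorted list a team would hand to whoever owns patching."""
    findings = find_affected(load_components(sbom_json), advisories)
    return sorted(findings, key=lambda f: f["component"])


if __name__ == "__main__":
    for f in remediation_report(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"-> upgrade to {f['fixed_in']} ({f['purl']})")
```

The component already at its fixed version (example-logger 2.14.0) is correctly left out, which is the case a naive name-only match gets wrong; the two remaining findings are what a team would feed into its patching and disclosure process.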

As a result of these changes, engineering and security teams must work collaboratively to assess the security practices of third-party vendors, ensure vulnerability disclosure obligations are addressed in contractual agreements, and carry out comprehensive audits of the software supply chain.

For global organizations navigating multiple cybersecurity frameworks, a common strategy is to align with the most stringent standard to ensure broad compliance. In the context of NIS2, NIST 800-53 can be a valuable reference point—especially for organizations that already incorporate it into their security programs. It offers a practical foundation for meeting certain NIS2 requirements, such as implementing FIPS-approved cryptographic modules or leveraging STIGs to address broader cybersecurity controls.

NIS2’s software supply chain security requirements are particularly notable because they make NIS2 one of the first cybersecurity frameworks to treat supply chain risks as a distinct area of concern. This reflects growing awareness of supply chain vulnerabilities following major incidents like those involving SolarWinds and Log4j.

The implications of NIS2 compliance for organizations

As a framework that significantly expands the cybersecurity requirements businesses must have in place across a wide range of industries, NIS2 is poised to help establish a new baseline when it comes to cybersecurity. Again, even businesses that aren’t legally required to comply with NIS2 are likely to leverage the law to help establish the standards they voluntarily follow to minimize their risk of attack.

In addition, as we mentioned, NIS2 stands apart from most other compliance regulations because it includes some novel provisions – such as the ability to hold business executives personally responsible for cybersecurity failures and its special focus on supply chain security.

Meeting—and exceeding—compliance standards with Chainguard

By providing access to container images that are hardened and vulnerability-free, Chainguard helps businesses meet and exceed compliance standards defined in regulations like NIS2. Chainguard manages supply chain risks so you don’t have to, ensuring that the third-party software businesses rely on is secure from the start.

Contact us to learn more.

FAQs

  • NIS2 is a European Union compliance regulation that aims to strengthen cybersecurity for companies that provide services that the EU deems critical – such as those in the finance, transportation, and energy industries.