nis2audit

EU NIS2 Directive

NIS2 compliance, without the jargon

NIS2 widens EU cybersecurity rules to thousands more organisations — with real security measures, tight incident-reporting deadlines and personal accountability for management. Find out if you are in scope and how ready you are.

  • Based on Directive (EU) 2022/2555
  • Vendor-neutral
  • Updated 2026

What is NIS2

Europe’s baseline for cybersecurity, dramatically widened

NIS2 is an EU directive that raises and harmonises cybersecurity requirements across far more sectors and organisations than the original NIS rules.

The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s framework for a high common level of cybersecurity. It replaces the original 2016 NIS directive and greatly expands who must comply — covering essential and important entities across around 18 sectors.

In-scope organisations must adopt a defined set of risk-management security measures (Article 21), report significant incidents on a strict timeline (Article 23), register with authorities, and manage supply-chain risk. Crucially, management bodies must approve and oversee these measures — and can be held personally accountable (Article 20).

It is transposed into national law by each member state, so the exact obligations and supervisor differ by country — but the core requirements are common across the EU.

The essentials

What NIS2 actually requires

Four pillars that define your obligations under the directive.

  1. SCOPE

    Wider scope

    NIS2 covers essential and important entities across around 18 sectors, generally from medium size upward — far more organisations than the original NIS directive.

  2. MEASURES

    Ten security measures

    Article 21 sets a baseline of risk-management measures: risk analysis, incident handling, backups, supply-chain security, encryption, access control, MFA and more.

  3. LIABILITY

    Management accountability

    Under Article 20, management bodies must approve and oversee the cybersecurity measures, undergo training, and can be held liable for failures.

  4. REPORTING

    Fast incident reporting

    Significant incidents trigger a strict timeline: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.

Are you in scope

Essential, important — or out of scope?

NIS2 classifies in-scope organisations into two tiers, mostly by sector and size. Broadly:

  • Essential

    Essential entities

    Larger organisations in high-criticality sectors — energy, transport, banking, health, water, digital infrastructure and more. Subject to proactive supervision.

    Category: High-criticality sectors (Annex I), generally large entities.

  • Important

    Important entities

    Organisations in other critical sectors — postal, waste, chemicals, food, manufacturing, digital providers, research. Subject to reactive supervision.

    Category: Other critical sectors (Annex II) and medium-sized entities.

  • Size rule

    The size threshold

    Generally, medium-sized organisations and above (roughly 50+ staff or €10M+ turnover) in covered sectors are in scope — with exceptions.

    Category: Some entities are in scope regardless of size.

  • Check

    Not sure?

    Sector, size and national transposition all matter, and some smaller entities are still caught. If in doubt, verify your status rather than assume you are out.

    Category: National rules can extend scope — confirm your status.

Free readiness check

How ready are you for NIS2?

Rate your organisation against the ten Article 21 security measures. The score, band and gaps update live — nothing is sent anywhere.

  • Risk analysis & information security policies Art. 21(2)(a)
  • Incident handling Art. 21(2)(b)
  • Business continuity, backups & crisis management Art. 21(2)(c)
  • Supply-chain security Art. 21(2)(d)
  • Secure acquisition, development & vulnerability handling Art. 21(2)(e)
  • Testing the effectiveness of measures Art. 21(2)(f)
  • Cyber hygiene & security training Art. 21(2)(g)
  • Cryptography & encryption Art. 21(2)(h)
  • Access control & asset management Art. 21(2)(i)
  • Multi-factor authentication & secure communications Art. 21(2)(j)
0% NIS2 readiness · 0 gaps
Early stage

Significant gaps

Several core measures are missing. Prioritise the fundamentals — risk assessment, incident handling, backups and access control — and build a plan against all ten measures.

In progress

Partly there

A foundation exists but with real gaps. Close the partial and missing measures, and document what you have — NIS2 expects evidence, not intentions.

Well advanced

Most measures in place

You cover most of Article 21. Tackle the remaining gaps, test the effectiveness of your measures, and make sure management oversight and reporting processes are documented.

Audit-ready

Strong coverage

You report strong coverage of the measures. Keep it current, evidence it, rehearse incident reporting, and validate with an independent assessment.

Get a NIS2 gap assessment

A self-assessment aid, not a formal audit or legal advice. Exact obligations depend on your sector, size and national transposition of NIS2.

The facts

NIS2 at a glance

A directive that is in force, broad in scope, and backed by real penalties.

~18
sectors are covered by NIS2 — from energy and health to manufacturing, food and digital services.
Source: NIS2 Annexes I & II · EUR-Lex, 2022
Oct 2024
the deadline for member states to transpose NIS2 into national law — it is now being enforced.
Source: EUR-Lex · NIS2, 2022
24h / 72h
to submit an early warning, then a fuller incident notification, for a significant incident.
Source: NIS2 Art. 23 · EUR-Lex, 2022
€10M / 2%
the maximum fine for essential entities — up to €10 million or 2% of global annual turnover, whichever is higher.
Source: NIS2 Art. 34 · EUR-Lex, 2022

Each figure links to its primary source. Exact obligations depend on national transposition; confirm your status with a qualified adviser.

Get compliant

From "are we in scope?" to audit-ready

NIS2 is not a one-off project — it is an ongoing, evidenced risk-management programme that management must own.

Under Article 20 of NIS2, the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, follow training — and can be held liable for infringements.
NIS2 Art. 20 · EUR-Lex
  • Confirm scope and register

    Determine whether you are an essential or important entity, and meet any national registration requirements.

  • Close the Article 21 gaps

    Assess your coverage of the ten security measures, then remediate the gaps — with documentation, not just intentions.

  • Rehearse incident reporting

    The 24-hour clock starts at awareness. Build and practise the process to detect, decide and report in time.

  • Prove it with testing

    NIS2 expects you to test the effectiveness of your measures. Independent assessment and penetration testing provide that evidence.

Frequently asked questions

Short, clear answers

What is the NIS2 Directive?

NIS2 (Directive (EU) 2022/2555) is the EU’s cybersecurity directive for essential and important entities. It widens scope, sets baseline security measures, mandates incident reporting and makes management accountable. It replaced the original 2016 NIS directive.

Who does NIS2 apply to?

Essential and important entities across roughly 18 sectors — energy, transport, health, banking, water, digital infrastructure, manufacturing, food, waste and more — generally from medium size upward, though some entities are in scope regardless of size. Check who is in scope →

What security measures does NIS2 require?

Article 21 lists ten baseline measures, including risk analysis, incident handling, business continuity and backups, supply-chain security, encryption, access control and multi-factor authentication. See all ten measures →

What are the NIS2 incident-reporting deadlines?

For a significant incident: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within one month.

Can management be held personally liable under NIS2?

Yes. Article 20 requires management bodies to approve and oversee the cybersecurity measures and follow training, and provides that they can be held liable for infringements.

What are the penalties for non-compliance?

For essential entities, fines can reach up to €10 million or 2% of global annual turnover, whichever is higher; for important entities, up to €7 million or 1.4%. Authorities also have supervisory and enforcement powers.

How do we become NIS2 compliant?

Confirm your scope, assess your coverage of the Article 21 measures, close the gaps with documented controls, set up incident reporting, ensure management oversight, and validate with testing. Follow the checklist →