
NIS2 Compliance: A Technical Roadmap for IT Leaders

A practical technical guide to NIS2 compliance — mapping directive requirements to concrete IT controls, timelines, and action items.

Updated: 8 April 2026

The NIS2 Directive is no longer a future concern — it is the present reality for thousands of organisations across the EU. Yet many IT leaders still struggle to translate the directive's legal language into concrete technical controls. This guide bridges that gap.

Who Is Actually in Scope?

NIS2 significantly expanded the scope of the original NIS Directive. If your organisation operates in one of 18 designated sectors and meets the size thresholds (50+ employees or EUR 10M+ annual turnover), you are almost certainly affected. The directive distinguishes between essential entities (energy, transport, health, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, chemicals, and others).

Key point: Even if you are not directly in scope, your customers may be — and they will cascade NIS2 requirements down to you through supplier contracts.

Mapping NIS2 Articles to Technical Controls

The directive's Article 21 defines ten categories of security measures. Here is how they translate to real-world IT controls:

1. Risk Analysis and Information System Security Policies

  • Implement a formal risk assessment framework (ISO 27005 or NIST RMF)
  • Maintain a living asset inventory covering all information systems, not just servers — think SaaS, APIs, and data flows
  • Document risk acceptance decisions with named owners and review dates

2. Incident Handling

NIS2 imposes strict reporting timelines:

  • 24 hours — early warning to your national CSIRT
  • 72 hours — full incident notification with initial assessment
  • 1 month — final report with root cause analysis and remediation

Technical implication: You need automated detection and triage. A manual ticketing workflow will not meet a 24-hour early warning obligation. Invest in:

  • SIEM with pre-built detection rules (e.g., Microsoft Sentinel, Splunk)
  • An incident response playbook that maps severity levels to NIS2 reporting thresholds
  • Automated alerting to your compliance and legal teams
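The reporting clock above is easy to describe and easy to miss in practice. The following added example (not code from the original article) implements the three obligations as a small audit that an incident playbook or SIEM automation could run: given when the entity became aware and which reports have been filed, it classifies each obligation and names the next deadline. It assumes "one month" is 30 days and that the playbook has already decided whether the incident is significant; both are assumptions, not something the article specifies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting obligations as described in the article, measured from awareness.
# "One month" is taken as 30 days here; that is an assumption of this example.
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

@dataclass
class Incident:
    ident: str
    aware_at: datetime            # when the organisation became aware
    significant: bool             # playbook verdict: meets the NIS2 reporting threshold
    submitted: dict = field(default_factory=dict)  # obligation -> time it was filed

def obligations(inc: Incident) -> dict:
    """Due time of each obligation; non-significant incidents carry none."""
    if not inc.significant:
        return {}
    return {name: inc.aware_at + delta for name, delta in DEADLINES.items()}

def audit(inc: Incident, now: datetime) -> dict:
    """Classify each obligation as on_time, late, overdue or pending."""
    status = {}
    for name, due in obligations(inc).items():
        sent = inc.submitted.get(name)
        if sent is not None:
            status[name] = "on_time" if sent <= due else "late"
        else:
            status[name] = "overdue" if now > due else "pending"
    return status

def next_due(inc: Incident, now: datetime):
    """Earliest unfiled obligation and hours remaining (negative once overdue)."""
    pending = [(due, name) for name, due in obligations(inc).items()
               if name not in inc.submitted]
    if not pending:
        return None
    due, name = min(pending)
    return name, (due - now).total_seconds() / 3600

# Constructed sample: aware at 09:00 UTC, early warning filed on time,
# full notification filed 8 hours late, final report not yet filed.
AWARE = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = Incident("INC-0001", AWARE, True, {
    "early_warning": AWARE + timedelta(hours=20),
    "notification": AWARE + timedelta(hours=80),
})
```

Feeding `audit` and `next_due` into the alerting pipeline gives the compliance and legal teams a countdown rather than a ticket queue to interpret.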

3. Business Continuity and Crisis Management

  • RPO/RTO definitions for every critical system, tested quarterly
  • Immutable backups stored in a separate security boundary (different subscription, different tenant, or offline)
  • Tabletop exercises at least twice per year — document findings and track remediation

4. Supply Chain Security

This is where NIS2 gets teeth. Article 21(2)(d) requires you to address security in your direct suppliers and service providers.

Practical steps:

  • Maintain a supplier risk register that scores vendors by criticality and data access
  • Include security annexes in contracts: patch SLAs, incident notification obligations, right-to-audit clauses
  • Require evidence of certifications (ISO 27001, SOC 2) or conduct your own assessments for high-risk suppliers
  • Monitor supplier security posture continuously — tools like SecurityScorecard or RiskRecon can automate this

5. Security in Network and Information Systems Acquisition, Development, and Maintenance

  • Enforce secure development lifecycle (SDL) practices: threat modelling, SAST/DAST, dependency scanning
  • Maintain a software bill of materials (SBOM) for all internally developed applications
  • Require SBOMs from vendors for critical third-party software

6. Vulnerability Handling and Disclosure

  • Establish a coordinated vulnerability disclosure policy (this is explicitly required)
  • Run regular vulnerability scans and penetration tests — quarterly at minimum, continuous is better
  • Define patch SLAs: critical vulnerabilities within 48 hours, high within one week

7. Cybersecurity Risk Assessment Effectiveness

  • Conduct annual maturity assessments against a recognised framework
  • Use metrics that matter: mean time to detect (MTTD), mean time to respond (MTTR), patch compliance rate, phishing simulation click rates
  • Report metrics to the management body — NIS2 explicitly holds management accountable
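The patch SLAs in section 6 and the metrics in section 7 only mean something once they are computed from real records. This added example (not the article's own code) does that over constructed vulnerability and incident data: it applies the 48-hour critical and one-week high SLAs, reports the patch compliance rate with the findings that breach it, and derives MTTD and MTTR in hours. Open findings still inside their window are counted as compliant so far; open findings past their deadline count as breaches, which is a design choice of this example.

```python
from datetime import datetime, timedelta
from statistics import mean

# Patch SLAs as stated in the article: critical within 48 h, high within one week.
PATCH_SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7)}

# Constructed records: (id, severity, detected_at, patched_at or None if open).
T0 = datetime(2026, 3, 1)
VULNS = [
    ("V-1", "critical", T0, T0 + timedelta(hours=30)),   # patched within SLA
    ("V-2", "critical", T0, T0 + timedelta(hours=60)),   # patched, but late
    ("V-3", "high", T0, T0 + timedelta(days=5)),         # patched within SLA
    ("V-4", "high", T0, None),                           # still open
    ("V-5", "medium", T0, None),                         # no SLA defined on the page
]

def patch_compliance(vulns, now):
    """Share of SLA-bound findings that are within SLA, plus the breaching ids.
    An open finding is judged against 'now'; past its deadline it is a breach."""
    bound = [v for v in vulns if v[1] in PATCH_SLA]
    ok, breaches = 0, []
    for vid, sev, seen, fixed in bound:
        due = seen + PATCH_SLA[sev]
        done_by = fixed if fixed is not None else now
        if done_by <= due:
            ok += 1
        else:
            breaches.append(vid)
    rate = ok / len(bound) if bound else 1.0
    return rate, breaches

# Constructed incident records: (occurred_at, detected_at, resolved_at).
INCIDENTS = [
    (T0, T0 + timedelta(hours=2), T0 + timedelta(hours=10)),
    (T0, T0 + timedelta(hours=6), T0 + timedelta(hours=30)),
]

def mttd_mttr_hours(incidents):
    """Mean time to detect (occurrence -> detection) and mean time to respond
    (detection -> resolution), both in hours, for the management report."""
    mttd = mean((d - o).total_seconds() for o, d, _ in incidents) / 3600
    mttr = mean((r - d).total_seconds() for _, d, r in incidents) / 3600
    return mttd, mttr
```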

8. Cryptography and Encryption

  • Enforce TLS 1.2+ for all data in transit; TLS 1.3 where possible
  • Implement encryption at rest for all datastores containing personal or business-critical data
  • Establish a key management policy with defined rotation schedules and hardware security module (HSM) usage for high-value keys

9. Human Resources Security and Access Control

  • Implement the principle of least privilege across all systems
  • Deploy multi-factor authentication (MFA) for all administrative access and all remote access
  • Conduct background checks for roles with privileged access to critical systems
  • Enforce just-in-time (JIT) privileged access with approval workflows

10. Multi-Factor Authentication and Secure Communication

  • MFA is not optional — NIS2 explicitly calls it out
  • Use phishing-resistant MFA (FIDO2, certificate-based) for privileged accounts
  • Secure internal communications for incident response (out-of-band channels that do not depend on the infrastructure under attack)

The Penalty Reality

NIS2 penalties are substantial and designed to command board-level attention:

  • Essential entities: Up to EUR 10 million or 2% of global annual turnover
  • Important entities: Up to EUR 7 million or 1.4% of global annual turnover

More critically, Article 32 allows supervisory authorities to temporarily suspend certifications and even temporarily prohibit individuals from exercising management functions. This is personal liability for executives.

A Practical 6-Month Roadmap

Month 1–2: Assess

  • Determine your entity classification (essential vs. important)
  • Conduct a gap analysis against the ten Article 21 measures
  • Identify your national competent authority and CSIRT

Month 3–4: Remediate

  • Prioritise gaps by risk and regulatory exposure
  • Implement quick wins: MFA enforcement, incident response playbook, supplier risk register
  • Begin procurement for longer-lead items (SIEM, PAM, backup infrastructure)

Month 5–6: Operationalise

  • Test incident reporting workflows end-to-end
  • Conduct a tabletop exercise simulating a reportable incident
  • Establish continuous monitoring and metrics reporting to management
  • Document everything — regulators assess not just your controls, but your ability to demonstrate them

Where Organisations Struggle Most

From our consulting engagements, the three areas that consistently cause the most difficulty are:

  1. Supply chain security — organisations underestimate the effort required to assess and monitor their entire vendor ecosystem
  2. Incident reporting within 24 hours — without automation and pre-defined playbooks, this deadline is nearly impossible to meet
  3. Management accountability — boards need cybersecurity training, and that requires translating technical risk into business language

Final Thought

NIS2 compliance is not a checkbox exercise. The directive is deliberately outcomes-focused, which means auditors will look at whether your controls actually work, not just whether you have a policy document. Start with risk assessment, build out controls methodically, and invest in the operational capabilities — detection, response, reporting — that will determine whether you can meet your obligations when an incident occurs.


Disclaimer: This article provides general technical guidance on regulatory requirements and should not be construed as legal advice. Regulations may be subject to updates, national transposition differences, and evolving enforcement interpretations. Always consult qualified legal counsel for compliance decisions specific to your organisation.

If you need help mapping NIS2 requirements to your specific infrastructure, get in touch with our team. We work with organisations across the EU to build compliance programmes that are technically sound and operationally sustainable.


Frequently Asked Questions

Who does the NIS2 Directive apply to?
NIS2 applies to essential and important entities across 18 sectors including energy, transport, banking, health, digital infrastructure, ICT service management, and public administration. It covers medium-sized enterprises (50+ employees or 10M+ EUR turnover) and above in these sectors.
What is the NIS2 incident reporting timeline?
NIS2 requires a 24-hour early warning to the CSIRT after becoming aware of a significant incident, a 72-hour incident notification with initial assessment, and a final report within one month including root cause analysis.
Are executives personally liable under NIS2?
Yes. Under Article 32, management bodies of essential and important entities can be held personally liable for non-compliance with cybersecurity risk management obligations. This includes potential temporary bans from exercising management functions.
What is the difference between NIS2 and ISO 27001?
ISO 27001 is a voluntary international standard for information security management systems. NIS2 is a legally binding EU directive with specific incident reporting timelines, supply chain security requirements, and penalties up to 10 million EUR or 2% of global turnover. ISO 27001 certification helps but does not automatically ensure NIS2 compliance.
What are the penalties for NIS2 non-compliance?
Essential entities face fines up to 10 million EUR or 2% of global annual turnover. Important entities face fines up to 7 million EUR or 1.4% of global annual turnover. Member states may impose additional administrative penalties.
