NIS 2 Guides

Complete guides to NIS 2 Directive compliance, cybersecurity requirements, incident reporting, and supply chain security for essential and important entities.

What is NIS 2? A Complete Guide for Organizations

The NIS 2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation that establishes a high common level of cybersecurity across all member states. It replaces the original NIS Directive from 2016 and significantly expands the scope, requirements, and enforcement mechanisms for organizations operating in the EU.

Who Needs NIS 2 Compliance?

NIS 2 applies to a broad range of organizations across the European Union, significantly expanding the scope of the original NIS Directive. Understanding whether your organization falls within scope is the first step toward compliance, and the answer depends on your sector, size, and the nature of the services you provide.

NIS 2 Essential vs Important Entities: Key Differences

NIS 2 classifies organizations into two categories: essential entities and important entities. While both must meet the same cybersecurity requirements, the supervision model, enforcement approach, and penalty levels differ significantly between the two. Understanding your classification is critical for planning your compliance strategy.

NIS 2 Requirements: What Organizations Must Implement

Article 21 of the NIS 2 Directive outlines the cybersecurity risk-management measures that all in-scope entities must implement. These requirements form the foundation of NIS 2 compliance, covering everything from risk analysis to incident handling and supply chain security. This guide breaks down each requirement and what it means in practice.

NIS 2 Incident Reporting: Timelines and Obligations

One of the most significant changes in NIS 2 compared to the original directive is the introduction of a strict, multi-stage incident reporting framework. Organizations must report significant cybersecurity incidents to their national Computer Security Incident Response Team (CSIRT) or competent authority within specific timeframes. Understanding these obligations is essential for compliance.

NIS 2 Supply Chain Security Requirements

Supply chain security is one of the most significant additions in NIS 2 compared to the original directive. Article 21(2)(d) specifically mandates that organizations address cybersecurity risks in their relationships with suppliers and service providers. This reflects the growing recognition that an organization's security is only as strong as its weakest link in the supply chain.

NIS 2 Penalties and Enforcement: What You Need to Know

NIS 2 introduces a harmonized enforcement framework with significant penalties for non-compliance. Unlike the original NIS Directive, which left enforcement largely to member states' discretion, NIS 2 establishes minimum fine levels, personal management liability, and specific supervisory powers. Understanding the enforcement landscape is critical for prioritizing your compliance efforts.

NIS 2 Compliance Checklist: A Step-by-Step Guide

Achieving NIS 2 compliance requires a structured approach covering governance, technical measures, incident response, and supply chain management. This checklist provides a practical roadmap for organizations working toward compliance with the directive's requirements.

NIS 2 Risk Assessment: How to Evaluate Cybersecurity Risks

Risk assessment is the foundation of NIS 2 compliance. Article 21 requires organizations to take a risk-based approach to cybersecurity, meaning all security measures must be proportionate to the risks identified. A structured risk assessment process helps you identify threats, evaluate vulnerabilities, and prioritize your cybersecurity investments effectively.

NIS 2 Compliance Cost: What to Budget

Understanding the financial investment required for NIS 2 compliance helps organizations plan effectively and allocate resources appropriately. Costs vary significantly based on your organization's current security maturity, size, sector, and whether you already hold certifications like ISO 27001.

NIS 2 vs ISO 27001: How They Complement Each Other

NIS 2 and ISO 27001 are two of the most important cybersecurity frameworks for organizations operating in Europe. While NIS 2 is a regulatory requirement and ISO 27001 is a voluntary certification standard, they share significant common ground. Understanding how they relate helps organizations build an efficient compliance strategy that satisfies both.

NIS 2 vs GDPR: Understanding the Overlap

NIS 2 and GDPR are two of the most significant EU regulations affecting organizations' security and data practices. While NIS 2 focuses on cybersecurity of network and information systems and GDPR focuses on personal data protection, they share common ground and organizations subject to both must understand how to coordinate their compliance efforts.

NIS 2 for Startups: What Growing Companies Need to Know

Most startups fall below the NIS 2 size thresholds and are not directly subject to the directive. However, as your company grows or if you operate in specific sectors, NIS 2 compliance can become relevant quickly. Even if you are not directly in scope, your enterprise customers may impose NIS 2-aligned requirements through their supply chain obligations. Understanding NIS 2 early helps you build security practices that scale.

NIS 2 Management Liability: What Leaders Need to Know

NIS 2 introduces a groundbreaking provision in EU cybersecurity regulation: personal accountability for members of management bodies. Article 20 explicitly requires management to approve cybersecurity measures, oversee their implementation, and undertake training. Failure to fulfill these obligations can result in personal sanctions, including temporary bans from exercising management functions.

NIS 2 Business Continuity Requirements

Business continuity and crisis management are core requirements under NIS 2. Article 21(2)(c) specifically mandates that organizations implement business continuity measures, including backup management, disaster recovery, and crisis management procedures. These requirements ensure that critical services can be maintained or quickly restored after a cybersecurity incident.

NIS 2 Cyber Hygiene and Training Requirements

Article 21(2)(g) of the NIS 2 Directive requires organizations to implement basic cyber hygiene practices and cybersecurity training. Combined with Article 20's management training obligation, this creates a comprehensive framework for building cybersecurity awareness at every level of the organization. These requirements recognize that human factors remain one of the most significant cybersecurity risks.

NIS 2 National Transposition: How Member States Implement the Directive

NIS 2 is an EU directive, meaning it sets minimum requirements that each member state must transpose into national law. Unlike an EU regulation (such as GDPR), which applies directly, a directive gives member states flexibility in how they implement the requirements. This creates variations across the EU that organizations must navigate, particularly those operating in multiple countries.

NIS 2 Sectors Covered: Complete Guide to the 18 Sectors

NIS 2 significantly expands the scope of EU cybersecurity regulation by covering 18 sectors across two categories. Annex I lists 11 sectors classified as "highly critical" (whose entities become essential entities), while Annex II lists 7 sectors classified as "other critical" (whose entities become important entities). This guide provides a detailed breakdown of every sector and sub-sector covered by the directive.

NIS 2 Vulnerability Management and Disclosure

NIS 2 addresses vulnerability management on two levels: as a required cybersecurity measure for individual organizations (Article 21) and as a coordinated vulnerability disclosure framework at the EU level (Articles 12-13). Together, these provisions create a comprehensive approach to identifying, managing, and sharing information about cybersecurity vulnerabilities.

Maintaining NIS 2 Compliance: Ongoing Requirements

Achieving initial NIS 2 compliance is only the beginning. The directive requires organizations to maintain their cybersecurity measures on an ongoing basis, adapt to evolving threats, and demonstrate continuous compliance to supervisory authorities. This guide covers the ongoing activities, reviews, and processes necessary to sustain NIS 2 compliance over time.

Ready to get NIS 2 certified?

Let our experts guide you through NIS 2 certification. We'll handle the complexity so you can focus on your business.

Talk to an expert

Bastion Platform

AI Compliance

All-in-One Security

Security Engineers

Tackle more frameworks without more effort.

Wall of Trust

Case Studies

By Company Size

By Industry

Blog

Learn Compliance

Developer

Company