
NIS2 Compliance Guide

A comprehensive guide to the Network and Information Security Directive (EU Directive 2022/2555) — who it applies to, what it requires, and how to comply.

What is NIS2?

NIS2 (Directive 2022/2555) is the EU's updated Network and Information Security Directive, replacing the original NIS Directive from 2016. It significantly expands the scope of cybersecurity requirements across the European Union.

NIS2 was adopted on 14 December 2022, and EU Member States had until 17 October 2024 to transpose it into national law. The directive applies to a much wider range of sectors than its predecessor and introduces stricter requirements, higher penalties, and accountability for management bodies.

NIS2 aims to achieve a high common level of cybersecurity across the EU by harmonising requirements for network and information system security across all Member States.

Essential vs Important Entities

Essential Entities

Sectors of high criticality, subject to proactive supervisory measures:

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & financial market infrastructure
  • Health
  • Drinking water & wastewater
  • Digital infrastructure & ICT service management
  • Public administration & space

Important Entities

Other critical sectors, subject to reactive supervisory measures:

  • Postal & courier services
  • Waste management
  • Chemicals manufacturing
  • Food production & distribution
  • Manufacturing (medical devices, electronics, etc.)
  • Digital providers (marketplaces, search engines, social networks)
  • Research organisations

Article 21: 10 Minimum Security Measures

Article 21 requires all essential and important entities to implement at least these ten cybersecurity risk-management measures:

  1. Policies on risk analysis and information system security
  2. Incident handling (prevention, detection, response)
  3. Business continuity and crisis management
  4. Supply chain security, including third-party assessments
  5. Security in network and information system acquisition, development, and maintenance
  6. Policies and procedures to assess cybersecurity risk-management effectiveness
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures on the use of cryptography and encryption
  9. Human resources security, access control, and asset management
  10. Use of multi-factor authentication, secured voice/video/text communications, and secured emergency communications

Article 23: Incident Reporting

NIS2 introduces a multi-stage incident reporting regime with strict deadlines:

  • Early warning (24 hours): initial notification to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident.
  • Incident notification (72 hours): detailed notification within 72 hours, including an initial assessment of severity, impact, and indicators of compromise.
  • Final report (1 month): comprehensive final report within one month, including root cause analysis, mitigation measures, and cross-border impact.

Penalties

  • Essential entities: 10M EUR or 2% of total annual worldwide turnover, whichever is higher.
  • Important entities: 7M EUR or 1.4% of total annual worldwide turnover, whichever is higher.

NIS2 also introduces personal accountability for management bodies. Senior management can be held personally liable and may face temporary bans from exercising managerial functions.

DORA vs NIS2: How They Relate

DORA is considered lex specialis (a more specific law) in relation to NIS2 for the financial sector. This means that where DORA and NIS2 overlap, DORA takes precedence for financial entities.

In practice, financial entities that comply with DORA are considered to have met the corresponding NIS2 requirements. However, if your organisation falls under both (for example, a company providing both financial and non-financial services), you may need to address NIS2 requirements for the non-financial parts of your business separately.

ComplyShield supports both frameworks simultaneously, allowing you to map controls once and demonstrate compliance against both DORA and NIS2 requirements.

How ComplyShield helps with NIS2 compliance

Art. 21 Risk Management

Map and track all 10 minimum security measures. Assign owners, attach evidence, and monitor implementation status.

Art. 23 Incident Reporting

Automated 24h/72h/1mo deadline tracking with escalation notifications and supervisor-ready PDF reports.

Supply Chain Security

Vendor registry, self-service assessments, contract tracking, and third-party risk scoring.

Board Accountability

Board-level reports, compliance dashboards, and training evidence tracking for management body oversight.

Need help with NIS2 compliance?

Talk to our team for a NIS2 readiness assessment and see how ComplyShield can streamline your compliance efforts.
