If you work in IT or cybersecurity within the European Union, NIS2 has probably come up in your meetings repeatedly over the past year. The directive entered into force on January 16, 2023, and EU member states had until October 17, 2024 to transpose it into national law. Some countries met that deadline. Many didn’t. But regardless of where your national legislation stands, the requirements are clear and the clock is ticking.
The NIS2 Directive (Network and Information Security Directive 2) is the EU’s updated cybersecurity framework for member states. It replaces the original NIS Directive from 2016, expanding scope from a few hundred organizations per country to thousands - potentially tens of thousands - across the EU. Requirements are tighter, and the penalties are real.
Below: who it applies to, what Articles 20–21 actually ask for, how it lines up with ISO 27001, and what I’d prioritize if I were starting from scratch today.
If you already know you’re in scope and want checkboxes, use the NIS2 compliance checklist (there’s a one-page printable version too). On ISO 27001 already? The NIS2 ↔ ISO mapping article saves a lot of duplicate work. For a quick gut-check, the NIS2 readiness tool takes about 15 minutes.
To see the framework loaded in a GRC tool, poke around the CISO Assistant demo — NIS2 is pre-configured there.
Who must comply with NIS2?
NIS2 covers far more organizations than the original directive. The question isn’t just what sector you’re in - it’s also how big your organization is.
Entity classification
NIS2 divides organizations into two categories, each with different supervision regimes:
Essential entities face stricter supervision, including proactive inspections and audits. These include:
- Energy (electricity, oil, gas, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare (hospitals, laboratories, medical device manufacturers)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDNs, trust services)
- ICT service management (managed service providers, managed security service providers)
- Public administration (central government)
- Space
Important entities face lighter, reactive supervision - typically investigated only after an incident or evidence of non-compliance:
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organizations
Size thresholds
Within these sectors, NIS2 generally applies to organizations that are:
- Medium-sized or larger: 50+ employees, or €10M+ annual turnover, or €10M+ balance sheet total
- Some entities are covered regardless of size - DNS providers, TLD registries, trust service providers, and certain digital infrastructure operators
If your company operates in one of these sectors and meets the size threshold, NIS2 applies to you. There’s no registration or opt-in - it’s automatic.
What NIS2 requires
Article 21 is the heart of NIS2’s technical requirements. It mandates that essential and important entities implement appropriate and proportionate cybersecurity risk management measures. In practice, that breaks down into ten areas.
Risk management measures (Article 21)
NIS2 requires at minimum these cybersecurity measures:
- Risk analysis and information system security policies - documented policies governing how you assess and manage cyber risk
- Incident handling - processes for detecting, managing, and reporting incidents
- Business continuity and crisis management - backup management, disaster recovery, and crisis response plans
- Supply chain security - security measures covering your relationships with direct suppliers and service providers, including vulnerability management
- Security in network and information systems acquisition, development, and maintenance - including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures - essentially, auditing yourself
- Basic cyber hygiene practices and cybersecurity training - security awareness for all staff
- Policies on the use of cryptography and encryption - where appropriate
- Human resources security, access control policies, and asset management - who has access to what, and inventory of critical assets
- Multi-factor authentication (MFA) or continuous authentication solutions, secured communications, and secured emergency communication systems
If this list looks familiar, it should. Most of these requirements map directly to ISO 27001 controls. We’ll cover the exact overlap later in this article.
Incident reporting obligations (Article 23)
NIS2 introduces a mandatory, multi-stage incident reporting regime. Most organizations I work with aren’t set up for this out of the box:
| Timeline | Requirement | What to include |
|---|---|---|
| 24 hours | Early warning to CSIRT/competent authority | Whether the incident is suspected to be caused by unlawful or malicious acts, whether it could have cross-border impact |
| 72 hours | Incident notification | Initial assessment of severity and impact, indicators of compromise where applicable |
| 1 month | Final report | Detailed description of the incident, root cause analysis, mitigation measures applied, cross-border impact if any |
These timelines start from when the entity becomes aware of the significant incident. A “significant incident” is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage.
For essential entities, this isn’t optional. Missing the 24-hour early warning window alone can trigger supervisory action.
Supply chain security
Supply chain requirements deserve special attention because they’re often the hardest to implement. NIS2 requires you to:
- Assess the cybersecurity practices of your direct suppliers and service providers
- Consider the overall quality of products and services, including embedded cybersecurity features
- Account for vulnerabilities specific to each supplier and the results of cybersecurity audits
- Identify and manage risk from the supply chain as a whole, not just individual vendors
This means your vendor security management process needs to be formalized, documented, and actively maintained. A spreadsheet of vendor names won’t cut it - you need structured assessments with tracked remediation.
Governance and management liability
This is where NIS2 gets teeth. Article 20 makes management bodies directly responsible for cybersecurity:
- Management must approve the cybersecurity risk management measures
- Management must oversee their implementation
- Management members must undergo cybersecurity training
- Management can be held personally liable for non-compliance
Under NIS1, cybersecurity was often delegated entirely to IT teams. NIS2 makes it a board-level responsibility. If your CEO hasn’t been briefed on your NIS2 compliance status, close that gap now.
NIS2 vs ISO 27001: how they overlap
If your organization already holds ISO 27001 certification or is working toward it, you’re well positioned for NIS2. The overlap is substantial - roughly 70-80% of NIS2 requirements map to existing ISO 27001 controls.
Overlap matrix
| NIS2 requirement (Article 21) | ISO 27001 Annex A controls | Coverage |
|---|---|---|
| Risk analysis and security policies | A.5.1, A.5.2, A.6.1 | Full |
| Incident handling | A.5.24, A.5.25, A.5.26, A.6.8 | Partial (NIS2 adds strict timelines) |
| Business continuity | A.5.29, A.5.30, A.8.13, A.8.14 | Full |
| Supply chain security | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 | Full |
| Network and system security | A.8.8, A.8.9, A.8.20, A.8.21 | Full |
| Effectiveness assessment | A.5.35, A.5.36 (monitoring, compliance) | Full |
| Cyber hygiene and training | A.6.3, A.7.2 | Full |
| Cryptography | A.8.24 | Full |
| HR security and access control | A.6.1-6.7, A.8.2-8.5 | Full |
| MFA and secure communications | A.8.5, A.8.20 | Partial (NIS2 is more specific) |
Where NIS2 goes beyond ISO 27001
Despite the overlap, NIS2 adds requirements that ISO 27001 alone doesn’t cover:
- Mandatory incident reporting with fixed timelines (24h/72h/1 month) - ISO 27001 requires incident management but doesn’t mandate reporting to authorities within specific timeframes
- Deeper supply chain security - NIS2 expects more granular vendor assessment than ISO 27001’s supplier relationship controls
- Management body liability - ISO 27001 requires management commitment, but NIS2 introduces personal liability
- Sector-specific requirements that may be layered on top by national transposition laws
- Cross-border coordination - obligation to consider and report incidents with potential cross-border impact
The practical takeaway
If you’re ISO 27001 certified, you’re not starting from zero. Your ISMS covers the majority of NIS2 requirements. The gaps are primarily around incident reporting procedures (adding the 24h/72h timelines), deepening your supply chain assessments, formalizing management oversight, and ensuring your incident classification considers the NIS2 “significant incident” threshold. For a detailed control-by-control mapping with specific Annex A references, see our guide on implementing NIS2 using your existing ISO 27001 controls.
If you’re not yet ISO 27001 certified, implementing NIS2 and ISO 27001 simultaneously makes sense - the work largely overlaps, and having the ISO certification demonstrates compliance maturity to regulators.
Timeline and what matters in 2026
At EU level, NIS2 has been in force since January 2023. Member states were supposed to transpose it by 17 October 2024. Plenty missed that date; most have national law in place by now anyway. What actually bites for you is national law + your sector regulator — not the EU PDF on its own.
| When | What happened |
|---|---|
| Jan 2023 | NIS2 in force at EU level |
| Oct 2024 | Transposition deadline (many countries late) |
| 2024–2026 | National laws, registration rules, supervision ramp up |
| Now | If you’re in scope, treat 24h / 72h / 1-month incident reporting as live |
The obligations that show up in audits and incident post-mortems tend to be the same everywhere: documented risk measures (Art. 21), board sign-off and training (Art. 20), supplier due diligence, and CSIRT reporting on a clock. I keep a working copy of our evidence in the NIS2 checklist — it’s the list I actually tick through with clients.
Don’t guess your national dates. Check your competent authority (BSI, ANSSI, NASK, ACN, etc.) for registration deadlines and any sector-specific rules. Poland, Germany, France, Netherlands, and Italy all moved at different speeds; the directive text is stable, the paperwork isn’t.
National transposition reality
Several EU member states missed the October 2024 deadline. As of early 2026:
- Germany - The NIS2 Implementation Act (NIS2UmsuCG) went through multiple drafts and was adopted in 2025. BSI (Federal Office for Information Security) is the primary supervisory authority.
- France - ANSSI oversees implementation. France was among the more prepared member states.
- Poland - The amendment to the National Cybersecurity System Act (KSC) implementing NIS2 was adopted, with NASK and sector-specific CSIRTs as responsible bodies. Polish organizations should pay particular attention to the national-level specifics.
- Netherlands - Adopted the Cybersecurity Act (Cbw) transposing NIS2.
- Italy - Transposed NIS2 in 2024, with ACN (National Cybersecurity Agency) as the competent authority.
Even in countries where transposition was delayed, organizations should be implementing NIS2 requirements now. The directive’s requirements are clear regardless of national legislation details, and retroactive enforcement from the transposition deadline is possible.
Penalties for non-compliance
NIS2 introduces penalties on a scale similar to GDPR:
| Entity type | Maximum fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher) |
Beyond financial penalties, supervisory authorities can:
- Issue binding instructions and orders
- Order the implementation of security audit recommendations
- Order measures to bring entities into compliance within a deadline
- Impose periodic penalty payments until compliance is achieved
- Temporarily suspend certifications or authorizations for essential entities
- Temporarily ban individuals from exercising managerial functions at essential entities
That last point matters most in practice - NIS2 gives authorities the power to temporarily bar C-suite executives from their roles for serious non-compliance. Combined with the management liability provisions, this makes NIS2 compliance a personal concern for every board member.
How to implement NIS2 with CISO Assistant
CISO Assistant ships with the NIS2 framework pre-loaded, including all Article 21 requirements mapped to assessable controls.
NIS2 framework mapping
When you create a new compliance assessment in CISO Assistant and select the NIS2 framework, you’ll see all requirements organized by article and topic. Each requirement can be assessed as compliant, partially compliant, non-compliant, or not applicable (with justification).
The platform tracks your overall compliance percentage and highlights areas that need attention. If you’re also running ISO 27001, CISO Assistant’s cross-framework mapping shows you which NIS2 requirements your existing ISO 27001 controls already satisfy - so you’re not doing the same work twice.
Risk assessment aligned to NIS2
NIS2 Article 21 starts with risk analysis for a reason. In CISO Assistant, you can build a risk assessment that directly feeds into your NIS2 compliance:
- Identify assets - network infrastructure, information systems, and data within scope
- Map threats using the built-in threat catalog or your own
- Assess risks - probability and impact, linked to NIS2-relevant scenarios
- Apply controls - map mitigating controls to both your risk scenarios and NIS2 requirements simultaneously
This creates a single source of truth where risk treatment decisions are directly linked to NIS2 compliance evidence.
Incident management workflow
CISO Assistant doesn’t have a dedicated incident management module, but you can use the platform to:
- Document your incident classification criteria aligned to NIS2’s “significant incident” definition
- Map your incident response procedures to NIS2 Article 23 reporting timelines
- Track evidence of incident response capability through compliance assessments
- Link incident management controls to both NIS2 and ISO 27001 requirements
For actual incident ticketing and workflow, integrate with your existing ITSM or SIEM tools. CISO Assistant’s API makes this straightforward.
Supply chain management
Use CISO Assistant’s third-party risk management capabilities to address NIS2’s supply chain requirements:
- Register all direct suppliers and service providers
- Conduct structured security assessments per vendor
- Rate vendor criticality based on access to your systems and data
- Track remediation of identified risks
- Generate reports demonstrating ongoing supply chain oversight
Where I’d start if you’re behind
Figure out if you’re in scope. Sector list + size (50+ people or €10M turnover in most cases). When in doubt, assume yes and treat it as a security program upgrade — the work is worth doing even if a lawyer later narrows scope.
Honest gap assessment next. Walk Article 21 against what you already do. Most teams I’ve worked with are partially there; the gaps are usually documentation, supplier reviews, and incident reporting to the CSIRT — not “we have zero security.” Load NIS2 in CISO Assistant or use the readiness tool. The compliance mapping guide is how I run these sessions.
Fix the scary stuff first. Incident playbooks that can hit 24 hours. Management actually approving the policy (minutes, not a vague email). MFA on admin and remote access. A supplier list with someone assigned to review the critical ones. Everything else can queue behind that.
Then fill in the ISMS-shaped holes: risk register, BCP tested at least once, access reviews, training records. If you’re on ISO 27001, don’t rebuild parallel — extend what you have (mapping guide).
Keep it alive. Tabletop an incident once a year. Re-read supplier tiers when you onboard someone new. Brief the board when something material changes — Article 20 isn’t a one-off checkbox.
Closing thoughts
NIS2 isn’t a voluntary framework. If you’re in scope, national law will expect evidence, not slide decks.
ISO 27001 still gets you most of the way — call it 70–80% overlap — but NIS2 adds hard edges: CSIRT clocks, management liability, deeper supply chain questions. That’s where auditors and regulators spend their time.
The checklist article and printable PDF are what I send clients before a workshop. The demo is for clicking through controls. If you want someone to deploy CISO Assistant with NIS2 and ISO loaded properly, that’s our deployment work — or get in touch if you just need a second pair of eyes on the roadmap.