NIS2 Directive Compliance
End-to-end consulting for NIS2 Directive (EU 2022/2555) compliance, mandatory for essential and important entities operating in the European Union.
European Directive
What is the NIS2 Directive?
The NIS2 Directive (EU 2022/2555) is the European legislation establishing cybersecurity requirements for essential and important entities in critical sectors. It replaces the original NIS Directive and significantly expands its scope and requirements.
It came into force in January 2023, and Member States must transpose it by October 2024. It affects sectors such as energy, transport, banking, healthcare, water, digital infrastructure, public administration, and ICT service providers.
Essential Entities
Entities in highly critical sectors: energy, transport, banking, healthcare, water, digital infrastructure.
Proactive supervision; fines of up to €10M or 2% of global annual turnover
Important Entities
Entities in other critical sectors: postal services, waste management, manufacturing, food, digital providers.
Reactive supervision; fines of up to €7M or 1.4% of global annual turnover
Process
Compliance Process
6 phases to ensure full NIS2 Directive compliance.
APPLICABILITY ANALYSIS
Determining whether the organization is subject to NIS2 and classifying it as an essential or important entity.
- Applicability report
- Entity classification
- Defined scope
NIS2 GAP ANALYSIS
Assessment of current compliance status against the requirements of Article 21 of the Directive.
- Gap analysis report
- Compliance level
- Roadmap
RISK MANAGEMENT
Implementation of a risk management framework in accordance with NIS2 Directive requirements.
- Risk methodology
- Risk register
- Treatment plan
IMPLEMENTATION OF MEASURES
Deployment of technical and organizational measures required by Article 21.
- Security policies
- Technical controls
- Operational procedures
INCIDENT RESPONSE
Establishment of the significant incident notification process in accordance with Article 23.
- Response plan
- Notification procedure
- Established channels
AUDIT & MONITORING
Continuous audit and NIS2 compliance monitoring program.
- Audit plan
- Compliance metrics
- Continuous improvement
Requirements
Key Requirements
The 4 fundamental areas required by the NIS2 Directive.
Risk Management
Art. 21.2(a)
Comprehensive cybersecurity risk analysis and treatment framework with periodic assessments.
Incident Reporting
Art. 23
Early warning within 24 hours, initial notification within 72 hours, and a final report within 1 month, all submitted to the competent authority.
Supply Chain Security
Art. 21.2(d)
Assessment and management of risks from suppliers and technology partners.
Business Continuity
Art. 21.2(c)
Continuity plans, disaster recovery, and crisis management.
Deliverables
What You Receive
NIS2 Applicability Report
Detailed applicability analysis and entity classification.
Risk Management Framework
Methodology, risk register, and complete treatment plan.
Policies & Procedures
Complete security policy documentation compliant with NIS2.
Incident Response Plan
Significant incident notification and management procedure.
Continuity Plan
Business continuity strategy and disaster recovery.
Audit Report
NIS2 compliance audit with recommendations and improvement plan.
FAQ
Frequently Asked Questions
The NIS2 Directive (EU 2022/2555) is European legislation establishing cybersecurity requirements for essential and important entities. It replaces the original NIS Directive and significantly expands the scope, obligations, and penalties.
It affects essential entities (energy, transport, banking, healthcare, water, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, digital providers). It also applies to their ICT service providers.
For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of global annual turnover. Additionally, directors can be held personally liable.
The Directive came into force in January 2023. Member States were required to transpose it into national legislation by October 2024. Spain is in the process of transposition. Organizations should start preparing now.
They are complementary frameworks. Having ISO 27001 or ENS covers many NIS2 requirements, but the directive adds specific obligations such as 24-hour incident notification and management accountability. An integrated approach is more efficient.
It depends on the starting point. Organizations with ISO 27001 or ENS can achieve compliance in 3–6 months. Organizations without a prior framework may need 6–12 months. We recommend starting the process as soon as possible.
NIS2 establishes a three-stage process: early warning within 24 hours of becoming aware of the incident, initial notification with assessment within 72 hours, and a detailed final report within a maximum of 1 month.
Ready to protect your business?
Request a free initial assessment and discover how we can strengthen your organization's security. No obligation.