AuditXYZ

Directive (EU) 2022/2555 — Network and Information Security Directive 2 (NIS2)

NIS2 is the EU directive expanding cybersecurity obligations to more sectors and introducing stricter incident reporting. Learn who it affects and what compliance requires.

Issuing Body: European Parliament and Council of the European Union
First Published: 2022-12-27
Latest Version: 2022
Typical Cost: $30,000–$250,000
Typical Timeline: 6–18 months
Audit Required: Yes
Audit Frequency: Essential entities are subject to proactive supervisory audits. Important entities are subject to reactive supervision upon evidence of non-compliance.
Geography: european-union, eea

NIS2 Directive: EU Cybersecurity Regulation Guide

The NIS2 Directive is the European Union's updated cybersecurity legislation, significantly expanding the scope and stringency of the original 2016 NIS Directive. It establishes cybersecurity risk management and incident reporting obligations for organizations across a wide range of critical and important sectors.

What NIS2 Covers

NIS2 mandates that covered entities implement appropriate and proportionate cybersecurity risk management measures. Specific requirements include risk analysis policies, incident handling procedures, business continuity management, supply chain security, vulnerability management, cybersecurity testing, cryptography policies, human resource security, access control, and asset management.

The directive introduces a tiered incident reporting regime: a 24-hour early warning to the relevant CSIRT, a 72-hour incident notification with initial assessment, and a final report within one month.

Who NIS2 Affects

NIS2 dramatically expanded its scope compared to the original directive. It covers two categories:

Essential entities — Large organizations in high-criticality sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.

Important entities — Medium and large organizations in sectors such as postal services, waste management, chemicals manufacturing, food production, medical device manufacturing, digital providers, and research organizations.

Organizations with 50+ employees or EUR 10M+ turnover in covered sectors are generally in scope. Member states may also designate smaller entities as in scope based on criticality.

Compliance Requirements

  1. Self-assessment — Determine if your organization falls under NIS2 scope
  2. Register — Essential and important entities must register with relevant national authorities
  3. Risk management measures — Implement the cybersecurity measures specified in Article 21
  4. Incident reporting — Establish processes for the 24-hour/72-hour/1-month reporting regime
  5. Supply chain security — Assess and manage risks from suppliers and service providers
  6. Management accountability — Ensure management bodies approve and oversee cybersecurity measures
  7. Training — Provide regular cybersecurity training including for management bodies

Enforcement and Penalties

NIS2 introduced significant penalties: up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% of turnover for important entities. Management bodies can be held personally liable for compliance failures, marking a notable escalation from the original directive.
