NIS2
Getting Started Guide

Network and Information Security Directive 2

Sweeping EU cybersecurity directive impacting critical infrastructure and their supply chains.

Audit Effort6–9 months for program alignment
Key FactDirect management liability and fines up to €10M or 2% of global turnover.

What Is NIS2?

The NIS2 Directive is an EU-wide cybersecurity legislation designed to establish a higher, more uniform level of cybersecurity across Member States. It replaces the original NIS Directive, expanding the scope from pure critical infrastructure (like energy and water) to include 'Important Entities' like postal services, waste management, and digital providers.

NIS2 establishes strict requirements for incident reporting (an early warning within 24 hours), supply chain security, and basic cyber hygiene. It is a legal directive, meaning each EU Member State must transpose it into their own national laws.

A terrifying aspect for executives: NIS2 introduces direct management liability. C-level executives can be held personally liable and even temporarily suspended from their roles if their organization is found grossly negligent in its cybersecurity duties.

Does NIS2 Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

Essential & Important Entities in EU

Medium and large enterprises operating in sectors like energy, transport, banking, health, digital infrastructure, and manufacturing in the EU.

Mandatory

B2B SaaS serving EU Enterprises

Due to strict supply chain requirements, EU enterprises must audit their SaaS vendors to ensure they meet NIS2 cyber hygiene standards.

Mandatory

Managed Service Providers (MSPs)

MSPs and MSSPs are explicitly brought into the scope of NIS2 as Essential Entities due to their systemic risk.

Mandatory
You probably don't need NIS2 if:
  • Small or micro-businesses (generally under 50 employees and <€10M turnover), unless they operate in a highly critical sector like telecom or trust services.
  • Organizations with no operations, customers, or supply chain links in the European Union.

Why NIS2 Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

National Transposition Deadline

EU Member States were required to transpose NIS2 into national law by October 2024, meaning active enforcement and auditing are beginning.

Supply Chain Audits

EU companies are currently rewriting their vendor contracts to mandate NIS2-aligned security controls. If you sell to Europe, you will see these requirements in RFPs now.

Management Liability

Boards are suddenly paying attention because NIS2 makes them personally liable for cyber failures. They are pushing this pressure down to the IT and Security teams.

The Requirements

The core security controls and evidence parameters audited for NIS2.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for NIS2.

1
Weeks 1-4

Applicability & Gap Analysis

Determine if you fall under 'Essential' or 'Important' categories. Conduct a gap assessment against ISO 27001 (which heavily overlaps with NIS2).

Key Deliverable:Applicability statement, Gap analysis report
2
Weeks 5-8

Incident Response Overhaul

Rewrite your Incident Response Plan to support the aggressive 24-hour/72-hour reporting windows required by national CSIRTs.

Key Deliverable:Updated IR Plan, Tabletop exercise report
3
Weeks 9-16

Supply Chain & Hygiene Rollout

Enforce MFA globally. Launch a formal vendor risk management program to audit your own downstream suppliers.

Key Deliverable:Vendor risk methodology, Technical hygiene dashboards
With Existing Certifications

6-8 weeks: If you have a mature ISO 27001 ISMS, you meet ~80% of NIS2 requirements. Focus purely on the 24-hour reporting workflows and the board liability/training documentation.

Starting from Scratch

6-9 months: Establishing an enterprise-grade incident response, backup, and vendor risk program from zero requires major operational shifts.

The Mistakes That Delay Most NIS2 Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Assuming US compliance is enough

Why it happens:

US companies think their SOC 2 covers NIS2. It doesn't. SOC 2 doesn't mandate 24-hour reporting to a government CSIRT, nor does it carry management liability.

How to avoid it:

Map your SOC 2 controls to NIS2 specifically. You will need to build EU-specific reporting workflows.

Ignoring the supply chain

Why it happens:

Companies secure their own network but get breached via a small SaaS vendor. NIS2 penalizes you for not auditing your vendors.

How to avoid it:

Implement a strict vendor onboarding process. Do not allow procurement to sign software contracts without a security review.

Failing to train the Board

Why it happens:

Security teams update the policies but fail to formally train the C-suite, violating the explicit management training requirement of NIS2.

How to avoid it:

Hold a 1-hour cybersecurity briefing for the executive team annually and document their attendance.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

NIS2 Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

NIS2 Checklist

Assess your baseline control posture against NIS2 criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about NIS2 compliance and certification processes.