EU cybersecurity for essential and important entities. Implement security measures, manage incidents, and ensure supply chain resilience.
The NIS2 Directive (Directive 2022/2555) is the EU's updated cybersecurity legislation that significantly expands the scope of the original NIS Directive. It establishes cybersecurity risk management obligations and incident reporting requirements for essential and important entities across 18 sectors.
NIS2 introduces a two-tier system: essential entities (energy, transport, health, banking, digital infrastructure) face stricter oversight, while important entities (postal services, food production, manufacturing, digital providers) have lighter supervision. Both must implement comprehensive cybersecurity measures.
Member states were required to transpose NIS2 into national law by October 2024. Management bodies can be held personally liable for non-compliance, and fines can reach EUR 10 million or 2% of global turnover for essential entities.
The most important articles and obligations you need to address.
Mandatory technical, operational, and organizational measures based on an all-hazards approach to cybersecurity.
Ten specific measures required: risk analysis, incident handling, business continuity, supply chain security, network security, and more.
Significant incidents must be reported to the CSIRT within 24 hours (early warning), 72 hours (notification), and 1 month (final report).
Management bodies must approve cybersecurity measures, oversee implementation, and undergo cybersecurity training. Personal liability applies.
Organizations must assess and manage cybersecurity risks in their supply chain, including direct suppliers and service providers.
Essential entities: up to EUR 10M or 2% of turnover. Important entities: up to EUR 7M or 1.4% of turnover.
Key enforcement milestones
Jan 2023: NIS2 Directive entered into force
Oct 2024 (in effect): National transposition deadline
Apr 2025 (in effect): Entity registration deadline
Oct 2025: Full enforcement by national authorities
Purpose-built features to get you from zero to compliant.
Pre-built checks for all ten Art. 21(2) minimum measures: risk analysis, incident handling, BCM, supply chain, and more.
Assess and document cybersecurity risks from suppliers and service providers with structured risk assessments.
Test strategies and execution cycles for validating cybersecurity controls. Results feed into compliance evidence.
Track and document security incidents with the structured reporting timelines NIS2 requires.
Board-level compliance overview showing cybersecurity posture across all covered entities and measures.
Generate compliance reports for national supervisory authority audits in PDF, Excel, or Word format.
NIS2 significantly expands scope from ~100 to ~160,000 entities across the EU. It adds 7 new sectors, introduces personal liability for management, harmonizes incident reporting timelines (24h/72h/1 month), and raises the maximum fine, which the original directive left unspecified, to EUR 10M or 2% of turnover.
Generally, NIS2 applies to medium and large enterprises. However, micro and small enterprises can be included if they operate in certain critical sectors (DNS services, TLD registries, trust service providers, or sole providers of essential services in a member state).
NIS2 introduces personal liability for management bodies. Senior management must approve cybersecurity measures, oversee implementation, and undergo training. Failure can result in temporary bans from exercising management functions.
Significant incidents must be reported in three stages: an early warning within 24 hours, a detailed incident notification within 72 hours, and a final comprehensive report within one month of the incident.
complixo provides pre-built NIS2 compliance checks covering all ten minimum security measures from Art. 21(2), supply chain risk assessment tools, incident management tracking, and audit-ready documentation for national authority inspections.
Pre-built checks, structured evidence, and audit-ready reports. No credit card required.