Classify your entity, track Article 21 cybersecurity risk-management measures, and meet NIS2's 24-hour, 72-hour and 30-day incident-reporting deadlines — in one workspace.
Who must comply
Medium & large entities in Annex I/II sectors (50+ staff or €10M+ turnover)
In force since
National transposition from 17 October 2024
Maximum fines
Up to €10M or 2% of total worldwide annual turnover, whichever is higher (essential entities)
Scope follows Article 2 read with Annexes I and II. Some entity types — such as DNS service providers, TLD name registries and trust service providers — are covered regardless of size. This is guidance, not legal advice; confirm your status with counsel.
NIS2 raises the bar on cyber risk management and incident reporting for in-scope organisations across the EU. The core duties:
Put in place appropriate technical, operational and organisational measures — risk analysis, incident handling, business continuity, encryption, access control and more — proportionate to the risks you face.
Notify your CSIRT or competent authority on a strict clock: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after submitting that notification.
Management bodies must approve the risk-management measures, oversee their implementation and follow training — and can be held liable for non-compliance.
Assess and address cybersecurity risks across your supply chain and supplier relationships, including the security practices of your direct ICT providers.
Turn the directive into a tracked, evidence-backed programme — without spreadsheets.
Track each baseline risk-management measure against your current posture, with evidence and clear gap visibility.
Log significant incidents and get the 24h / 72h / 30-day clocks computed automatically, with pre-filled authority notifications routed to your CSIRT contact.
Set your entity tier so the right reminders, notification routing and obligations apply to your organisation.
Reuse NIS2 controls across GDPR, DORA and the EU AI Act through the framework-mapping engine — evidence once, satisfy many.
NIS2 applies to medium and large entities (broadly, 50+ employees or more than €10M in annual turnover or balance sheet total) operating in the high-criticality sectors of Annex I or the other critical sectors of Annex II. Some entity types — such as DNS service providers, TLD name registries and trust service providers — are in scope regardless of size.
Member States were required to transpose Directive (EU) 2022/2555 into national law by 17 October 2024, replacing the original NIS Directive. Obligations apply through each country's implementing legislation.
Essential entities are, broadly, the large entities in the Annex I high-criticality sectors, plus certain types (such as qualified trust service providers, TLD name registries and DNS service providers) regardless of size; they face proactive (ex ante) supervision. Important entities are the remaining in-scope entities, including medium-sized Annex I entities and Annex II entities, and are supervised reactively (ex post). Both must meet the same risk-management and reporting obligations; only the supervision regime and maximum fines differ.
For a significant incident: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification was submitted, all sent to the national CSIRT or competent authority. If the incident is still ongoing at that point, a progress report is due instead, with the final report following within one month of the incident being handled.
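The three clocks above do not all start at the same moment, which is the part a tracking tool most often gets wrong: the 24-hour and 72-hour clocks run from the time the entity became aware of the incident, while the one-month clock for the final report runs from when the 72-hour notification was actually submitted. The following is an added illustration, not code from the page or from the product it describes; the class and function names are hypothetical, the sample timestamps are constructed, and "one month" is read as the same calendar day in the following month (clamped to the month's last day) as an assumption rather than a legal interpretation.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """Return the same wall-clock time one calendar month later.

    Assumption: if the target month is shorter, the day is clamped to its
    last day (31 Jan -> 28/29 Feb). This is a modelling choice, not a
    statement of how a given Member State counts 'one month'.
    """
    year = t.year + (1 if t.month == 12 else 0)
    month = 1 if t.month == 12 else t.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass
class SignificantIncident:
    """Hypothetical record holding the two timestamps the clocks depend on."""
    aware_at: datetime                                  # when the entity became aware
    notification_submitted_at: Optional[datetime] = None  # when the 72h notification went out

    def __post_init__(self) -> None:
        # Deadlines are meaningless without a timezone; refuse naive datetimes.
        for t in (self.aware_at, self.notification_submitted_at):
            if t is not None and t.tzinfo is None:
                raise ValueError("timestamps must be timezone-aware")
        if (self.notification_submitted_at is not None
                and self.notification_submitted_at < self.aware_at):
            raise ValueError("notification cannot precede awareness")

    def early_warning_due(self) -> datetime:
        # Art. 23(4)(a): 24 hours from awareness.
        return self.aware_at + timedelta(hours=24)

    def notification_due(self) -> datetime:
        # Art. 23(4)(b): 72 hours from awareness.
        return self.aware_at + timedelta(hours=72)

    def final_report_due(self) -> Optional[datetime]:
        # Art. 23(4)(d): one month after the incident notification was *submitted*.
        # Until it is submitted this clock has not started, so there is no due date.
        if self.notification_submitted_at is None:
            return None
        return add_one_month(self.notification_submitted_at)

    def status(self, now: datetime) -> dict:
        """Map each obligation to (due datetime or None, overdue flag)."""
        out = {}
        for label, due in (("early_warning", self.early_warning_due()),
                           ("notification", self.notification_due()),
                           ("final_report", self.final_report_due())):
            out[label] = (due, due is not None and now > due)
        return out


if __name__ == "__main__":
    # Constructed sample: aware late on 30 Jan, notified on 31 Jan.
    inc = SignificantIncident(
        aware_at=datetime(2025, 1, 30, 22, 15, tzinfo=timezone.utc),
        notification_submitted_at=datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc),
    )
    for label, (due, overdue) in inc.status(datetime(2025, 2, 3, 9, 0, tzinfo=timezone.utc)).items():
        print(f"{label:14s} due {due.isoformat() if due else 'not started'}  overdue={overdue}")
```

Note that the final-report due date only appears once a submission time is recorded; a tool that pre-computes it from the awareness time will show a date that is too early whenever the notification goes out before the 72-hour limit.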
Essential entities can face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities up to €7 million or 1.4%. Management bodies can also be held personally accountable.
Take the free self-assessment to estimate your NIS2 scope and obligations in a few minutes — no account required.