NIS2 with AI

NIS2 Compliance Guide for In-Scope Companies

The NIS2 Directive (EU 2022/2555) is the European Union's updated framework for cybersecurity and the resilience of network and information systems, replacing the original NIS Directive (EU 2016/1148). It applies to medium and large organizations across 18 sectors and imposes cybersecurity risk management requirements, governance obligations, and incident reporting rules. This guide walks you through NIS2 scope, requirements, implementation steps, and how AI can accelerate your compliance efforts.

NIS2 applies from October 18, 2024; member states were required to transpose it into national law by October 17, 2024. Transposition status still varies by member state, so check your own national law and competent authority. If your organization falls under scope, compliance is mandatory now.

Who Must Comply with NIS2?

NIS2 applies to medium and large enterprises (at least 50 employees, or annual turnover and balance sheet total above €10 million) operating in the sectors listed in Annex I and Annex II. Small and micro entities may still be in scope if they are the sole provider of a service essential to society, a disruption of their service could significantly affect public safety, security or health, they pose systemic risk, or they are otherwise nationally important.

Annex I - Sectors of High Criticality (Essential Entities)

Large entities in these sectors are essential entities; medium-sized entities in the same sectors are generally important entities unless a member state designates them as essential.

  • Energy: Electricity, heating/cooling, oil, gas, hydrogen

  • Transport: Air, rail, water, road

  • Banking and financial market infrastructure

  • Health: Healthcare providers, reference labs, pharmaceutical R&D/manufacturing, medical device manufacturers

  • Drinking water and wastewater

  • Digital infrastructure: Internet exchange points, DNS service providers, TLD name registries, cloud computing, data centers, CDNs, trust service providers, public electronic communications networks and services

  • ICT service management: Managed service providers, managed security service providers

  • Public administration: Central and regional government

  • Space: Ground-based infrastructure operators

Annex II - Other Critical Sectors (Important Entities)

  • Postal and courier services

  • Waste management

  • Chemicals: Manufacturing and distribution

  • Food: Production, processing, distribution

  • Manufacturing: Medical devices/IVDs, electronics, optics, electrical equipment, machinery, motor vehicles, transport equipment

  • Digital providers: Online marketplaces, search engines, social media platforms

  • Research organizations

Entities designated as critical under the CER Directive (EU 2022/2557), DNS service providers, TLD name registries, trust service providers and public electronic communications providers (in scope regardless of size), domain name registration service providers, and certain public administration and education entities (local government, higher education) may also be in scope depending on national implementation.

Key NIS2 Requirements

NIS2 imposes three core obligation areas: governance, risk management, and incident reporting.

Article 20: Governance and Accountability

  • Management body approval: Your board or senior management must formally approve cybersecurity risk management measures and oversee implementation

  • Mandatory training: Members of the management body must follow cybersecurity training, and the organization must offer regular training to employees appropriate to their roles

  • Management liability: Leadership can be held personally liable for non-compliance

Article 21: Risk Management Measures

Organizations must implement proportionate, all-hazards cybersecurity measures covering:

  • Risk analysis and information security policies

  • Incident handling: Detection, prevention, response, recovery

  • Business continuity: Backup management, disaster recovery, crisis management

  • Supply chain security: Security-related aspects of relationships with direct suppliers and service providers, including their vulnerabilities, the quality of their products and services, and their secure development practices

  • Network and information systems: Acquisition, development, maintenance, vulnerability handling

  • Effectiveness assessment and testing

  • Cyber hygiene and employee training

  • Cryptography and encryption

  • Human resources, access control, and asset management

  • Multi-factor authentication, continuous authentication, and secure communications

Article 23: Incident Reporting

You must report significant incidents to your national CSIRT or competent authority within strict timelines. An incident is significant if it has caused or is capable of causing severe operational disruption of your services or financial loss, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

  • Early warning: Within 24 hours of becoming aware

  • Incident notification: Within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any available indicators of compromise (IOCs)

  • Final report: Within one month of submitting the incident notification, with a detailed description, the likely root cause, mitigation measures taken and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident is handled.

Voluntary reporting of significant cyber threats and near misses (Article 30) is encouraged.

NIS2 requires a holistic, risk-based approach. It's not a checklist—you need to demonstrate continuous improvement and proportionate controls tailored to your organization's size and risk profile.

Implementation Roadmap

Follow these steps to achieve and maintain NIS2 compliance:

1. Determine Applicability

Confirm whether your organization is in scope based on sector, size, and criticality. Check your member state's national transposition law for specific requirements.

2. Conduct a Gap Analysis

Compare your current cybersecurity posture against Article 21 requirements. Identify missing or insufficient controls across governance, risk management, incident handling, supply chain, and technical measures.

3. Develop Policies and Frameworks

Create or update documentation covering:

  • Information security policy (aligned with NIS2 Articles 20-21)

  • Risk assessment methodology

  • Incident classification and response procedures

  • Business continuity and disaster recovery plans

  • Supply chain security assessment and third-party contracts

4. Implement Technical and Organizational Controls

Deploy controls to meet Article 21 requirements: vulnerability management, access controls, MFA, encryption, network segmentation, backup systems, and monitoring tools.

5. Establish Governance and Training

Secure management approval for your risk management framework. Roll out mandatory cybersecurity training for management and staff.

6. Test and Monitor Effectiveness

Conduct regular penetration tests, DR drills, and control assessments. Document results and adjust policies as needed.

7. Register with National Authorities

Notify your member state's designated NIS2 competent authority and submit the registration details it requires (typically entity name, sector, address and contact details, and where relevant public IP ranges), keeping them up to date.

8. Prepare Incident Reporting Playbooks

Build templates and workflows for 24-hour, 72-hour, and final incident reports. Train your incident response team on NIS2 timelines.
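The Article 23 timelines above and the step 8 playbook both hinge on the same clock arithmetic, and it is easy to get wrong in practice (naive local timestamps across a DST change, a final-report deadline mistakenly counted from the awareness time rather than from the notification). The following is an added example, not code from the original page or from ISMS Copilot: a small Python helper that derives the three deadlines from the time the entity became aware of the incident and flags overdue reports. It assumes timezone-aware timestamps and reads "one month" as a calendar month clamped to the last valid day; the sample incident is constructed for illustration.

```python
"""Article 23 reporting-clock helper (added example; assumptions noted inline)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)          # Art. 23(4)(a): counted from becoming aware
INCIDENT_NOTIFICATION = timedelta(hours=72)  # Art. 23(4)(b): counted from becoming aware


def _require_aware(ts: datetime, name: str) -> datetime:
    """Reject naive timestamps: a naive 'local' time can shift a deadline by an
    hour across a DST change, which is enough to miss a 24-hour window."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Calendar month, clamped to the last valid day (31 Jan -> 28/29 Feb).
    Assumption: 'one month' in Art. 23(4)(d) is read as a calendar month."""
    year, month = ts.year, ts.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def add_one_month_iso(ts_iso: str) -> str:
    """String wrapper around add_one_month for quick checks."""
    return add_one_month(datetime.fromisoformat(ts_iso)).isoformat()


@dataclass(frozen=True)
class ReportingClock:
    aware_at: datetime                      # when the entity became aware
    notification_sent_at: datetime | None = None  # when the 72h notification went out

    def deadlines(self) -> dict[str, datetime | None]:
        aware = _require_aware(self.aware_at, "aware_at")
        final = None
        if self.notification_sent_at is not None:
            sent = _require_aware(self.notification_sent_at, "notification_sent_at")
            final = add_one_month(sent)  # clock starts at submission, not at awareness
        return {
            "early_warning": aware + EARLY_WARNING,
            "incident_notification": aware + INCIDENT_NOTIFICATION,
            "final_report": final,  # None until the notification has been submitted
        }

    def overdue(self, submitted: dict[str, datetime], now: datetime) -> list[str]:
        """Reports whose deadline passed without a submission on or before it."""
        now = _require_aware(now, "now")
        late: list[str] = []
        for name, due in self.deadlines().items():
            if due is None:
                continue
            sent = submitted.get(name)
            if sent is None:
                if now > due:
                    late.append(name)
            elif _require_aware(sent, name) > due:
                late.append(name)
        return late


# Constructed sample incident (not a real case): SOC confirms ransomware on a
# Monday morning, the early warning goes out 45 minutes past its deadline.
SAMPLE_AWARE = datetime(2025, 3, 10, 8, 15, tzinfo=timezone.utc)
SAMPLE_EARLY_WARNING_SENT = datetime(2025, 3, 11, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOTIFIED = datetime(2025, 3, 12, 10, 0, tzinfo=timezone.utc)


def sample_status(now_iso: str) -> tuple[dict[str, str | None], list[str]]:
    """Deadlines (ISO strings) and overdue reports for the sample incident at now_iso."""
    clock = ReportingClock(SAMPLE_AWARE, SAMPLE_NOTIFIED)
    submitted = {
        "early_warning": SAMPLE_EARLY_WARNING_SENT,
        "incident_notification": SAMPLE_NOTIFIED,
    }
    now = datetime.fromisoformat(now_iso)
    deadlines = {k: (v.isoformat() if v else None) for k, v in clock.deadlines().items()}
    return deadlines, clock.overdue(submitted, now)


if __name__ == "__main__":
    deadlines, late = sample_status("2025-03-20T00:00:00+00:00")
    for name, due in deadlines.items():
        print(f"{name:22s} due {due or '(clock not started)'}")
    print("overdue:", late)
```

Wire the awareness timestamp into the ticket your IR team opens when an incident is classified as significant, and have the tracker re-evaluate overdue() on every status update; the final-report key stays None until someone records the notification submission time, which is deliberate, because that is the event the one-month clock runs from.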

Use official national guidance and ENISA resources alongside this guide. Each member state may add specific requirements or interpretations.

Penalties for Non-Compliance

NIS2 enforcement is strict. National authorities can impose:

  • Essential entities: Administrative fines with a maximum of at least €10 million or 2% of total worldwide annual turnover, whichever is higher

  • Important entities: Administrative fines with a maximum of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher

  • Other measures: Warnings, binding instructions, orders to cease non-compliant conduct, orders to publicize the infringement, temporary suspension of certifications or authorizations, appointment of a monitoring officer, or (for essential entities, as a last resort) temporary prohibitions on individuals holding management roles

Management liability extends to board members and senior executives who fail to oversee compliance.

How ISMS Copilot Accelerates NIS2 Compliance

NIS2 compliance is document-heavy, time-consuming, and requires deep expertise. ISMS Copilot is purpose-built to help you move faster and smarter:

Generate Audit-Ready Policies and Documents

Ask ISMS Copilot to draft your NIS2-aligned information security policy, incident response procedures, risk assessment frameworks, or BCP/DR plans. Outputs are structured, professional, and tailored to your sector and requirements.

Conduct Gap Analysis in Minutes

Upload your existing policies, risk assessments, or security documentation (PDF, DOCX, XLS) and ask ISMS Copilot to identify gaps against NIS2 Article 21 requirements. You'll get a detailed breakdown of what's missing or insufficient.

Risk Assessments and Supply Chain Security

Use ISMS Copilot to build risk registers, assess third-party suppliers, and generate supply chain security questionnaires aligned with NIS2 expectations.

Framework-Specific Q&A

Ask questions about NIS2 scope, timelines, Article 20/21/23 obligations, or national transpositions. ISMS Copilot's knowledge base is built from real consulting experience rather than generic internet searches, and answers are grounded in that material.

Organize Multi-Client or Multi-Project Work

If you're a consultant managing NIS2 compliance for multiple clients, use Workspaces to keep projects, documents, and AI conversations separate and organized.

EU-Hosted and GDPR-Compliant

ISMS Copilot is hosted in Frankfurt (EU), with enterprise-grade security (MFA, end-to-end encryption). Your data is never used for AI training, and you maintain full control.

Check out the NIS2 Directive prompt library for ready-to-use prompts covering scope determination, gap analysis, policy generation, risk management, incident reporting, and more.

Getting Started with ISMS Copilot for NIS2

Start free at app.ismscopilot.com. The free tier gives you access to core features. Upgrade to Plus ($20/month) for increased quotas and more document uploads, or Pro Unlimited ($100/month, coming soon) for unlimited messaging and team collaboration.

For tailored NIS2 workflows, explore the NIS2 prompt library and the Risk Managers in Regulated Industries (DORA/NIS2) use case guide.
