How to get started with NIS2 implementation using AI

Overview

You'll learn how to use AI to launch your NIS2 Directive implementation, from determining whether your organization is in scope, to understanding essential versus important entity obligations, securing management body approval under Article 20, conducting a gap analysis against Article 21, and building an actionable implementation roadmap using ISMS Copilot.

Who this is for

This guide is for:

  • CISOs and compliance leads at organizations that may fall under NIS2 scope

  • Management body members who need to understand their personal liability under the Directive

  • Security consultants advising clients on NIS2 readiness across EU member states

  • IT and risk managers responsible for operationalizing NIS2 requirements

  • GRC teams managing NIS2 alongside other frameworks such as ISO 27001, DORA, or GDPR

Before you begin

You will need:

  • An ISMS Copilot account (free trial available)

  • Knowledge of your organization's sector classification, employee count, and annual turnover

  • Access to your current information security policies and controls inventory (if available)

  • Contact details for your national competent authority and CSIRT

  • Access to senior leadership for governance and sign-off discussions

The NIS2 Directive (Directive (EU) 2022/2555) took effect on October 18, 2024. EU member states have transposed or are transposing the Directive into national law, potentially adding requirements beyond the baseline. If your organization is in scope, compliance obligations are active now.

Understanding NIS2 and why AI matters for implementation

What is the NIS2 Directive?

The NIS2 Directive is the European Union's updated cybersecurity legislation, replacing the original NIS Directive (2016/1148). It establishes comprehensive security and incident reporting requirements for essential and important entities across 18 critical sectors. NIS2 significantly expands the scope of organizations covered, strengthens governance and accountability, harmonizes penalties across member states, and introduces stricter incident reporting timelines.

NIS2 is built around three core obligation pillars:

  • Article 20 -- Governance: Management body approval, oversight, training, and personal liability

  • Article 21 -- Risk management measures: Ten cybersecurity domains covering everything from risk analysis to multi-factor authentication

  • Article 23 -- Incident reporting: 24-hour early warning, 72-hour notification, and one-month final report timelines

Management liability: Under Article 20, members of the management body can be held personally liable for non-compliance with NIS2 cybersecurity risk management measures. This is not a hypothetical risk -- national transposition laws across EU member states include enforcement provisions for individual accountability.

The implementation challenge without AI

NIS2 implementation is demanding because of:

  • Scope complexity: Determining applicability across sectors, size thresholds, and national transpositions requires detailed analysis

  • Breadth of requirements: Article 21 covers ten distinct cybersecurity measure areas, each requiring dedicated policies, procedures, and controls

  • Documentation volume: Producing audit-ready policies, risk assessments, incident playbooks, and supply chain assessments across all measure areas

  • Multi-jurisdiction complexity: Organizations operating across EU member states must track national transposition differences

  • Tight timelines: Enforcement is underway, and supervisory authorities can conduct inspections at any time

How ISMS Copilot accelerates NIS2 implementation

ISMS Copilot provides purpose-built AI assistance for NIS2:

  • Scope determination: Analyze your sector, size, and services to determine essential or important entity classification

  • Gap analysis: Upload existing documentation and identify gaps against all Article 21 measure areas

  • Policy generation: Draft audit-ready policies for each of the ten required cybersecurity domains

  • Incident reporting templates: Generate 24-hour, 72-hour, and final report workflows aligned with Article 23

  • Supply chain assessments: Create vendor security questionnaires and risk assessment frameworks

  • Framework-specific knowledge: Get answers grounded in NIS2 articles, recitals, and ENISA guidance -- not generic internet results

Organizations using AI-assisted NIS2 implementation typically reduce their documentation effort by 50-70% while producing outputs that meet audit scrutiny from the start.

Step 1: Determine your NIS2 scope

Sector classification

NIS2 applies to medium and large organizations (50+ employees OR annual turnover/balance sheet of EUR 10 million or more) operating in 18 designated sectors. The first step is confirming whether your organization's activities fall within these sectors.

Essential Entities (Annex I -- High Criticality):

  • Energy: Electricity, district heating/cooling, oil, gas, hydrogen

  • Transport: Air, rail, water, road transport operators

  • Banking: Credit institutions

  • Financial market infrastructure: Trading venues, central counterparties

  • Health: Healthcare providers, reference labs, pharmaceutical R&D/manufacturing, medical device manufacturers

  • Drinking water: Water supply and distribution

  • Wastewater: Collection, disposal, treatment of wastewater

  • Digital infrastructure: IXPs, DNS providers, TLD registries, cloud/data centers/CDNs, trust service providers, telecom

  • ICT service management (B2B): Managed service providers, managed security service providers

  • Public administration: Central and regional government entities

  • Space: Operators of ground-based infrastructure

Important Entities (Annex II):

  • Postal and courier services: Universal service providers, express delivery

  • Waste management: Hazardous and non-hazardous waste operators

  • Chemicals: Manufacturing and distribution of chemicals

  • Food: Production, processing, distribution of food products

  • Manufacturing: Medical devices, IVDs, electronics, optics, electrical equipment, machinery, motor vehicles, transport equipment

  • Digital providers: Online marketplaces, search engines, social media platforms

  • Research organizations: Research institutions (where results are commercially exploited)

Some organizations below the standard size thresholds may still be in scope if they are the sole provider of a critical service in a member state, if their disruption would have significant systemic impact, or if they are designated under national transposition law. Always verify with your member state's competent authority.

Using AI for scope determination

  1. Open ISMS Copilot at chat.ismscopilot.com

  2. Run a scope assessment:

    "Assess whether our organization falls under NIS2 scope. We are a [sector] company with [number] employees and EUR [amount] annual turnover, operating in [EU member states]. Our primary activities include [describe services]. Determine whether we qualify as an essential or important entity, which member state has jurisdiction, and what specific obligations apply."

  3. Check for edge cases:

    "We are below the standard NIS2 size thresholds but provide [describe critical service]. Could we still be in scope under Article 2 exceptions or national transposition provisions? What criteria would trigger inclusion?"

  4. Document the scoping decision:

    "Generate a formal NIS2 scoping statement for our organization documenting: sector classification, size threshold analysis, entity categorization (essential/important), applicable member state jurisdiction, and the rationale for our determination. Format this as an audit-ready document."

For consultants managing multiple clients: Create a separate ISMS Copilot workspace for each client's NIS2 project. Set custom instructions with the client's sector, size, member state, and current maturity level so every response is automatically tailored to that specific engagement.

Step 2: Understand the difference between essential and important entity obligations

Why classification matters

Your classification as an essential or important entity directly determines your supervisory regime, penalty exposure, and the intensity of obligations under NIS2.

  • Supervision: Essential entities -- proactive (ex ante), authorities can inspect at any time. Important entities -- reactive (ex post), authorities investigate after incidents or evidence of non-compliance

  • Maximum fines: Essential entities -- EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities -- EUR 7 million or 1.4% of global annual turnover, whichever is higher

  • Management liability: Personal liability for management body members (both entity types)

  • Art 21 measures: Essential entities -- full implementation of all ten measure areas. Important entities -- full implementation of all ten measure areas (proportionate to risk)

  • Incident reporting: 24h/72h/1 month reporting to CSIRT (both entity types)

  • Additional enforcement: Essential entities -- suspension of certifications, prohibition of management roles. Important entities -- warnings, binding instructions, compliance orders

Critical distinction: While both entity types must implement the same ten Article 21 measure areas, essential entities face proactive supervision -- meaning authorities can demand evidence of compliance at any time without waiting for an incident. This demands a higher baseline of audit-readiness at all times.
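The scoping rule from Step 1 (sector annex plus size threshold, with the three below-threshold triggers) and the supervision and fine figures from the comparison above can be encoded so that every scoping decision carries its own rationale trail for the audit file. The Python below is an added example written for this guide; it is not ISMS Copilot code or output. It follows the simplified rule exactly as this page states it (Annex I sector means essential, Annex II means important, in scope at 50+ employees or EUR 10 million turnover/balance sheet), the sample organizations are constructed, and the result is an input to the competent-authority check the page recommends, since national transposition may set different criteria.

```python
"""Simplified NIS2 scoping and obligations summary (constructed example, not ISMS Copilot code).
Rule as stated in this guide: Annex I sector -> essential, Annex II -> important; in scope when
50+ employees OR turnover/balance sheet >= EUR 10M, or one of three below-threshold triggers.
Sector names follow the guide's Annex I / Annex II tables; national law may differ."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Entity(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out of scope"


ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "health", "drinking water", "wastewater", "digital infrastructure",
           "ict service management (b2b)", "public administration", "space"}
ANNEX_II = {"postal and courier services", "waste management", "chemicals", "food",
            "manufacturing", "digital providers", "research organizations"}

EMPLOYEE_THRESHOLD = 50
FINANCIAL_THRESHOLD_EUR = 10_000_000

# Maximum fines from the comparison table: (fixed cap, share of global annual turnover).
FINE_CAP = {Entity.ESSENTIAL: (10_000_000, 0.02), Entity.IMPORTANT: (7_000_000, 0.014)}
SUPERVISION = {
    Entity.ESSENTIAL: "proactive (ex ante): authorities can inspect at any time",
    Entity.IMPORTANT: "reactive (ex post): investigation after incidents or evidence of non-compliance",
}


@dataclass
class Organization:
    name: str
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float = 0.0
    # Below-threshold triggers named in this guide (constructed inputs, set by the assessor).
    sole_provider_of_critical_service: bool = False
    significant_systemic_impact: bool = False
    designated_under_national_law: bool = False


@dataclass
class ScopeDecision:
    classification: Entity
    rationale: List[str] = field(default_factory=list)


def meets_size_threshold(org: Organization) -> bool:
    """Medium-or-large test: 50+ employees OR turnover/balance sheet of EUR 10M or more."""
    financials = max(org.turnover_eur, org.balance_sheet_eur)
    return org.employees >= EMPLOYEE_THRESHOLD or financials >= FINANCIAL_THRESHOLD_EUR


def classify(org: Organization) -> ScopeDecision:
    """Classify the organization and record the rationale for the scoping statement."""
    sector = org.sector.strip().lower()
    if sector in ANNEX_I:
        annex, entity = "Annex I", Entity.ESSENTIAL
    elif sector in ANNEX_II:
        annex, entity = "Annex II", Entity.IMPORTANT
    else:
        return ScopeDecision(Entity.OUT_OF_SCOPE,
                             [f"sector '{org.sector}' is not among the listed NIS2 sectors"])
    reasons = [f"sector '{org.sector}' is listed in {annex}"]
    if meets_size_threshold(org):
        reasons.append(f"size threshold met: {org.employees} employees, EUR "
                       f"{max(org.turnover_eur, org.balance_sheet_eur):,.0f} turnover/balance sheet")
        return ScopeDecision(entity, reasons)
    # Below the threshold: only an edge-case trigger keeps the entity in scope.
    triggers = [label for label, flag in (
        ("sole provider of a critical service", org.sole_provider_of_critical_service),
        ("significant systemic impact", org.significant_systemic_impact),
        ("designated under national transposition law", org.designated_under_national_law),
    ) if flag]
    if triggers:
        reasons.append("below size threshold but in scope via: " + "; ".join(triggers)
                       + " (confirm with the competent authority)")
        return ScopeDecision(entity, reasons)
    reasons.append("below the medium-size threshold and no edge-case trigger applies")
    return ScopeDecision(Entity.OUT_OF_SCOPE, reasons)


def max_fine_eur(entity: Entity, global_turnover_eur: float) -> float:
    """'EUR X or Y% of global annual turnover, whichever is higher'."""
    fixed, share = FINE_CAP[entity]
    return max(fixed, share * global_turnover_eur)


def obligations_summary(org: Organization) -> dict:
    """Fields for the scoping statement and the management body briefing."""
    decision = classify(org)
    summary = {"organization": org.name, "classification": decision.classification.value,
               "rationale": decision.rationale}
    if decision.classification is not Entity.OUT_OF_SCOPE:
        summary["supervision"] = SUPERVISION[decision.classification]
        summary["max_fine_eur"] = max_fine_eur(decision.classification, org.turnover_eur)
        summary["article_21"] = "all ten measure areas, proportionate to risk"
        summary["incident_reporting"] = "24h early warning / 72h notification / 1 month final report"
    return summary
```

Calling `obligations_summary(Organization("Example Registry", "Digital infrastructure", 12, 1_500_000, sole_provider_of_critical_service=True))` returns an essential-entity summary whose rationale records the sole-provider trigger, which is the evidence a supervisory authority would ask for; a 400-person retailer, by contrast, comes back out of scope because the sector is not listed.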

Analyzing obligations with AI

Ask ISMS Copilot to break down the specific obligations for your classification:

"We have been classified as an [essential/important] entity under NIS2 in [member state]. Create a comprehensive obligations matrix showing: each Article 20, 21, and 23 requirement, what specifically we must implement, the supervision and enforcement regime we face, and the penalties for non-compliance with each obligation area."

Step 3: Secure management body approval and address personal liability

Why Article 20 governance comes first

Article 20 of NIS2 requires that the management body (board of directors, executive management, or equivalent governing body) formally approves cybersecurity risk management measures and oversees their implementation. This is not optional -- it is a legal obligation with personal liability attached.

Specifically, Article 20 requires:

  • Management body members must approve the cybersecurity risk management measures adopted under Article 21

  • Management body members must oversee the implementation of those measures

  • Management body members can be held personally liable for infringements

  • Management body members must follow cybersecurity training and encourage regular training for employees

Personal liability is real: Unlike many cybersecurity frameworks where governance is aspirational, NIS2 creates a direct legal link between management body members and compliance outcomes. National transposition laws may include provisions for temporary suspension of managerial functions for serious non-compliance.

Building the management briefing with AI

  1. Generate a board-ready briefing:

    "Create an executive briefing on NIS2 Directive obligations for the management body of a [sector] company classified as an [essential/important] entity. Cover: what NIS2 requires of the management body specifically, personal liability provisions under Article 20, the penalties we face (up to EUR [10M/7M] or [2%/1.4%] of global turnover), supervisory regime, and what decisions need board-level approval. Format for a 30-minute board presentation."

  2. Draft a management body resolution:

    "Draft a formal management body resolution approving the adoption of NIS2 cybersecurity risk management measures for our organization. Include: acknowledgment of NIS2 obligations, approval of the cybersecurity risk management framework, designation of responsible persons, commitment to ongoing oversight and training, and authorization of necessary resources."

  3. Create a management training outline:

    "Design a cybersecurity training program for management body members that satisfies NIS2 Article 20 training requirements. Include: NIS2-specific governance obligations, cyber risk fundamentals for non-technical executives, incident reporting responsibilities, supply chain risk oversight, and how to evaluate cybersecurity reports. Specify duration, frequency, and evidence documentation."

Audit evidence: Document the board resolution, meeting minutes, and training attendance records. Supervisory authorities will specifically look for evidence that the management body approved measures, receives regular cybersecurity briefings, and has completed training.

Step 4: Conduct a gap analysis against Article 21

Understanding the ten measure areas

Article 21(2) requires organizations to implement cybersecurity risk management measures covering at minimum these ten areas:

  1. (a) Policies on risk analysis and information system security

  2. (b) Incident handling

  3. (c) Business continuity, including backup management, disaster recovery, and crisis management

  4. (d) Supply chain security, including security-related aspects of relationships with direct suppliers and service providers

  5. (e) Security in network and information system acquisition, development, and maintenance, including vulnerability handling and disclosure

  6. (f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures

  7. (g) Basic cyber hygiene practices and cybersecurity training

  8. (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption

  9. (i) Human resources security, access control policies, and asset management

  10. (j) Use of multi-factor authentication or continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems

Running the gap analysis with AI

  1. Prepare your current-state inventory: Before running the gap analysis, gather your existing policies, risk assessments, incident response plans, business continuity plans, and any security control documentation.

  2. Upload documents and run the analysis:

    "I am uploading our current information security documentation. Conduct a comprehensive gap analysis against all ten NIS2 Article 21(2) measure areas. For each area, assess: (1) whether we have a documented policy or procedure, (2) whether the policy content meets NIS2 requirements, (3) whether there is evidence of implementation, (4) specific gaps identified, (5) risk level of the gap (Critical/High/Medium/Low), and (6) recommended remediation actions with estimated effort."

  3. If you have no existing documentation:

    "We are starting NIS2 implementation from scratch with no existing cybersecurity policies. Generate a baseline gap analysis showing all ten Article 21(2) measure areas as non-compliant, with a prioritized remediation roadmap. For each area, describe what documentation, controls, and evidence we need to produce, and estimate the effort required for a [company size] organization in the [sector] sector."

  4. Generate the gap analysis report:

    "Format the gap analysis results as a formal NIS2 Gap Analysis Report including: executive summary, methodology, detailed findings per Article 21(2) measure area, overall compliance maturity score, prioritized remediation plan with timeline, and resource requirements. This report will be presented to our management body for approval."

Proportionality principle: NIS2 requires measures to be proportionate to your organization's risk exposure, size, and the likelihood and severity of potential incidents. Your gap analysis should reflect this -- a 50-person manufacturing company's controls will differ from a major energy provider's. ISMS Copilot tailors outputs to your context when you provide specific organizational details.
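The gap-analysis prompt above asks for six things per measure area; the first three are yes/no checks (documented, content adequate, evidence of implementation) and the fifth is a risk level, which is enough to compute the "overall compliance maturity score" and the prioritized remediation order the report prompt calls for. The Python below is an added example for this guide, not ISMS Copilot output: the ten areas are Article 21(2)(a)-(j) as listed above, while the scoring (one point per satisfied check), the ordering rule (risk level, then lowest maturity, then least effort) and the sample findings for a fictional manufacturer are assumptions made here.

```python
"""Article 21(2) gap register with maturity scoring and remediation ordering.
Constructed example, not ISMS Copilot output; scoring rule, ordering rule and
sample findings are assumptions, the ten areas follow Article 21(2)(a)-(j)."""
from dataclasses import dataclass
from typing import List

# The ten measure areas of Article 21(2), keyed by their letter.
ARTICLE_21_AREAS = {
    "a": "Policies on risk analysis and information system security",
    "b": "Incident handling",
    "c": "Business continuity, backup, disaster recovery and crisis management",
    "d": "Supply chain security",
    "e": "Secure acquisition, development and maintenance, incl. vulnerability handling",
    "f": "Assessing the effectiveness of cybersecurity risk management measures",
    "g": "Basic cyber hygiene practices and cybersecurity training",
    "h": "Cryptography and, where appropriate, encryption",
    "i": "Human resources security, access control and asset management",
    "j": "MFA / continuous authentication and secured communications",
}
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    area: str               # letter (a)-(j)
    documented: bool        # (1) a policy or procedure exists
    content_adequate: bool  # (2) its content meets NIS2 requirements
    implemented: bool       # (3) there is evidence of implementation
    risk_level: str         # (5) Critical / High / Medium / Low
    remediation: str        # (6) recommended action
    effort_days: int        # estimated effort in person-days (assumption)

    def maturity(self) -> int:
        """0..3: one point per satisfied assessment question."""
        return int(self.documented) + int(self.content_adequate) + int(self.implemented)


def validate(findings: List[Finding]) -> None:
    """Every area exactly once, with a known risk level; otherwise the report is incomplete."""
    areas = [f.area for f in findings]
    missing = sorted(set(ARTICLE_21_AREAS) - set(areas))
    if missing:
        raise ValueError(f"gap analysis does not cover area(s): {missing}")
    if len(areas) != len(set(areas)):
        raise ValueError("an area is assessed more than once")
    bad = [f.area for f in findings if f.risk_level not in RISK_RANK]
    if bad:
        raise ValueError(f"unknown risk level in area(s): {bad}")


def maturity_score(findings: List[Finding]) -> float:
    """Overall compliance maturity as a percentage of the maximum (3 points x 10 areas)."""
    validate(findings)
    return round(100 * sum(f.maturity() for f in findings) / (3 * len(ARTICLE_21_AREAS)), 1)


def remediation_plan(findings: List[Finding]) -> List[Finding]:
    """Open findings ordered by risk level, then lowest maturity, then least effort (quick wins)."""
    validate(findings)
    return sorted((f for f in findings if f.maturity() < 3),
                  key=lambda f: (RISK_RANK[f.risk_level], f.maturity(), f.effort_days))


def report_lines(findings: List[Finding]) -> List[str]:
    """Plain-text summary in the shape of the gap analysis report prompt."""
    lines = [f"Overall maturity: {maturity_score(findings)}%"]
    for n, f in enumerate(remediation_plan(findings), 1):
        lines.append(f"{n}. ({f.area}) {ARTICLE_21_AREAS[f.area]} [{f.risk_level}, "
                     f"maturity {f.maturity()}/3, ~{f.effort_days}d]: {f.remediation}")
    return lines


# Constructed sample findings for a fictional 120-person manufacturer.
SAMPLE_FINDINGS = [
    Finding("a", True, True, True, "Low", "Maintain annual review", 0),
    Finding("b", True, False, False, "High", "Rewrite incident procedure to Art 23 timelines", 15),
    Finding("c", True, True, False, "Medium", "Test backup restores and run a DR exercise", 20),
    Finding("d", False, False, False, "Critical", "Create supplier risk assessment process", 30),
    Finding("e", False, False, False, "High", "Define vulnerability handling and disclosure policy", 25),
    Finding("f", False, False, False, "Medium", "Schedule control effectiveness reviews", 10),
    Finding("g", True, True, True, "Low", "Maintain training cadence", 0),
    Finding("h", True, False, True, "Medium", "Add key management rules to crypto policy", 8),
    Finding("i", True, True, True, "Low", "Maintain joiner/mover/leaver reviews", 0),
    Finding("j", False, False, False, "Critical", "Roll out MFA for remote and privileged access", 12),
]
```

With the sample findings, `report_lines(SAMPLE_FINDINGS)` puts the MFA gap (j) ahead of the supply chain gap (d) because both are Critical with zero maturity and MFA is the cheaper fix, which is exactly the "high-impact, low-effort" ordering the quick-wins prompt in Step 6 asks for; `validate` refuses a register that silently omits one of the ten areas, a common reason a gap report fails audit scrutiny.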

Step 5: Set up your ISMS Copilot workspace for NIS2

Why a dedicated workspace matters

A dedicated NIS2 workspace in ISMS Copilot ensures every AI response is tailored to your NIS2 implementation context, keeps your project conversations and uploaded documents organized, and creates an audit trail of your compliance work.

Creating your NIS2 workspace

  1. Log into ISMS Copilot at chat.ismscopilot.com

  2. Click the workspace dropdown in the sidebar

  3. Select "Create new workspace"

  4. Name your workspace using a clear convention:

    • "NIS2 Implementation - [Company Name]"

    • "NIS2 Compliance - [Client Name] - [Member State]"

    • "NIS2 [Essential/Important] Entity - [Sector]"

  5. Set custom instructions to tailor all responses:

Focus on NIS2 Directive (EU 2022/2555) compliance.

Organization context:
- Sector: [e.g., energy, healthcare, digital infrastructure, manufacturing]
- Entity classification: [essential / important]
- Size: [employees, annual turnover]
- EU member state(s): [primary jurisdiction and other operating states]
- National transposition law: [name of national law if known]
- Current maturity: [starting from scratch / have ISO 27001 / have partial controls]

Project scope:
- Target compliance date: [date]
- Primary gaps: [list key areas from gap analysis]
- Key stakeholders: [CISO, board, legal, IT, operations]

Preferences:
- Emphasize audit-ready outputs with NIS2 article references
- Flag management body obligations under Article 20
- Include national transposition considerations where relevant
- Align with ISO 27001 where applicable for organizations pursuing both

With custom instructions set, every prompt you enter in this workspace will produce responses calibrated to your specific sector, entity classification, member state, and current maturity level -- eliminating repetitive context-setting.

Step 6: Create your NIS2 implementation roadmap

Understanding the implementation phases

NIS2 implementation typically follows these phases:

  • Phase 1, Scoping and governance (2-4 weeks): Scope determination, management body briefing, resolution, governance framework. Deliverables: scoping statement, board resolution, governance charter

  • Phase 2, Gap analysis (3-6 weeks): Current-state assessment against all Art 21 areas, national transposition review. Deliverables: gap analysis report, prioritized remediation plan

  • Phase 3, Risk assessment (4-8 weeks): All-hazards risk analysis, asset identification, threat landscape, risk treatment. Deliverables: risk methodology, risk register, risk treatment plan

  • Phase 4, Policy and procedure development (6-10 weeks): Drafting policies for all ten Art 21 measure areas. Deliverables: ten policy documents, supporting procedures

  • Phase 5, Technical implementation (8-16 weeks): Deploying controls: MFA, encryption, monitoring, backup, access controls. Deliverables: control implementation evidence, configuration records

  • Phase 6, Incident response readiness (3-5 weeks): Building reporting workflows, templates, playbooks, CSIRT registration. Deliverables: incident classification matrix, reporting templates, playbooks

  • Phase 7, Supply chain security (4-8 weeks): Supplier assessments, questionnaires, contractual updates. Deliverables: supplier risk register, questionnaires, contract clauses

  • Phase 8, Training and awareness (2-4 weeks): Management training, employee cyber hygiene, role-based training. Deliverables: training materials, attendance records, competency assessments

  • Phase 9, Effectiveness testing (3-6 weeks): Control testing, vulnerability assessments, tabletop exercises. Deliverables: test results, corrective action plans

  • Phase 10, Authority registration and ongoing compliance (2-3 weeks): Register with national authority, establish continuous monitoring. Deliverables: registration confirmation, monitoring procedures

Timeline reality: A medium-sized organization starting from scratch should plan for 6-12 months for comprehensive NIS2 compliance. Organizations with existing ISO 27001 or similar frameworks can leverage existing controls and may achieve compliance in 3-6 months. ISMS Copilot significantly compresses the documentation phases.
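The roadmap prompt below asks for "dependencies between phases, and critical path items", and the critical path is what turns the per-phase durations above into an end-to-end timeline. The Python below is an added example for this guide, not ISMS Copilot output: the phase names and week ranges are taken from the phase list above, while the predecessor relationships (for instance, incident response, supply chain and training work running in parallel with technical implementation) are an assumption made here for illustration and should be replaced with the dependencies that hold for your organization.

```python
"""Critical path over the NIS2 roadmap phases (constructed example, not ISMS Copilot output).
Durations come from the phase list in this guide; the dependencies are assumed."""
from typing import Dict, List, Tuple

# phase number -> (name, minimum weeks, maximum weeks)
PHASES = {
    1: ("Scoping and governance", 2, 4),
    2: ("Gap analysis", 3, 6),
    3: ("Risk assessment", 4, 8),
    4: ("Policy and procedure development", 6, 10),
    5: ("Technical implementation", 8, 16),
    6: ("Incident response readiness", 3, 5),
    7: ("Supply chain security", 4, 8),
    8: ("Training and awareness", 2, 4),
    9: ("Effectiveness testing", 3, 6),
    10: ("Authority registration and ongoing compliance", 2, 3),
}
# Assumed predecessors: a phase can start once every listed phase has finished.
DEPENDS_ON = {1: [], 2: [1], 3: [2], 4: [3], 5: [4], 6: [4], 7: [3], 8: [4],
              9: [5, 6, 7, 8], 10: [9]}


def topological_order(deps: Dict[int, List[int]]) -> List[int]:
    """Kahn's algorithm; raises if the dependency graph contains a cycle."""
    indegree = {p: len(ds) for p, ds in deps.items()}
    successors = {p: [] for p in deps}
    for p, ds in deps.items():
        for d in ds:
            successors[d].append(p)
    ready = sorted(p for p, n in indegree.items() if n == 0)
    order = []
    while ready:
        p = ready.pop(0)
        order.append(p)
        for s in successors[p]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(deps):
        raise ValueError("dependency cycle in roadmap")
    return order


def earliest_finish(use_max: bool = False) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Forward pass: earliest finish week per phase and its predecessor on the longest path."""
    finish, pred = {}, {}
    for p in topological_order(DEPENDS_ON):
        duration = PHASES[p][2] if use_max else PHASES[p][1]
        start, via = 0, None
        for d in DEPENDS_ON[p]:
            if finish[d] > start:
                start, via = finish[d], d
        finish[p] = start + duration
        pred[p] = via
    return finish, pred


def critical_path(use_max: bool = False) -> Tuple[int, List[int]]:
    """Total elapsed weeks and the chain of phases that determines it."""
    finish, pred = earliest_finish(use_max)
    end = max(finish, key=finish.get)
    total, path = finish[end], []
    while end is not None:
        path.append(end)
        end = pred[end]
    return total, list(reversed(path))


def sequential_weeks(use_max: bool = False) -> int:
    """Elapsed weeks if every phase ran one after another (no parallel work)."""
    return sum(p[2] if use_max else p[1] for p in PHASES.values())


def describe(use_max: bool = False) -> str:
    total, path = critical_path(use_max)
    names = " -> ".join(PHASES[p][0] for p in path)
    return f"{total} weeks (about {total / 4.33:.1f} months) via {names}"
```

Under these assumed dependencies `critical_path()` gives 28 weeks at the low end and `critical_path(use_max=True)` 53 weeks at the high end, roughly the 6-12 month window stated above, against 37 and 70 weeks if the phases were run strictly one after another; the chain through risk assessment, policy development and technical implementation is the critical path in both cases, so slippage there moves the compliance date week for week.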

Generating your roadmap with AI

  1. Create a tailored implementation plan:

    "Generate a detailed NIS2 implementation roadmap for our [sector] organization ([employee count] employees, classified as [essential/important] entity in [member state]). We currently have [describe existing controls: e.g., ISO 27001 certified / no formal ISMS / some policies in place]. Include phase breakdown, key milestones, resource requirements, dependencies between phases, and critical path items. Target full compliance by [date]."

  2. Identify quick wins:

    "Based on our NIS2 gap analysis, identify the top 10 quick wins we can achieve in the first 30 days to demonstrate progress to our management body. Focus on high-impact, low-effort actions that also address the most critical compliance gaps."

  3. Build the resource plan:

    "Estimate the internal and external resources needed for NIS2 implementation at a [company size] [sector] organization. Include: FTE requirements by role (CISO, security analyst, IT, legal, project manager), potential need for external consultants, technology investments, and training budget. Provide a cost estimate range."

  4. Create a stakeholder communication plan:

    "Develop a stakeholder communication plan for our NIS2 implementation project. Include: key messages for the management body, department heads, IT team, legal, and all employees. Define communication frequency, channels, and escalation paths for each phase of the roadmap."

Step 7: Register with your national competent authority

Understanding registration requirements

NIS2 requires essential and important entities to register with their member state's designated competent authority. The registration process varies by member state, but typically requires:

  • Organization name, address, and registration number

  • Sector and subsector classification

  • Contact details for designated liaison person

  • EU member states where the entity operates

  • IP address ranges (for certain digital infrastructure entities)

Using AI to prepare registration

"Prepare the information required for NIS2 entity registration with the [member state] competent authority. Our organization details are: [provide company name, registration number, sector, services, operating member states]. Generate a checklist of all information we need to gather, and draft the registration notification."

Check your national competent authority's website for specific registration forms, portals, and deadlines. ENISA maintains a directory of national NIS2 authorities. Some member states have online portals; others require written notification.

Mapping NIS2 to existing frameworks

Leveraging ISO 27001 for NIS2

If your organization is already ISO 27001 certified or implementing the standard, you have a significant head start on NIS2 compliance. Many Article 21 measure areas map directly to ISO 27001 controls.

Ask ISMS Copilot to create a mapping:

"Create a detailed mapping between NIS2 Article 21 measure areas and ISO 27001:2022 Annex A controls. For each NIS2 requirement, show: the corresponding ISO 27001 clause or control, gaps where ISO 27001 does not fully cover NIS2 requirements, and additional actions needed for NIS2 compliance."

Aligning with DORA

Financial sector entities may be subject to both NIS2 and the Digital Operational Resilience Act (DORA). Article 4 of NIS2 contains a lex specialis provision: where a sector-specific Union act such as DORA imposes equivalent or stricter requirements, that act takes precedence over the corresponding NIS2 provisions.

"Our organization is subject to both NIS2 and DORA. Create a compliance overlap analysis showing which NIS2 requirements are fully covered by DORA, which require additional NIS2-specific actions, and how to structure a unified compliance program that satisfies both frameworks."

Next steps in your NIS2 implementation

You have now established the foundation for your NIS2 implementation:

  • Scope determined and documented

  • Entity classification confirmed

  • Management body briefed and resolution approved

  • Gap analysis completed against Article 21

  • ISMS Copilot workspace configured

  • Implementation roadmap created

Continue with the next guides in this series:

  • Risk assessment: See How to Conduct NIS2 Risk Assessment Using AI for a deep dive into all-hazards risk analysis, asset identification, and risk treatment aligned with Article 21

  • Policy creation: See How to Create NIS2 Cybersecurity Policies Using AI for step-by-step guidance on generating policies for each of the ten Article 21 measure areas

  • Incident reporting: See How to Implement NIS2 Incident Reporting Using AI for Article 23 compliance, reporting workflows, and playbooks

  • Supply chain security: See How to Manage NIS2 Supply Chain Security Using AI for supplier assessments, questionnaires, and contractual requirements

For ready-to-use prompts across all NIS2 domains, explore the NIS2 Directive Prompt Library. For a comprehensive overview of NIS2 requirements, see the NIS2 Compliance Guide for In-Scope Companies.

Getting help

For additional support during your NIS2 implementation:

  • Ask ISMS Copilot: Use your dedicated NIS2 workspace for ongoing questions as you progress through each phase

  • Upload documents: Get AI-powered gap analysis on existing security policies, risk assessments, or controls inventories

  • Framework Q&A: Ask specific questions about NIS2 articles, recitals, or national transposition requirements

  • Multi-framework alignment: Get guidance on aligning NIS2 with ISO 27001, DORA, GDPR, or other applicable frameworks

Ready to start your NIS2 implementation? Create your dedicated NIS2 workspace at chat.ismscopilot.com and run your first scope assessment today. The AI has dedicated NIS2 knowledge built from real consulting engagements -- not generic internet content.
