Knowledge Hub

Understand NIS2.
Simply explained.

Everything you need to know about the NIS2 Directive. Clear, structured, without jargon.

Frequently Asked Questions about NIS2

The 10 most important questions, clearly answered.

What is NIS2?

The NIS2 Directive (Network and Information Security 2) is an EU directive on cybersecurity. Each EU member state must transpose it into national law. It directly affects over 100,000 companies across the EU and many more through supply chain obligations.

Am I affected by NIS2?

NIS2 applies to companies with more than 50 employees OR more than EUR 10 million in revenue that operate in one of the 18 critical sectors. Smaller companies may also be affected through the supply chain. Our free check determines this in 2 minutes.

What are the 10 measure categories?

Art. 21 NIS2 defines 10 areas:

  1. Risk analysis and information security
  2. Incident handling
  3. Business continuity management (BCM)
  4. Supply chain security
  5. Security in acquisition, development and maintenance
  6. Effectiveness assessment
  7. Cyber hygiene and training
  8. Cryptography
  9. Personnel security, access control
  10. MFA, secure communications

What are the deadlines?

Registration deadlines vary by country. Check your national authority for specific dates. The EU NIS2 Directive has been in effect since January 2023. Further details are in our deadline overview.

What happens in case of violations?

Essential entities: up to EUR 10 million or 2% of global annual revenue. Important entities: up to EUR 7 million or 1.4% of global annual revenue. Personal managing director liability is enshrined in law.

What must management do?

Management must approve and oversee measures (as required by the national NIS2 transposition law). They must participate in training and are personally liable for breach of duty. Our training certificate feature helps with this.

What is the reporting obligation?

Security incidents must be reported:

  • Early warning within 24 hours
  • Full incident report within 72 hours
  • Final report within 1 month

Does NIS2 apply to the supply chain?

Yes! Art. 21(2)(d) obliges affected companies to secure their supply chain. Suppliers must be able to demonstrate NIS2 requirements, even if they are not directly affected. More on our supplier page.

What is the difference between “essential” and “important”?

Essential entities (Annex I, from 250 employees or over EUR 50 million): stricter supervision, higher fines (up to EUR 10 million / 2%).

Important entities (Annex I+II, from 50 employees or over EUR 10 million): supervision only on suspicion, lower fines (up to EUR 7 million / 1.4%).

Does NIS2 Pilot replace a consultant?

NIS2 Pilot helps with initial orientation and shows where action is needed. For a binding legal review, we recommend a specialised consultant. The app can save you valuable time and money in preparation.

NIS2 Glossary

Key terms around NIS2, briefly explained.

NIS2

Network and Information Security Directive 2, EU Directive 2022/2555

National NIS2 Law

Each EU member state transposes NIS2 into national law (e.g. NIS2UmsuCG in Germany, NISG in Austria)

NISG

NIS Act 2024 (Austria)

National NIS2 Authority

Each EU member state designates a competent authority (e.g. BSI in Germany, NIS Authority in Austria)

Critical Infrastructure

Essential services and facilities whose disruption would have significant impact on society (KRITIS in Germany)

BCM

Business Continuity Management: measures to maintain operations

ISMS

Information Security Management System: systematic framework for IT security

ISO 27001

International standard for information security management systems

GDPR

General Data Protection Regulation: EU-wide regulation for the protection of personal data

Annex I

11 sectors of “essential” entities (Energy, Transport, Healthcare, etc.)

Annex II

7 additional sectors of “important” entities (Postal, Chemicals, Food, etc.)

Art. 21

Article 21 NIS2: defines the 10 mandatory measure categories

Executive Liability

Managing director obligations: approval, oversight, and training certificate (national NIS2 law)

Reporting obligation

24h early warning, 72h incident report, 1 month final report

Registration obligation

Registration with your national authority (check your country's deadline) for affected entities

MD liability

Personal liability of managing directors for breach of duty (national NIS2 transposition law)

Deadline Overview

All important NIS2 dates at a glance.

Sanctions (essential)

EUR 10M or 2%

Done 17 Oct 2024

EU transposition deadline

EU member states were required to transpose the NIS2 Directive into national law by this date. Many countries have since enacted their national laws. Check your country's status above.

Active 2025–2026

Registration portals launched

National authorities across the EU are progressively launching registration portals. Check your country's competent authority for details and registration status.

ACTION REQUIRED Varies by country

Registration deadlines

Registration deadlines vary by country. Some deadlines have already passed. Check your national authority's portal for specific dates. Our registration assistant guides you through the process.

Ongoing 2026–2027

National CER / Critical Infrastructure Acts

EU member states are implementing the CER Directive (2022/2557), extending requirements to the physical resilience of critical infrastructures. Timelines vary by country.

18 NIS2 Sectors

Which industries are affected? Here is the complete overview.

Annex II (7 sectors): “important” entities

  • Postal/Courier
  • Waste Management
  • Chemicals
  • Food
  • Manufacturing
  • Digital Services
  • Research

Current: Registration deadline expired

Deadline missed? No need to panic.

Registration deadlines may have passed in some countries. But that does not mean it is too late. A late NIS2 registration is significantly better than none at all.

What does this mean in practice?

Registration portals typically remain open and continue to accept registrations. A deadline is a cut-off date, not a shutdown of the system. Companies that register now can still complete the process.

Fines could theoretically be imposed, but national authorities often take a cooperative approach. Those who act promptly and catch up on registration can significantly reduce the risk of sanctions. The key is to start the process now.

5 Steps to Catch Up on NIS2 Registration

1. Check applicability

First, clarify whether your company falls under NIS2. The criteria are employee count, revenue, and industry sector. Our free online check gives you an initial assessment in just a few minutes.

2. Catch up on authority registration

Sign in to your national authority's portal and complete the registration. Our registration assistant in the app guides you through the process step by step.

3. Start NIS2 measures

Begin with the 10 measure categories under Art. 21. Prioritise risk analysis, incident management, and supply chain security. A maturity assessment shows you where the greatest need for action lies.

4. Build documentation

Create evidence for your NIS2 compliance: policies, risk analyses, training certificates, and an audit trail. Thorough documentation can demonstrate during a later audit that you are actively pursuing the process.

5. Inform the supply chain

Inform your suppliers about NIS2 requirements. Even companies that are not directly affected may be obligated through the supply chain. Use our supplier questionnaire for this purpose.

Note: This information is for guidance only and does not constitute legal advice. Assessments regarding fines and regulatory action may change. For a binding evaluation of your situation, consult a specialised lawyer.
