NIS2 Directive: Secure your networks and information systems
The European NIS2 directive imposes new cybersecurity requirements on thousands of organizations across 18 sectors. Conformitly supports you through your compliance journey.
What is NIS2?
The NIS2 Directive (EU 2022/2555) is the European regulatory framework for cybersecurity, replacing the NIS1 directive from 2016. It significantly expands the scope of affected organizations and strengthens obligations regarding risk management, incident reporting, and governance. NIS2 targets essential and important entities across 18 sectors defined in Annexes I and II, with proportionate requirements based on the entity's criticality.
Who is affected by NIS2?
Key NIS2 requirements
Security measures (Art. 21)
Implementation of appropriate and proportionate technical, operational, and organizational measures: risk analysis, incident handling, business continuity, supply chain security, network security, access management, cryptography, HR security, asset management, and multi-factor authentication.
Incident reporting (Art. 23)
Three-stage reporting obligation: early warning within 24 hours of detecting a significant incident, detailed notification within 72 hours including an initial severity assessment, and a final report within one month covering the detailed description, root causes, and mitigation measures applied.
Governance and management accountability
Management bodies must approve cybersecurity risk management measures, oversee their implementation, and undergo appropriate training. Executives can be held personally liable in case of non-compliance.
Supply chain security
Entities must assess and manage risks related to their direct suppliers and service providers, taking into account the overall quality of products and cybersecurity practices of their suppliers, including secure development procedures.
Registration and cooperation
Entities in scope must register with the competent national authorities. Member states must establish national CSIRTs and participate in the EU-CyCLONe network for coordinated management of large-scale cyber crises.
NIS2 timeline
NIS2 directive entered into force
Deadline for transposition into member states' national law
Deadline for member states to establish registries of essential and important entities
NIS2 sanctions
Essential entities face administrative fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities risk fines of up to 7 million euros or 1.4% of global annual turnover. Executives can be held personally liable and face temporary bans from exercising management functions.
How Conformitly helps with NIS2
Automated NIS2 qualification
Determine in minutes whether your organization qualifies as an essential or important entity under NIS2, through a guided questionnaire covering sector, size, and criticality criteria.
22 pre-mapped controls
Benefit from 22 controls directly mapped to NIS2 Article 21 requirements, with detailed descriptions, expected evidence, and automatic progress tracking.
Incident reporting with timers
Manage your cybersecurity incidents with automatic timers to meet the regulatory deadlines of 24 hours, 72 hours, and 1 month imposed by Article 23, with pre-filled report templates.
Gap analysis and action plan
Identify your NIS2 compliance gaps through a detailed gap analysis, and automatically generate a prioritized action plan with tasks assignable to your teams.