The NIS2 Directive: Article 21 compliance checklist

A practical guide for essential and important entities. The ten required cybersecurity measures, incident reporting timelines, and what you actually need to implement.

Does NIS2 apply to you?

If your organization meets the size threshold (50+ employees or €10M+ turnover) and operates in one of these sectors, you are in scope:

  • Essential entities: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
  • Important entities: postal services, waste management, chemicals, food production, manufacturing, digital providers, research organizations
  • Regardless of size: providers of DNS, TLD registries, cloud computing, data center, CDN, managed security, or trust services in the EU
  • Member states can designate additional entities regardless of size

Small and micro enterprises are generally exempt unless they provide critical services like DNS, TLD registries, or trust services.

Key dates

January 16, 2023
NIS2 entered into force — Directive EU 2022/2555 was published and became EU law.
October 17, 2024
Transposition deadline — Member states were required to transpose NIS2 into national law. Implementation varies; check your national legislation.
2025 – 2026
Compliance audits begin — National authorities begin supervision and compliance checks. Essential entities face stricter proactive oversight.

Article 21: the ten required measures

NIS2 Article 21 mandates ten specific cybersecurity risk management measures. Every in-scope entity must implement all of them.

1. Risk analysis and information security policies (Article 21(2)(a))

Establish and maintain policies covering risk assessment methodologies, asset classification, and information security objectives. Review and update them regularly based on evolving threats.

2. Incident handling (Article 21(2)(b))

Implement processes for preventing, detecting, and responding to cybersecurity incidents. This includes detection mechanisms, escalation procedures, containment, and post-incident analysis.

3. Business continuity and crisis management (Article 21(2)(c))

Establish business continuity plans, backup management, disaster recovery, and crisis management procedures. Test them regularly.

4. Supply chain security (Article 21(2)(d))

Assess and manage cybersecurity risks in your supply chain and in your relationships with direct suppliers and service providers. Include security requirements in contracts.

5. Security in network and information systems (Article 21(2)(e))

Ensure security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.

6. Policies and procedures to assess effectiveness (Article 21(2)(f))

Implement policies and procedures for assessing the effectiveness of your cybersecurity risk management measures. Conduct regular audits, penetration tests, and security assessments.

7. Cybersecurity hygiene and training (Article 21(2)(g))

Establish basic cyber hygiene practices and cybersecurity training for all staff. Management bodies must receive specific training and are personally liable under Article 20.

8. Cryptography and encryption (Article 21(2)(h))

Implement policies on the use of cryptography and, where appropriate, encryption for protecting data at rest and in transit.

9. Human resources security and access control (Article 21(2)(i))

Enforce human resources security policies, access control policies, and asset management. Apply least privilege and role-based access.

10. Multi-factor authentication and secure communications (Article 21(2)(j))

Use multi-factor authentication, continuous authentication solutions, and secured voice, video, and text communications. Apply secured emergency communication systems where appropriate.

Incident reporting: the 24/72/30-day rule

NIS2 Article 23 requires entities to notify their national CSIRT (or competent authority) when a significant incident occurs. The timeline mirrors the CRA’s ENISA reporting structure:

Within 24 hours
Early warning — Notify your CSIRT that a significant incident has occurred. Indicate whether it was caused by malicious action and whether it may have cross-border impact. No detailed analysis required.
Within 72 hours
Incident notification — Submit a detailed update: initial severity assessment, indicators of compromise, impact scope, and containment actions taken.
Within 1 month
Final report — Comprehensive report including detailed description, threat type or root cause, applied mitigation measures, and cross-border impact.

A "significant incident" is one that has caused or is capable of causing severe operational disruption, financial loss, or considerable damage to other natural or legal persons.

Penalties

Essential entities
Up to €10 million or 2% of global annual turnover, whichever is higher.
Important entities
Up to €7 million or 1.4% of global annual turnover, whichever is higher.

Under Article 20, management bodies of essential and important entities must approve and oversee cybersecurity measures. They can be held personally liable for non-compliance and must undergo mandatory cybersecurity training.

NIS2 vs. CRA: which applies to you?

Both regulations have similar incident timelines, but different scopes:

NIS2    Organizational cybersecurity for operators of essential/important services
        Scope: your organization’s internal security posture, policies, and incident response
CRA     Product-level security for manufacturers of products with digital elements
        Scope: your products, covering SBOMs, vulnerability handling, security updates, and conformity

Many organizations fall under both. Security2Center covers both: NIS2 readiness scoring for your organizational measures, and CRA readiness for your product security obligations.

Get NIS2 ready with Security2Center

NIS2 readiness dashboard scores your organization across all ten Article 21 measures. CSIRT notification templates generate the reports your authority expects. Incident tracking enforces 24h/72h/1-month deadlines automatically.

FAQ

What is the NIS2 Directive?

NIS2 (Directive EU 2022/2555) is an EU directive that strengthens cybersecurity requirements for essential and important entities across critical sectors. It replaces the original NIS Directive with expanded scope, stricter security measures, and personal liability for management.

Who does NIS2 apply to?

Organizations with 50+ employees or €10M+ annual turnover in critical sectors (energy, banking, healthcare, transport, water, digital infrastructure) and important sectors (food, manufacturing, waste management, digital providers). Member states can also designate smaller entities for critical services.

What are the NIS2 incident reporting deadlines?

Article 23 requires a three-stage notification to your national CSIRT: early warning within 24 hours, detailed incident notification within 72 hours, and a comprehensive final report within one month. These are clock hours, including weekends and holidays.

What are the penalties for NIS2 non-compliance?

Essential entities: up to €10 million or 2% of global turnover. Important entities: up to €7 million or 1.4% of global turnover. Management bodies face personal liability and must receive mandatory cybersecurity training.

How does NIS2 relate to ISO 27001?

A certified ISO 27001 ISMS covers approximately 70% of NIS2 requirements. However, NIS2 adds specific obligations around incident reporting timelines, supply chain risk management, management accountability, and cooperation with national authorities that go beyond ISO 27001.

How does NIS2 relate to the CRA?

NIS2 focuses on organizational cybersecurity for operators of essential services. The CRA focuses on product-level security for manufacturers. Many organizations fall under both. The incident reporting timelines are identical (24h/72h/1 month), but NIS2 reports go to national CSIRTs while CRA reports go to ENISA.