NIS2 Compliance

EU Network and Information Security Directive 2

NIS2 significantly widens the scope of organizations across energy, transport, health, digital infrastructure, and other critical sectors that must meet formal cybersecurity risk management and incident reporting requirements, with a 24-hour initial notification window for significant incidents. In-scope entities face a first compliance audit deadline of June 30, 2026, ahead of full national compliance in October 2026.

Who needs NIS2

  • Organizations newly in scope as “essential” or “important” entities under NIS2
  • Critical infrastructure operators across energy, transport, health, and digital sectors
  • Suppliers to NIS2-regulated entities facing new contractual security requirements

Our approach

  • Scope determination and gap assessment against NIS2 risk management measures
  • Incident reporting process design to meet the 24-hour notification requirement
  • Supply chain and third-party risk management program development
  • Governance and board-level accountability documentation

Frequently asked questions

How do I know if NIS2 applies to my organization?

NIS2 applies to medium and large entities across a wide list of sectors defined as “essential” or “important,” including energy, transport, banking, health, digital infrastructure, and more, based on the national transposition law in the relevant EU member state. A scope determination is the right first step if you're unsure.

What happens if we miss the reporting window after an incident?

Missing the 24-hour initial notification window is itself a compliance failure, separate from the incident itself, and regulators have signaled active enforcement. Building a tested, rehearsed reporting process ahead of time is the practical defense.

Is NIS2 the same as GDPR?

No. GDPR governs personal data protection and privacy. NIS2 governs cybersecurity risk management and incident reporting for critical infrastructure and digital services, with its own scope, deadlines, and reporting obligations. Many organizations are subject to both.

Ready to start your NIS2 journey?

Tell us where you are today and we'll scope a gap assessment to get you audit-ready.