NIS2 Compliance Software for Small & Medium Businesses
The NIS2 Directive is already being enforced. Fines up to €10M or 2% of turnover — plus personal liability for management. ComplyOne helps SMBs meet every requirement without a dedicated compliance team.
What NIS2 Requires from Your Business
NIS2 is the EU's updated cybersecurity directive. It's broader and stricter than NIS1 — covering more sectors, setting tighter deadlines, and adding management accountability.
Incident Reporting
Significant incidents must be reported within 24 hours (initial warning) and 72 hours (full report). Missing these windows is itself a violation.
Supply Chain Security
You're responsible for the security practices of your suppliers and service providers. NIS2 requires documented vendor risk assessments.
Management Liability
Directors and executives can be held personally liable for NIS2 violations — including temporary bans from management positions.
Which Sectors Are In Scope
Essential Entities (stricter rules)
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, road, maritime)
- Banking and financial market infrastructure
- Healthcare
- Drinking water & wastewater
- Digital infrastructure & ICT services
- Public administration
Important Entities (also in scope)
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production
- Medical device manufacturers
- Digital providers (online marketplaces, search engines)
- Research organisations
Not sure which category applies to you? Run a free compliance check — takes 5 minutes.
How ComplyOne Handles NIS2 for You
Maps your NIS2 obligations
Answer a few questions about your organisation. ComplyOne identifies exactly which NIS2 articles apply — no manual reading of 100+ pages of directive text.
Tracks your control status
Every NIS2 control (risk management, access control, incident response, supply chain) is tracked in a live dashboard with a clear readiness score.
Incident reporting templates
Pre-built 24-hour initial warning and 72-hour full incident report templates, so you're never scrambling when something goes wrong.
Vendor risk assessments
Built-in supplier questionnaires and risk scoring to document your supply chain security — a core NIS2 requirement.
Penalties
- Essential entities: up to €10M or 2% of global turnover. Whichever is higher applies.
- Important entities: up to €7M or 1.4% of global turnover — plus personal management liability.
How to Approach NIS2 Compliance: First Steps
NIS2 can feel overwhelming. In practice, most organisations can reach a solid baseline in 8–12 weeks by following a structured approach.
Determine if you're in scope
Check whether your organisation qualifies as an essential or important entity. Size (50+ employees or €10M+ revenue) and sector both matter. Supply chain position also counts — even smaller suppliers can be pulled in.
Classify your entity type
Essential entities face stricter oversight and proactive supervision. Important entities are subject to reactive supervision. The classification affects your audit timeline and the intensity of required controls.
Run a gap assessment
Map your current security controls against the 10 minimum measures in NIS2 Article 21: risk analysis and security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition and maintenance of network and information systems (including vulnerability handling), assessing the effectiveness of your security measures, cyber hygiene and training, cryptography, HR security and access control (including asset management), and multi-factor authentication.
Set up incident reporting
Establish internal procedures so that when a significant incident occurs, you can file the initial 24-hour warning and 72-hour full report without scrambling. Designate who reports, to which national authority, and in what format.
Document everything
NIS2 requires that management actively governs cybersecurity and that this governance is documented. Policies, risk registers, supplier assessments, and training records all serve as evidence.
Get your NIS2 readiness score in 5 minutes
Free compliance check. No credit card. See exactly where you stand before an auditor does.
Start Free NIS2 Check
NIS2 FAQ
Does NIS2 apply to my business?
NIS2 applies to medium and large organisations in critical sectors — including energy, transport, banking, digital infrastructure, healthcare, and managed IT services. It also extends obligations to supply chain partners of in-scope entities. Run our free compliance check to see if you're in scope.
When did NIS2 take effect?
The NIS2 Directive entered into force in January 2023. EU member states were required to transpose it into national law by October 17, 2024. Most countries are now actively enforcing it, with national supervisory authorities issuing guidance.
What are the fines for NIS2 non-compliance?
For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of global annual turnover. Management liability is a key new feature — executives can be held personally responsible.
What does NIS2 actually require us to do?
Core requirements include: risk management measures, incident reporting within 24 hours (initial) and 72 hours (detailed), business continuity planning, supply chain security, access control, vulnerability handling, and cybersecurity training. ComplyOne structures all of these into trackable tasks.
We already have ISO 27001 — are we covered?
Partially. ISO 27001 overlaps significantly with NIS2 requirements, but NIS2 adds specific obligations around incident reporting timelines, management accountability, and supply chain due diligence that ISO 27001 doesn't fully address. ComplyOne shows you exactly where your gaps are.
What are the 10 minimum security measures under NIS2?
NIS2 Article 21 specifies 10 required areas: (1) risk analysis and security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) security in network and information systems acquisition, (6) policies and procedures to assess the effectiveness of cybersecurity measures, (7) basic cyber hygiene practices and cybersecurity training, (8) policies and procedures regarding the use of cryptography, (9) human resources security and access control policies, (10) multi-factor authentication. ComplyOne maps each of these to trackable controls.
Can NIS2 apply to us even if we're not in a critical sector?
Yes — through the supply chain. If you provide IT services, managed security, cloud infrastructure, or software to an essential or important entity, NIS2 obligations can flow to you contractually. Many SMBs are discovering NIS2 requirements through enterprise customer contracts rather than direct regulatory notification.