NIS2 Compliance
The EU’s expanded cybersecurity directive imposing risk-management, incident-reporting and governance obligations on essential and important entities across many sectors.
It applies to medium and large organisations in 18 sectors deemed “essential” or “important”, and to their suppliers, operating in or serving the EU.
- Mandatory risk-management measures and 24-hour incident reporting
- Management bodies are personally accountable
- Significant fines for non-compliance
Free NIS2 gap checker
Answer 8 quick questions for an instant readiness score and your priority gaps. ~2 minutes, no sign-up.
1. Do you have approved security policies and clear ownership of cyber risk?
2. How do you identify and treat information-security risks?
3. How are identity and access managed?
4. Do you maintain an inventory of assets and data?
5. How is sensitive/personal data protected?
6. What monitoring and detection do you have?
7. How prepared are you for a security incident?
8. How do you manage supplier/third-party risk?
NIS2 — frequently asked
Does NIS2 apply to my company?
If you are a medium/large entity in one of the 18 in-scope sectors (or a key supplier) operating in the EU, it likely applies.
What is the NIS2 incident-reporting deadline?
An early warning within 24 hours of becoming aware of a significant incident, with follow-up reports thereafter.
How do we prepare for NIS2?
Start with a gap assessment against the risk-management measures, then implement governance, controls and reporting processes.