NIS 2 Compliance Deepdive
1. Overview
What NIS 2 Is
Directive (EU) 2022/2555 (the NIS 2 Directive) is the EU's harmonized cybersecurity framework for essential and important entities operating in the Union. It entered into force on 16 January 2023 with a transposition deadline of 17 October 2024 across all 27 EU member states. NIS 2 replaces and substantially expands the previous NIS Directive: it widens the sectoral scope from 7 sectors to 18, introduces explicit supply chain security obligations, harmonizes incident reporting on a three-clock structure, and makes the management body of in-scope entities accountable for the risk-management measures. The text and Annexes are published at eur-lex.europa.eu; the European Commission and ENISA publish implementing guidance and the relevant Implementing Regulations.
Who It Applies To
NIS 2 applies to entities of the types listed in 18 sectors across two annexes. The annex an entity falls under does not by itself make it essential or important; that classification is made in Article 3 from the annex together with the entity's size (see section 2).
- Annex I (sectors of high criticality): energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration entities, space.
- Annex II (other critical sectors): postal and courier services, waste management, manufacture / production / distribution of chemicals, production / processing / distribution of food, manufacturing (medical devices, computer / electronic / optical products, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), research.
Size matters: as a general rule (Article 2(1)), NIS 2 reaches entities of an Annex I or Annex II type that qualify as medium-sized or large under Recommendation 2003/361/EC, meaning 50 or more employees, or annual turnover and annual balance sheet total both above 10 million euros. Article 2(2) to 2(4) add categories that are in scope regardless of size, and member states may identify further entities. Providers of public electronic communications networks or services, trust service providers, top-level domain name registries, DNS service providers and central government public administration entities are in scope regardless of size; most other digital infrastructure types (for example cloud and data centre providers) remain subject to the size threshold.
Why It Reaches the Supply Chain
Article 21(2)(d) requires every in-scope entity to address supply chain security in its cybersecurity risk-management measures, including the security-related aspects of the relationship between each entity and its direct suppliers or service providers. In practice this flows down through customer contracts, vendor security questionnaires, procurement requirements, and contractual SLAs. For B2B SaaS providers and consulting firms selling into Annex I or Annex II entities, NIS 2 arrives at the contract negotiation, the renewal, and the procurement onboarding form.
Outcome
NIS 2 is not certifiable. Compliance is demonstrated through documented risk-management measures, operational evidence, incident reporting capability, and management body engagement. Sanctions are substantial (Article 34): essential entities up to 10 million euros or 2 percent of total worldwide annual turnover in the preceding financial year, whichever is higher; important entities up to 7 million euros or 1.4 percent. Management bodies can be held liable for infringements under Article 20(1), and for essential entities Article 32(5)(b) allows the competent authority to have a natural person with managerial responsibilities at CEO or legal representative level temporarily prohibited from exercising managerial functions where earlier enforcement measures have not been effective.
Security Consultants supports NIS 2 programs through the NIS 2 compliance service, typically combined with ISO 27001 for the underlying ISMS and SOC 2 for the customer-facing attestation.
2. Scope & Applicability
Annex I and Annex II Sectors
The 18 in-scope sectors are listed above. Article 3 decides the classification: large enterprises of an Annex I type are essential entities, as are qualified trust service providers, TLD name registries and DNS service providers regardless of size, medium-sized providers of public electronic communications networks or services, and central government public administration entities; every other in-scope entity (medium-sized Annex I entities and all Annex II entities, including large ones) is an important entity. The categorization affects the supervisory regime (ex ante and ex post supervision of essential entities under Article 32, ex post supervision of important entities under Article 33) and maximum sanctions, but the substantive Article 21 risk-management obligations are identical.
Size Thresholds (Article 2)
Medium-sized enterprise threshold per the Annex to Recommendation 2003/361/EC, applied through Article 2(1). Each size ceiling combines headcount AND (annual turnover OR annual balance sheet total): an enterprise is small while it has fewer than 50 employees and either its turnover or its balance sheet total is at or below 10 million euros, so exceeding the turnover figure alone does not make it medium-sized. Medium-sized is 50 or more employees (or both financial figures above 10 million euros) while staying below 250 employees with turnover at or below 50 million euros or balance sheet total at or below 43 million euros. Large is 250 or more employees, or both turnover above 50 million euros and balance sheet total above 43 million euros.
Size-Exempt Sub-Sectors
Article 2(2)(a) lists types that are in scope regardless of size: providers of public electronic communications networks or of publicly available electronic communications services, trust service providers, and top-level domain name registries and DNS service providers (root name servers are excluded from the DNS service provider definition in Article 6). Article 2(2)(f) adds public administration entities of central government, and at regional level where the member state so determines after a risk-based assessment. Article 2(2)(b) to (e) extend scope, regardless of size, to entities the member state identifies as the sole provider in that member state of a service essential for critical societal or economic activities, or whose disruption could significantly affect public safety, security or health, induce systemic risk, or that are otherwise critical at national or regional level. Article 2(3) covers entities identified as critical entities under Directive (EU) 2022/2557 and Article 2(4) covers entities providing domain name registration services, both regardless of size.
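The size rule and the Article 3 classification are easy to get wrong because the Recommendation's ceilings combine headcount with turnover OR balance sheet, and because a large Annex II entity is important, not essential. The following Python is an added example for the size thresholds and the size-exempt categories above; it is not code from the Directive, any authority or this page. It models Articles 2(1), 2(2)(a), 2(2)(f)(i), 3(1)(a) to (d) and 3(2). The Entity fields, the enum names and the decision to leave member-state identified categories unmodelled (Article 2(2)(b) to (e), 2(2)(f)(ii), 2(3), 2(4), 3(1)(e) to (g)) are the example's own assumptions, and the sample entities in the tests are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Size(Enum):
    MICRO = "micro"
    SMALL = "small"
    MEDIUM = "medium"
    LARGE = "large"


def size_class(headcount: int, turnover_eur: float, balance_sheet_eur: float) -> Size:
    """Size category per the Annex to Recommendation 2003/361/EC.

    Each ceiling is headcount AND (turnover OR balance sheet): an enterprise
    stays below a ceiling while its headcount is under the staff limit and at
    least one of the two financial figures is within its limit. Exceeding only
    the turnover limit therefore does not move it up a class."""
    def below(staff: int, turnover: float, balance: float) -> bool:
        return headcount < staff and (turnover_eur <= turnover or balance_sheet_eur <= balance)

    if below(10, 2_000_000, 2_000_000):
        return Size.MICRO
    if below(50, 10_000_000, 10_000_000):
        return Size.SMALL
    if below(250, 50_000_000, 43_000_000):
        return Size.MEDIUM
    return Size.LARGE


class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"
    NONE = "not an Annex I or II entity type"


class Status(Enum):
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    OUT_OF_SCOPE = "outside Article 2 scope"


@dataclass
class Entity:
    """Assumed input shape for the example (not a Directive construct)."""
    name: str
    annex: Annex
    headcount: int
    turnover_eur: float
    balance_sheet_eur: float
    # Art. 2(2)(a) and 2(2)(f)(i) types that are in scope regardless of size.
    # All of them are Annex I entity types, so pass annex=Annex.I for them.
    public_ecn_ecs_provider: bool = False   # public electronic communications networks/services
    trust_service_provider: bool = False
    qualified_trust_service_provider: bool = False
    tld_registry_or_dns_provider: bool = False
    central_government: bool = False


def classify(e: Entity) -> tuple[Status, str]:
    """Essential / important / out of scope per Art. 2(1), 2(2)(a), 2(2)(f)(i) and 3.
    Member-state identified categories (Art. 2(2)(b)-(e), 2(2)(f)(ii)), CER critical
    entities (Art. 2(3)), domain name registration services (Art. 2(4)) and
    Art. 3(1)(e)-(g) are deliberately not modelled here."""
    size = size_class(e.headcount, e.turnover_eur, e.balance_sheet_eur)
    if e.qualified_trust_service_provider or e.tld_registry_or_dns_provider:
        return Status.ESSENTIAL, "Art. 3(1)(b): essential regardless of size"
    if e.central_government:
        return Status.ESSENTIAL, "Art. 3(1)(d): central government public administration"
    size_exempt = e.public_ecn_ecs_provider or e.trust_service_provider
    if e.annex is Annex.NONE and not size_exempt:
        return Status.OUT_OF_SCOPE, "entity type not listed in Annex I or II"
    if size in (Size.MICRO, Size.SMALL) and not size_exempt:
        return Status.OUT_OF_SCOPE, f"{size.value} enterprise below the Art. 2(1) ceiling"
    if e.annex is Annex.I and size is Size.LARGE:
        return Status.ESSENTIAL, "Art. 3(1)(a): large enterprise of an Annex I type"
    if e.public_ecn_ecs_provider and size is Size.MEDIUM:
        return Status.ESSENTIAL, "Art. 3(1)(c): medium-sized public electronic communications provider"
    return Status.IMPORTANT, "Art. 3(2): in scope but not an essential entity"


if __name__ == "__main__":
    # Constructed entities, not real organisations.
    for entity in (
        Entity("food producer", Annex.II, 40, 12_000_000, 8_000_000),
        Entity("chemicals group", Annex.II, 300, 80_000_000, 60_000_000),
        Entity("dns operator", Annex.I, 8, 1_000_000, 1_000_000, tld_registry_or_dns_provider=True),
    ):
        status, basis = classify(entity)
        print(f"{entity.name}: {status.value} ({basis})")
```

The food producer case is the one that surprises procurement teams: turnover above 10 million euros but a balance sheet total below it keeps the enterprise small, so it is outside direct scope. An OUT_OF_SCOPE result says nothing about supply chain flow-down; a small vendor to an essential entity still receives the Article 21(2)(d) requirements contractually.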
Supply Chain Flow-Down
Article 21(2)(d) requires the entity to address security-related aspects of the relationship with direct suppliers and service providers; Article 22 enables coordinated risk assessments of critical supply chains at Union level. Direct effect: in-scope entities pass through contractual security requirements to their vendors. The supply chain provisions are not optional contractual practice; they are required risk-management measures under the Directive.
Member State Transposition
NIS 2 is a Directive, not a Regulation: it must be transposed into the national law of each of the 27 member states, and the transposition acts vary materially on scope, sanctions, registration mechanisms, and competent authorities. Many member states missed the 17 October 2024 deadline. Examples of transposition acts in 2024 and 2025 (status at the time of writing; verify before relying on it): Germany NIS2UmsuCG (delayed; expected 2025), Italy Legislative Decree 138/2024, France LPM and Decree 2024-XX, Netherlands Wbni revision, Spain Royal Decree-Law transposition, Ireland NIS 2 Regulations 2025, Poland UKSC amendment. Cross-border vendors must track the transposition state for each customer's member state.
3. Core Principles
NIS 2 builds on three principles:
- Risk-management measures (Article 21): an all-hazards set of at least ten technical, operational, and organizational measures, proportionate to the risks posed.
- Incident notification (Article 23): harmonized three-clock notification structure to the competent CSIRT or authority for significant incidents.
- Management body accountability (Article 20): management bodies approve risk-management measures, oversee their implementation, and bear personal liability for compliance failures.
The Directive is supplemented by Implementing Regulation (EU) 2024/2690, adopted under Article 21(5) and Article 23(11), which sets out the technical and methodological requirements for the Article 21(2) measures and specifies when an incident is significant for certain Annex I and II types: DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking services platforms, and trust service providers.
4. Control Breakdown
Article 21 — Ten Risk-Management Measures
Article 21(2) requires in-scope entities to take measures based on an all-hazards approach, including:
- (a) Risk analysis and information system security policies: documented risk assessment methodology, risk register, information security policy reviewed at management level.
- (b) Incident handling: documented incident management process covering detection, response, recovery, lessons learned.
- (c) Business continuity: backup management, disaster recovery, crisis management, business continuity plan tested.
- (d) Supply chain security: security-related aspects of relationships with direct suppliers and service providers, with risk-based vendor assessment and contractual security requirements.
- (e) Security in network and information systems acquisition, development and maintenance: secure SDLC, vulnerability handling and disclosure, change management.
- (f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures: testing, internal audit, management review.
- (g) Basic cyber hygiene practices and cybersecurity training: workforce training program, security awareness, management body training under Article 20(2).
- (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption: cryptography policy, encryption in transit and at rest, key management lifecycle.
- (i) Human resources security, access control policies and asset management: background screening, joiner-mover-leaver, least privilege, asset inventory.
- (j) Use of multi-factor authentication or continuous authentication, secured voice / video / text communications, and secured emergency communication systems: MFA on privileged and remote access, secured communications.
Article 23 — Incident Reporting
Trigger: significant incident as defined in Article 23(3) (causes or is capable of causing severe operational disruption or financial loss; affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage).
Three-Clock Notification Structure (Article 23(4)):
- Early warning to the competent CSIRT or authority without undue delay and within 24 hours of becoming aware of the significant incident, indicating where applicable whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident notification without undue delay and within 72 hours of becoming aware, updating the early warning and adding an initial assessment of severity and impact and, where available, indicators of compromise. Trust service providers have 24 hours, not 72, for significant incidents that affect the provision of their trust services.
- Final report not later than one month after the incident notification, including a detailed description (severity and impact), the type of threat or root cause likely to have triggered the incident, applied and ongoing mitigation measures, and where applicable the cross-border impact. If the incident is still ongoing at that point, the entity submits a progress report then and the final report within one month of handling the incident.
Intermediate status reports may be requested by the CSIRT or competent authority. Recipients of the entity's services are notified without undue delay where the incident is likely to adversely affect those services, and, where applicable, of a significant cyber threat and the measures they can take against it.
Article 20 — Governance
Management bodies of in-scope entities approve the cybersecurity risk-management measures, oversee their implementation, and may be held liable for infringements. Members of the management body must follow training to gain sufficient knowledge to assess cybersecurity risks and management practices (Article 20(2)).
Implementing Regulation (EU) 2024/2690
For digital infrastructure, ICT service management (business-to-business), digital providers and trust service providers, the Implementing Regulation specifies the cybersecurity requirements in more detail and defines when an incident is significant. SaaS providers in scope (cloud computing service providers, data centre service providers, CDN providers, managed service providers, MSSPs, online marketplaces, search engines, social networking) operate under this enhanced regime.
5. Minimum Requirements (Non-Negotiable) — Supply Chain View
Mandatory Documents
- Cybersecurity risk assessment with documented methodology
- Risk register
- Information security policy approved by the management body
- Incident response plan with the three-clock notification workflow
- Business continuity and disaster recovery plan with annual test record
- Supply chain security policy and supplier register with risk classification
- Cryptography and encryption policy with key management lifecycle
- Access control policy with MFA enforcement evidence
- Workforce training program and management body training records
- Sub-processor list available to in-scope customers
- Procurement response package (cybersecurity self-assessment, ISO 27001 certificate, SOC 2 report, incident notification SLA)
Mandatory Processes
- Annual risk assessment refresh
- Annual business continuity and DR test
- Continuous supplier security re-assessment
- Incident notification to in-scope customers per contractual SLA (typically tighter than the 24h regulatory clock)
- Management body training and engagement on cybersecurity
- Customer due diligence response cycle
Technical Controls
- MFA on privileged access and remote access
- Encryption in transit and at rest with documented key management
- Network segmentation and boundary protection
- Centralized logging and monitoring sufficient for incident investigation
- Vulnerability and patch management
- Endpoint protection
- Backup with tested restoration
6. Technical Implementation Guidance
Build on ISO 27001 Foundation
NIS 2 Article 21 measures map closely to ISO 27001:2022 Annex A and SOC 2 Trust Services Criteria. For a supply-chain vendor already operating an ISMS, the NIS 2-specific extensions are:
- Three-clock incident notification workflow per Article 23
- Supply chain security policy with risk classification of suppliers per Article 21(2)(d)
- Management body training program per Article 20(2)
- Procurement response package that maps your ISO 27001 controls to Article 21 measures
Incident Reporting Workflow
- Document the three-clock workflow: early warning within 24 hours of awareness, incident notification within 72 hours (24 hours for trust service providers), final report within one month of the incident notification, with the progress-report branch for incidents still ongoing at that point
- Identify which member state CSIRT or competent authority each in-scope customer reports to (Article 26: generally the member state of establishment, or the main establishment for the digital infrastructure, ICT service management and digital provider types), and what information the customer needs from you to meet its own 24 hour early warning
- Pre-draft customer notification templates for the contractual notification clock, which is typically tighter than 24 hours
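The clocks in the Article 23 section and in this workflow are simpler to rehearse with a tracker than with a diagram, because three of them branch: the trust service provider derogation, the ongoing-incident progress report, and the contractual customer clock. The following Python is an added example, not code from this page, the Directive or any authority: it computes each Article 23(4) deadline from the awareness timestamp and reports which clocks are met, late, open or overdue. The class and method names are the example's own assumptions, as is reading "one month" as a calendar month with day clamping (substitute a fixed 30 days if your counsel prefers the stricter reading); the sample timeline is constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last day of the target
    month (31 Jan -> 28/29 Feb). Assumption of this example: 'one month' in
    Art. 23(4)(d)-(e) is read as a calendar month, not as 30 days."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))


@dataclass
class NotificationTimeline:
    """The Article 23(4) clocks for one significant incident. 'aware_at' is the
    moment the entity became aware of the incident; every timestamp must be
    timezone-aware so submissions across member states compare correctly."""
    aware_at: datetime
    trust_service_provider: bool = False        # 24h derogation for the incident notification
    early_warning_at: Optional[datetime] = None
    incident_notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None
    handling_completed_at: Optional[datetime] = None   # None while the incident is ongoing

    def __post_init__(self) -> None:
        for name in ("aware_at", "early_warning_at", "incident_notification_at",
                     "final_report_at", "handling_completed_at"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def early_warning_due(self) -> datetime:
        return self.aware_at + timedelta(hours=24)                 # Art. 23(4)(a)

    def incident_notification_due(self) -> datetime:
        hours = 24 if self.trust_service_provider else 72          # Art. 23(4)(b) and TSP derogation
        return self.aware_at + timedelta(hours=hours)

    def customer_notification_due(self, sla: timedelta) -> datetime:
        """Contractual clock owed to an in-scope customer; never looser than the
        24h early warning that customer must itself meet."""
        return self.aware_at + min(sla, timedelta(hours=24))

    def progress_report_due(self) -> Optional[datetime]:
        """Art. 23(4)(e): due only if the incident is still ongoing when the
        final report falls due one month after the incident notification."""
        if self.incident_notification_at is None:
            return None
        nominal = add_one_month(self.incident_notification_at)
        ongoing = self.handling_completed_at is None or self.handling_completed_at > nominal
        return nominal if ongoing else None

    def final_report_due(self) -> Optional[datetime]:
        """Art. 23(4)(d): one month after the incident notification; for an
        incident that outlives that date, one month after handling completed."""
        if self.incident_notification_at is None:
            return None                                            # clock has not started
        nominal = add_one_month(self.incident_notification_at)
        if self.handling_completed_at is not None and self.handling_completed_at > nominal:
            return add_one_month(self.handling_completed_at)
        return nominal

    def status(self, now: datetime) -> dict[str, str]:
        """met / late (submitted after the deadline) / overdue (not submitted,
        deadline passed) / open (not submitted, deadline ahead) / not started."""
        def state(sent: Optional[datetime], due: Optional[datetime]) -> str:
            if due is None:
                return "not started"
            if sent is not None:
                return "met" if sent <= due else "late"
            return "overdue" if now > due else "open"
        return {
            "early_warning": state(self.early_warning_at, self.early_warning_due()),
            "incident_notification": state(self.incident_notification_at, self.incident_notification_due()),
            "final_report": state(self.final_report_at, self.final_report_due()),
        }


def sample_timeline() -> NotificationTimeline:
    """Constructed example, not a real incident: aware late on 30 Jan 2025 (UTC),
    early warning after 6h, incident notification after 20h, no final report yet."""
    aware = datetime(2025, 1, 30, 22, 0, tzinfo=timezone.utc)
    return NotificationTimeline(
        aware_at=aware,
        early_warning_at=aware + timedelta(hours=6),
        incident_notification_at=aware + timedelta(hours=20),
    )


if __name__ == "__main__":
    tl = sample_timeline()
    print("final report due:", tl.final_report_due())
    print(tl.status(datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)))
```

In the sample the incident notification goes out on 31 January, so the final report is due on 28 February (the clamped calendar month), and a status check on 1 March shows it overdue. Wire status() into the incident ticket so the overdue state pages the incident lead rather than being discovered at the next review.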
Supply Chain Security
- Build the supplier register with risk classification (criticality of the supplier's role, sensitivity of data processed, substitutability)
- Mature contractual security requirements: incident notification SLA, audit rights, security certifications, sub-processor disclosure
- Annual re-assessment of critical suppliers with documented evidence
Management Body Training
- Annual training plan for management body members per Article 20(2)
- Topics: NIS 2 obligations, cybersecurity risk landscape relevant to the business, incident response decisions, sanctions exposure
- Retained training evidence (date, attendees, content, assessment if applicable)
Procurement Response Package
- NIS 2 self-assessment mapping your controls to Article 21 measures
- ISO 27001 certificate and Statement of Applicability
- SOC 2 Type 2 report where available
- Sub-processor list with locations
- Incident notification SLA
- Business continuity and DR test summary
- Procurement Q&A bank covering the recurring questions across customer questionnaires
7. Policy & Procedure Requirements
- Cybersecurity Risk Management Methodology and Risk Register
- Information Security Policy
- Incident Response Plan with NIS 2 three-clock workflow
- Business Continuity Plan and Disaster Recovery Plan
- Supply Chain Security Policy and Supplier Risk Register
- Secure SDLC and Vulnerability Handling Procedure
- Cryptography and Key Management Policy
- Access Control Policy with MFA Enforcement
- Workforce Cybersecurity Awareness and Training Program
- Management Body Training Program per Article 20(2)
- Asset Management Policy
- Human Resources Security Procedure (background screening, JML)
- Customer Procurement Response Procedure
For entities also pursuing ISO 27001 certification, all of these extend the existing ISMS rather than running a parallel framework. See our ISO 27001 service.
8. Audit Evidence & Verification
NIS 2 is not a certifiable scheme. In-scope entities (essential and important) are supervised and may be inspected or audited by the competent authority (Articles 32 and 33). For supply chain vendors, verification comes through customer security due diligence rather than direct regulatory inspection: the authority supervises the in-scope customer, the customer must evidence how it assessed its suppliers under Article 21(2)(d), and a customer under enforcement pressure pushes remediation demands, audit rights and termination clauses into its vendor contracts.
Typical Evidence Categories
- Risk assessment and risk register
- Information security policy with management body approval evidence
- Incident response records and notifications
- Business continuity and DR test reports
- Supplier register with risk classification and re-assessment records
- Workforce training completion records
- Management body training records
- Procurement response packages issued to customers
- ISO 27001 certificate and SOC 2 report (where in operation)
Common Remediation Items
- Supplier register absent or limited to financial vendor due diligence rather than cybersecurity-driven assessment
- Incident response plan not aligned with the three-clock NIS 2 workflow
- Management body training program absent or not refreshed annually
- Procurement response package thin or inconsistent across customers
- Customer contracts committing to notification windows shorter than the detection-to-escalation time the incident process can actually deliver
9. Implementation Timeline Considerations
Typical Duration — Supply Chain Vendor
- Vendor with mature ISO 27001 ISMS: 2 to 4 months to NIS 2 supply chain readiness
- Vendor without an ISMS: 8 to 12 months including ISO 27001 foundations
- Annual refresh: aligned with ISO 27001 surveillance cycle if integrated
Milestones
- Customer base mapping against NIS 2 Annex I and II
- Member state transposition tracking for relevant customer jurisdictions
- Article 21 ten-measure gap analysis
- Three-clock incident notification workflow build
- Supplier register and supply chain security policy
- Management body training program rollout
- Procurement response package assembly
- vCISO ongoing operations cycle
10. Ongoing BAU Requirements
- Annual risk assessment refresh
- Annual business continuity and DR test
- Annual workforce cybersecurity training
- Annual management body training per Article 20(2)
- Continuous supplier security re-assessment
- Continuous incident response readiness with three-clock rehearsal
- Procurement response package kept current with new evidence
- Member state transposition tracking
11. Maturity Levels
Minimum Compliance
- Article 21 ten measures documented
- Three-clock incident notification workflow ready
- Supplier register operational
- Management body training delivered annually
- Procurement response package available
Intermediate
- ISO 27001 ISMS extended with NIS 2 articulations
- Automated supplier risk re-assessment
- Cross-member-state transposition tracker maintained
- Customer notification automation per contractual SLA
Advanced
- Integrated NIS 2 + ISO 27001 + SOC 2 + DORA evidence library
- Continuous control monitoring with real-time evidence to customers
- Information sharing arrangements per Article 29 where applicable
- Management body engaged quarterly on cybersecurity risk
12. FAQs
Are we in scope of NIS 2 directly?
You are in scope directly if you are an entity of an Annex I or Annex II type that qualifies as medium-sized or large (50 or more employees, or annual turnover and balance sheet total both above 10 million euros), or if you fall in one of the categories that apply regardless of size under Article 2(2) to 2(4) (e.g. trust service provider, DNS service provider, provider of public electronic communications). For most B2B SaaS providers selling to NIS 2 customers, the obligations arrive through supply chain flow-down rather than direct scope.
How does NIS 2 reach us as a supplier?
Article 21(2)(d) requires every in-scope entity to address supply chain security in its cybersecurity risk-management measures. In-scope entities flow contractual security requirements down to direct suppliers and service providers through procurement, contracts, and questionnaires. Your evidence package (ISO 27001, SOC 2, incident SLA, supplier register) is the response.
What are the three reporting clocks?
Early warning within 24 hours of awareness of a significant incident; incident notification within 72 hours; final report within one month of the incident notification. Intermediate status reports may be requested. Recipients of services likely affected are also notified.
What is the difference between Essential and Important?
Substantive Article 21 obligations are identical. The categorization affects supervisory regime (ex ante for Essential, ex post for Important) and maximum sanctions (10M EUR / 2 percent for Essential, 7M EUR / 1.4 percent for Important).
What sanctions apply?
Maximum administrative fines under Article 34: essential entities up to 10 million euros or 2 percent of total worldwide annual turnover in the preceding financial year, whichever is higher; important entities up to 7 million euros or 1.4 percent. Management bodies can be held liable under Article 20(1); for essential entities, Article 32(5)(b) allows a temporary prohibition on persons with managerial responsibilities at CEO or legal representative level from exercising managerial functions where earlier enforcement measures have not been effective.
Does NIS 2 require certification?
No. NIS 2 is not certifiable. Compliance is demonstrated through documented risk-management measures, operational evidence, incident reporting capability, and management body engagement. Customer due diligence is the primary verification channel for supply-chain vendors.
How does NIS 2 interact with DORA?
For financial entities in scope of DORA (Regulation (EU) 2022/2554), DORA is the sector-specific Union act that takes precedence under NIS 2 Article 4, as DORA Article 1(2) states; those entities report ICT-related incidents under DORA, not under NIS 2 Article 23. For supply chain vendors serving both financial entities and other NIS 2-in-scope sectors, both frameworks apply to the relevant customer relationships. See our DORA service.
How does NIS 2 interact with GDPR?
NIS 2 cybersecurity obligations complement the GDPR Article 32 security of processing obligations. A personal data breach is reported under GDPR Article 33 to the supervisory authority within 72 hours of awareness; a NIS 2 significant incident is reported under Article 23 to the CSIRT or competent authority, starting with the 24 hour early warning. One event can trigger both, with different recipients, deadlines and content, so coordinate timing and content in a single incident workflow. See our GDPR service.
How does NIS 2 interact with ISO 27001?
ISO 27001:2022 Annex A maps closely to Article 21 ten measures. For a vendor already certified, the NIS 2-specific work is limited to incident notification workflow, supply chain security articulation, management body training, and procurement response package. Where ISO 27001 is not yet in place, the path is to build the ISMS first then layer NIS 2.
What does Implementing Regulation 2024/2690 add?
The Implementing Regulation specifies cybersecurity requirements and defines significant incidents for digital infrastructure providers, ICT service management providers (B2B), certain digital providers and trust service providers. Cloud computing service providers, data centre service providers, CDN providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services and trust service providers operate under this enhanced regime. Verify scope against the Regulation's Article 1 before relying on this summary.
13. Summary
NIS 2 is the EU's harmonized cybersecurity framework for essential and important entities, with explicit and substantial supply chain reach via Article 21(2)(d). For a B2B SaaS or consulting firm selling into the 18 in-scope sectors, NIS 2 arrives through customer contracts, procurement requirements, and security questionnaires. The path to readiness leverages an ISO 27001 ISMS as the foundation and adds NIS 2-specific articulations: incident notification workflow on the three-clock structure, supplier risk register, management body training under Article 20(2), and a procurement response package that wins customer onboarding without your team being pulled in.
To scope an engagement, book a call from the NIS 2 compliance service page, or talk to us about combining NIS 2 with ISO 27001, SOC 2, DORA, GDPR, or a complete vCISO program for ongoing supply chain compliance.