Understanding and Complying with the NIS 2 Directive

EU’s updated cybersecurity law: scope, requirements & how SureCloud helps you fulfill your obligations.


NIS 2 Quick Facts

What Is NIS 2?

NIS 2 is the EU’s updated cybersecurity law (Directive (EU) 2022/2555), replacing the original NIS Directive. It expands who is in scope, sets clearer incident reporting timelines, increases management accountability, and raises supervisory powers and fines. It was introduced to address evolving cyber threats and gaps in NIS 1’s scope and enforcement, so organizations can strengthen resilience and respond consistently across Member States.

  • In force: January 2023
  • Transposition deadline: October 17, 2024
  • NIS 1 repealed: October 18, 2024
  • Applies to: “Essential” and “important” entities (non-EU providers may be in scope if they serve the EU)
  • Who it’s for: CISOs and Security, Risk, and Compliance leaders at essential/important entities and ICT/digital service providers operating in or with the EU

Scope of NIS 2

Essential vs Important Entities

NIS 2 applies to “essential” and “important” entities, classified by sector and size.

Common sectors in scope include:

  1. Energy and transport
  2. Banking and financial market infrastructure
  3. Healthcare and water services (drinking & wastewater)
  4. Digital infrastructure: IXPs, DNS, TLDs, data centres
  5. Cloud, data hosting, and managed service providers (MSPs/MSSPs)
  6. Postal and courier services
  7. Waste management, chemicals, and food
  8. Manufacturers of critical products
  9. Certain public administration bodies

Note: Cross-border operations or a high level of criticality can also bring an organisation into NIS 2 scope.


Scope Checklist

  1. Confirm sector and threshold criteria.

  2. Determine entity type: essential vs. important.

  3. Identify the EU “main establishment” for supervision.

  4. Map ICT/third-party dependencies (MSPs/MSSPs).

  5. Record group structure and cross-border services.

  6. Check your Member State’s transposition guidance and competent authority requirements; note UK divergence where applicable.


NIS 2 Requirements: What You Must Do

Implement governance and risk-management measures across:
  • Security policies, risk assessment, secure development, and change control
  • Incident handling and business continuity (backup/DR and regular testing)
  • Supply-chain security and vendor oversight (including MSP/MSSP)
  • Vulnerability handling, disclosure, and timely patching
  • Access control, asset management, monitoring, and logging
  • Training and awareness for staff and leadership

Deadlines for NIS 2 EU Law — Reporting Timelines
  • 24 hours: early warning
  • 72 hours: incident notification (with initial assessment)
  • 1 month: final report (root cause, measures, severity)

Penalties Under NIS 2
  • Essential entities: up to at least €10,000,000 or at least 2% of total worldwide annual turnover (whichever is higher)
  • Important entities: up to at least €7,000,000 or at least 1.4% of total worldwide annual turnover (whichever is higher)

Authorities may also impose supervisory measures (e.g., audits, binding instructions, temporary managerial bans).


NIS 2 vs NIS 1

Area          NIS 1              NIS 2
Scope         Narrower           Expanded sectors + size-cap rules
Reporting     General            Harmonized windows (see “Reporting Timelines”)
Management    Implicit           Explicit accountability
Supply chain  Limited guidance   Specific oversight expectations
Fines         Lower ceilings     Higher minimum ceilings, harmonized

NIS 2 expands scope, strengthens governance, harmonizes reporting windows, raises supervisory powers and penalties, and elevates supply chain oversight.

Implementation Guidance (Operational View)

Use a phased approach that ties each obligation to an owner, a control, and evidence:

  1. Scope & applicability: confirm entity type, sectors, and thresholds
  2. Gap analysis: compare current controls to NIS 2 measures
  3. Prioritize: address high-risk gaps first; set acceptance criteria
  4. Policies & processes: update, assign owners, set due dates
  5. Incident readiness: playbooks, contact trees, reporting templates
  6. Supply-chain: tier vendors/MSPs; assess, remediate, track exceptions
  7. Monitoring & testing: metrics, reviews, exercises, corrective actions
  8. Reporting: dashboards for leadership and competent authorities

Evidence to Collect

To stay audit-ready under NIS 2, organisations need clear, traceable evidence that proves controls are active and effective. This includes mapped policies and standards, approved runbooks and procedures, security tool outputs such as SIEM or vulnerability scans, and change or exception records with sign-offs. Regulators also expect proof of training and awareness, plus vendor assessment logs showing how supply-chain risks are identified and remediated. With SureCloud, all this evidence lives in one platform—linked, searchable, and ready for inspection.

  • Policies/standards mapped to obligations
  • Procedures/runbooks and approvals
  • Tool outputs (EDR/SIEM logs, vulnerability scans)
  • Change/exception tickets and sign-offs
  • Training records and attestations
  • Vendor assessments, issues, and remediation logs

How SureCloud Makes NIS 2 Compliance Simple

Make NIS 2 obligations part of daily operations

SureCloud turns NIS 2 from a one-off project into a manageable routine. In one workspace you scope and classify (essential vs. important), map obligations, assign owners, capture evidence, oversee suppliers, and stay ready for reporting.

  • Assess: Confirm essential vs. important status and sectors/thresholds (see “Scope Checklist”); map NIS 2 obligations; cross-map to ISO 27001/27002 and GDPR to reuse work.
  • Implement: Assign owners and due dates; publish policies and standards; stand up technical and procedural controls; centralize evidence with approvals and version history.
  • Monitor: Track control health with tasks, reviews, and tests; manage vendor risk (MSPs/MSSPs); log incidents and corrective actions against acceptance criteria.
  • Report: Stay incident-reporting ready; export audit-ready packs (see “Reporting Timelines”).

“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”
Mollie

“It's dynamic and agile — if we want to get a snapshot of risk for a particular department or function, we can.”
Office for Students

“SureCloud gave us the flexibility to design our own user journeys and reporting tools.”
Auto Trader

Benefits of Being NIS 2 Compliant

NIS 2 compliance is more than a checkbox—it protects critical services, sharpens governance, and proves accountability. With SureCloud, you operationalize the directive and show measurable progress.

Regulatory compliance & avoiding fines

Meet your obligations, hit the 24-hour, 72-hour, and 1-month reporting timelines, and maintain audit-ready evidence to reduce enforcement and reputational risk.

Stronger cybersecurity posture and improved resilience

Apply risk-based controls, incident playbooks, and supplier oversight to lower exposure across your environment and supply chain.

Trust from customers, partners, and regulators

Share real-time dashboards and exportable reports that demonstrate control effectiveness and continuous compliance.

Clearer risk visibility, better governance

Give leaders a single view of obligations, owners, status, and gaps—driving timely decisions and accountability.

Competitive advantage

Stand out in bids and renewals with provable compliance, faster due-diligence responses, and integrated reporting across NIS 2, ISO, and GDPR.

Ensure Your Organization Is Ready for NIS 2 Compliance

Frequently Asked Questions
When did NIS 2 come into force, and when did Member States have to implement it?

It came into force in January 2023. Member States had to transpose it by October 17, 2024; NIS 1 was repealed on October 18, 2024.

What is the difference between essential and important entities?

Both are in scope, with differences in supervisory regime and fine ceilings. Classification depends on sector, service type, and thresholds.

What are the penalties for non-compliance?

Fines of up to at least €10M or 2% of worldwide annual turnover (essential entities) and up to at least €7M or 1.4% (important entities), whichever is higher, plus supervisory measures as determined by competent authorities.

How long do we have to report a cybersecurity incident under NIS 2?

Early warning within 24 hours, incident notification within 72 hours, and a final report within one month.

Does NIS 2 apply to non-EU entities?

Yes, if they offer services in the EU; jurisdiction usually follows where cybersecurity decisions are made for the EU operation.

How does NIS 2 intersect with GDPR, ISO standards, and other regulations?

NIS 2 obligations for organisations overlap with ISO 27001/27002 and touch GDPR where security of processing and breach reporting intersect. Cross-mapping helps reduce duplicate effort.

London Office

1 Sherwood Street, London,

W1F 7BL, United Kingdom

US Headquarters

6010 W. Spring Creek Pkwy., Plano,
TX 75024, United States of America


© SureCloud 2025. All rights reserved.