Question 1

Does NIS 2 apply to my organization?

Accepted Answer

NIS 2 applies to medium and large entities (50+ staff or EUR 10M+ turnover) across 18 sectors. Essential sectors include energy, transport, banking, health, water, and digital infrastructure. Important sectors include postal, waste, chemicals, food, manufacturing, and digital providers.

Question 2

What are the penalties for non-compliance?

Accepted Answer

Essential entities face fines up to EUR 10 million or 2% of global turnover (whichever is greater). Important entities face up to EUR 7 million or 1.4% of turnover. Critically, individual managers can face personal fines and temporary management role prohibitions.

Question 3

How does NIS 2 relate to ISO 27001?

Accepted Answer

ISO 27001 covers approximately 70% of NIS 2 requirements. However, NIS 2 adds mandatory 24h/72h/1-month incident reporting timelines, management personal accountability, MFA as mandatory, and specific supply chain security requirements that go beyond ISO 27001.

Question 4

What about management personal liability?

Accepted Answer

Article 20 requires management bodies to personally approve cybersecurity risk measures, oversee their implementation, and receive sufficient training. This is a fundamental shift - individual managers are personally accountable and can face fines and temporary bans from management roles.

Question 5

What are the incident reporting deadlines?

Accepted Answer

Early warning within 24 hours of becoming aware of an incident. Incident notification within 72 hours with initial assessment. Final report within one month with detailed root cause analysis and remediation measures.

Question 6

Does NIS 2 apply to non-EU companies?

Accepted Answer

Yes. Non-EU organizations providing certain services to EU customers (DNS providers, TLD registries, cloud providers, data centers, CDNs, managed service providers, online marketplaces) must appoint an EU representative and comply with NIS 2.

Question 7

How long does compliance take?

Accepted Answer

Organizations with no existing programs need 9-18 months. Those with ISO 27001, SOC 2, or NIST 800-53 can achieve compliance in 3-6 months. Quick wins like MFA deployment and incident procedures can be completed within weeks.

Question 8

What is the relationship between NIS 2 and DORA?

Accepted Answer

DORA applies specifically to EU financial entities. Financial entities gain exemption from NIS 2's risk and incident reporting requirements for DORA-covered areas, though governance and supply chain obligations may persist under NIS 2.

Question 9

What does NIS 2 require for supply chain security?

Accepted Answer

Article 21(d) mandates assessment and management of cybersecurity risks in supplier and service provider relationships. This includes evaluating supplier security practices and ensuring contractual security requirements flow through the supply chain.

Question 10

What are the 10 NIS 2 Article 21 security measures?

Accepted Answer

Article 21 requires: (1) Risk analysis and information security policies; (2) Incident handling including mandatory reporting timelines; (3) Business continuity and crisis management; (4) Supply chain security; (5) Security in network and information systems acquisition, development, and maintenance; (6) Policies to assess effectiveness of cybersecurity risk management; (7) Basic cyber hygiene and cybersecurity training; (8) Policies regarding cryptography and encryption; (9) Human resources security, access control, and asset management; (10) Multi-factor authentication and continuous authentication solutions.

Question 11

Is ISO 27001 certification sufficient for NIS 2 compliance?

Accepted Answer

ISO 27001 covers approximately 70% of NIS 2 requirements. However, NIS 2 adds specific requirements beyond ISO 27001: the mandatory 24h/72h/1-month incident reporting timeline, management personal liability and training obligations, MFA as a mandatory baseline control, and specific supply chain security requirements. We identify what NIS 2 specifically adds and build only what is missing.

Question 12

What sectors are covered by NIS 2?

Accepted Answer

NIS 2 covers 18 sectors across two annexes. Annex I (essential): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Annex II (important): postal and courier, waste management, chemicals, food, manufacturing (medical devices, computers, electronics, machinery, vehicles), digital providers (marketplaces, search, social networking), and research organisations.

NIS 2 Compliance

What is NIS 2 Compliance?

Who Needs NIS 2 Compliance?

Ready to get started?

Our Methodology

Scoping

Gap Assessment

Implementation

Governance Setup

What You Get with NIS 2 Compliance

Frequently Asked Questions

Book a Free Consultation