Directive 2022/2555/EU on network and information security — cybersecurity obligations for essential and important entities across 18 critical sectors.
NIS2 (Directive 2022/2555/EU) is the EU's updated network and information security framework, replacing the original NIS Directive. It entered into force in January 2023 and required transposition into national law by October 2024.
NIS2 significantly expands the scope of cybersecurity obligations — covering 18 sectors and distinguishing between 'essential entities' (subject to stricter supervision) and 'important entities'. For the first time, large manufacturers, waste management companies, and food processors are explicitly within scope.
A key feature of NIS2 is its explicit applicability to operational technology (OT) and industrial control systems. Organisations with SCADA, BMS, or ICS infrastructure connected to IT networks must address OT-specific cybersecurity risks under Article 21.
Sectors and entity types within the scope of NIS2.
Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
Postal and courier services, waste management, chemical manufacturing and distribution, food production, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers.
Any organisation in scope that operates SCADA, PLCs, DCS, BMS, or other operational technology connecting physical and cyber systems.
The principal obligations imposed by NIS2.
Organisations must adopt proportionate technical and organisational measures to manage cybersecurity risk — covering governance, incident handling, supply chain security, and OT security.
Significant incidents must be reported to the competent authority within 24 hours (early warning) and 72 hours (full notification). ENISA maintains the EU cybersecurity incident reporting database.
Organisations must assess the cybersecurity posture of key suppliers and service providers — including software, hardware, and cloud services in scope.
Senior management must approve and oversee cybersecurity risk management measures. Individuals can be held personally liable for non-compliance.
Essential entities: fines up to €10M or 2% of global annual turnover. Important entities: fines up to €7M or 1.4% of global annual turnover.
Engineering services applicable to NIS2 compliance.
OT Cybersecurity Assessment: NIS2 Article 21-aligned OT security gap analysis covering asset inventory, network architecture review, and a prioritised remediation roadmap.
Incident Response Planning: OT-specific incident response plan, notification procedures, and tabletop exercise facilitation.
Supply Chain Security Review: cybersecurity assessment of critical OT suppliers and service providers, aligned to NIS2 Article 21(2)(d).
Management Briefing: executive-level NIS2 briefing and risk presentation, satisfying the management oversight obligations under Article 20.
Compliance milestones you need to plan around.
Our engineering team delivers structured compliance assessments with actionable remediation roadmaps.