
NIS2 Readiness Assessment

Determine your organisation's classification and compliance posture under EU Directive 2022/2555 — the Network and Information Security Directive governing essential and important entities across critical sectors.

The assessment has two steps: (1) Entity Classification and (2) Security Controls, where you check each of the ten Article 21 measures currently in place.

The results panel shows, for an Essential Entity with no controls selected:

Classification: Essential Entity, subject to proactive (ex-ante) supervision under Article 32 and the higher fine ceiling under Article 34 of NIS2.
Overall NIS2 Readiness Score: 0%, based on 0 of 10 key NIS2 Article 21 security measures in place.
Compliance deadline: October 2024 (member states had to transpose the directive by 17 October 2024; national rules apply from that date).
Maximum penalty exposure: €10M, or 2% of total worldwide annual turnover if that is higher.
Gap Analysis: the NIS2 Article 21 security measures not yet in place.
Required Actions, in priority order: estimated implementation timeline 3–6 months; overall implementation effort Medium.

Close Your NIS2 Gaps with NOVTRIQ

Our cybersecurity and OT security team provides NIS2 gap analysis, remediation roadmaps, and technical implementation across critical infrastructure sectors.

ENGAGE NOVTRIQ

NIS2 Directive — Frequently Asked Questions

What is the NIS2 Directive and who does it apply to?

NIS2 (Directive 2022/2555) replaces the original NIS Directive (2016/1148) and significantly expands the scope of EU cybersecurity regulation. It applies to medium and large organisations operating in 18 critical sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II), including energy, transport, health, digital infrastructure, and manufacturing; certain entity types, such as DNS service providers and qualified trust service providers, are in scope regardless of size. The directive mandates cybersecurity risk-management measures (Article 21), incident reporting obligations (Article 23), and supply chain security, and member states were required to transpose it into national law by 17 October 2024.

What is the difference between an Essential Entity and an Important Entity?

Essential Entities (EE) are, broadly, large enterprises in the Annex I sectors of high criticality (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space), plus a few entity types that are essential regardless of size, such as qualified trust service providers, top-level domain name registries, and DNS service providers. EEs are subject to proactive, ex-ante supervision under Article 32. Important Entities (IE) are the remaining in-scope organisations: medium-sized enterprises in Annex I sectors and entities in Annex II sectors such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. IEs face reactive, ex-post supervision under Article 33, meaning the authority acts on evidence of non-compliance rather than through routine audits. Both must meet the same risk-management obligations under Article 21 and the same reporting obligations under Article 23, but EEs face stricter oversight and a higher fine ceiling under Article 34: a maximum of at least €10 million or 2% of total worldwide annual turnover, whichever is higher, versus at least €7 million or 1.4% for IEs. National transposition laws fix the exact thresholds and may set higher maxima, so check the law of the member state in which your entity is established.

What are the 10 mandatory security measures under NIS2 Article 21?

Article 21(1) requires appropriate and proportionate technical, operational, and organisational measures based on an all-hazards approach, taking into account the state of the art and the entity's risk exposure. Article 21(2) lists the minimum set: (1) policies on risk analysis and information system security; (2) incident handling; (3) business continuity, such as backup management and disaster recovery, and crisis management; (4) supply chain security, including the security-related aspects of relationships with direct suppliers and service providers; (5) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; (6) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (7) basic cyber hygiene practices and cybersecurity training; (8) policies and procedures on the use of cryptography and, where appropriate, encryption; (9) human resources security, access control policies, and asset management; (10) the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.

What are the incident reporting obligations under NIS2?

Article 23 introduces a multi-stage reporting timeline for significant incidents. Organisations must submit an early warning to their national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. An incident notification is required within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. The authority may request an intermediate report at any time. A final report must follow within one month of the incident notification, covering a detailed description of the incident, the type of threat or root cause, the mitigation measures applied, and any cross-border impact; if the incident is still ongoing at that point, a progress report is submitted instead and the final report is due within one month of the incident being handled. Entities must also, where appropriate, inform the recipients of their services about significant incidents likely to affect them. An incident is significant if it has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Ready to Achieve NIS2 Compliance?

NOVTRIQ's cybersecurity engineers deliver end-to-end NIS2 compliance programmes — from gap assessment and risk management frameworks to technical control implementation and board-level governance.

START YOUR NIS2 PROGRAMME
Questions? Email projects@novtriq.com