NIS2 Obligations

🛡️ Security Measures (Art. 21)

Entities must implement appropriate technical, operational, and organisational measures to manage cybersecurity risks.

📋 Security Policy

High-level document approved by management, plus specific policies for each sector or topic

🚨 Incident Management

Procedures for identification, classification, handling, and reporting. Initial notification within 24 hours.

🔄 Business Continuity

BCP and DRP, off-site/cloud backups, disaster recovery plans

🔗 Supply Chain

Risk assessment across the entire ICT supply chain, security requirements for suppliers

🔧 Procurement and Maintenance

Pre-production vulnerability assessment, patch management, secure support

🔑 Access and Identity

Least privilege principle, privileged access management (PAM), multi-factor authentication (MFA)

🔐 Encryption

Encryption for sensitive data, protection of communications

🔍 Testing and Auditing

Periodic security testing, vulnerability assessments, annual penetration testing

📡 Detection

IDS/IPS, SIEM, continuous threat monitoring

🏢 Physical Security

Data centre access control, protection against natural disasters and physical attacks

📅 Reporting Obligations (Art. 23)

24 hours Initial report — from discovery of a significant incident to your national CSIRT

Immediately Update — when substantial new information becomes available

1 month Final report — complete report with all details

⚠️ What is a "Significant Incident"?

Has an impact on service availability
Has an impact on data integrity
Has an impact on confidentiality (if relevant to security)

❌ NOT a significant incident

Minimal or no impact
Scheduled and communicated disruptions
Interruptions due to external causes unrelated to cybersecurity

📝 Registration Obligations

Entities must register with the competent national authority and provide:

Organisation size
Sectors and subsectors of operation
Approximate number of employees
Turnover (only for determining size threshold)

🔗 Supply Chain (Art. 21)

Entities must assess and manage risks across the entire ICT supply chain:

Level of exposure to ICT risks
Vulnerabilities of direct suppliers
Security requirements in contracts
Monitoring exposure throughout the entire supply chain

⚖️ Essential vs Important

Aspect	🔴 Essential	🟡 Important
Supervision	Stricter	Lighter
Notifications	Mandatory	Mandatory
Maximum penalties	€10M or 2% of turnover	€7M or 1.4% of turnover
Authority	National authority + sectoral	National authority only
Audit	At any time	Only when necessary

🇪🇺 Implementation in EU Member States

🏛️ National Cybersecurity Authority

Each Member State designates a competent national authority for NIS2 supervision.

🛡️ National CSIRT

Receives incident reports and provides operational support — part of the national cybersecurity authority.

📅 Staged Compliance

Registration: within 30 days of identification
Notifications: immediate, according to NIS2 timeframes
Security measures: within 4 months of identification

💰 Penalties (Art. 34)

🚫 Failure to implement measures

€10M or 2% of turnover for Essential entities

€7M or 1.4% of turnover for Important entities

⚠️ Late or missing notification

Administrative financial penalty scaled according to severity and duration

👔 Management Liability

Possible personal liability for managers in cases of violations resulting from strategic business decisions.