Compliance Required by October 17, 2024

NIS2 Directive Compliance Guide

Follow our comprehensive roadmap to achieve NIS2 compliance. From initial assessment to ongoing governance, we guide you through each step of implementing mandatory cybersecurity measures.

Start Gap Analysis Download Checklist
10 measures
Required controls
6 months
Implementation time
24 hours
Incident reporting

NIS2 Compliance in Plain English

NIS2 compliance means implementing specific cybersecurity measures and proving you've done so. It's not just about having security - it's about documenting it, testing it, and reporting when things go wrong.

Start with determining if you're essential or important entity
Implement the 10 mandatory cybersecurity measures
Create incident response and reporting procedures
Establish supply chain security requirements
Document everything with policies and procedures
Set up ongoing monitoring and improvement processes

Start Your NIS2 Compliance Journey

Choose your starting point based on your current status

Recommended

Gap Analysis

Assess your current cybersecurity posture against NIS2

Requirements Review

Understand the 10 mandatory measures in detail

Implementation Plan

Get a step-by-step implementation roadmap

Expert Consultation

Work with NIS2 compliance specialists

Your 8-Step Path to NIS2 Compliance Compliance

Follow these steps to achieve full compliance. Each step builds on the previous one, creating a comprehensive compliance program.

Step 1 Beginner

1. Entity Classification & Gap Analysis

Determine your NIS2 status and current compliance gaps

Key Actions

  • Confirm essential vs important entity classification
  • Identify applicable sector-specific requirements
  • Assess current cybersecurity maturity level
  • Document compliance gaps and priorities

Available Tools

Entity Classifier Gap Analysis Tool Maturity Assessment

Real Examples

Energy sector essential entity Healthcare important entity Cloud service provider
Timeline: 2-3 weeks
Learn More
Step 2 Intermediate

2. Establish Governance Structure

Set up leadership and accountability for cybersecurity

Key Actions

  • Appoint cybersecurity leadership roles
  • Establish board-level oversight
  • Define roles and responsibilities
  • Create steering committee structure

Available Tools

RACI Matrix Governance Framework Job Descriptions

Real Examples

CISO appointment Security committee charter Board reporting structure
Timeline: 3-4 weeks
Learn More
Step 3 Intermediate

3. Risk Management Framework

Implement comprehensive risk assessment and management

Key Actions

  • Conduct initial risk assessment
  • Develop risk treatment plans
  • Implement risk monitoring processes
  • Create risk register and metrics

Available Tools

Risk Assessment Template Risk Register Treatment Plans

Real Examples

ISO 27005 methodology NIST risk framework Threat modeling
Timeline: 4-6 weeks
Learn More
Step 4 Advanced

4. Implement Technical Measures

Deploy the required technical security controls

Key Actions

  • Deploy access control and authentication systems
  • Implement encryption for data protection
  • Set up security monitoring and logging
  • Configure backup and recovery systems

Available Tools

Technical Checklist Configuration Guides Security Baselines

Real Examples

MFA deployment SIEM implementation Backup automation
Timeline: 8-12 weeks
Learn More
Step 5 Intermediate

5. Incident Response Capability

Build incident detection, response, and reporting capabilities

Key Actions

  • Create incident response plan
  • Establish incident response team
  • Set up 24-hour reporting procedures
  • Test incident response processes

Available Tools

Incident Response Plan Playbooks Contact Lists

Real Examples

Ransomware playbook Data breach procedures CSIRT setup
Timeline: 4-6 weeks
Learn More
Step 6 Advanced

6. Supply Chain Security

Secure your technology and service supply chain

Key Actions

  • Map critical suppliers and dependencies
  • Assess supplier cybersecurity maturity
  • Implement supplier security requirements
  • Monitor supply chain risks

Available Tools

Supplier Assessment Contract Templates Risk Matrix

Real Examples

Vendor risk assessments Security clauses Third-party audits
Timeline: 6-8 weeks
Learn More
Step 7 Beginner

7. Training & Awareness

Build cybersecurity culture and competence

Key Actions

  • Develop cybersecurity training program
  • Conduct role-based security training
  • Run phishing simulation exercises
  • Measure security awareness levels

Available Tools

Training Materials Awareness Campaigns Testing Tools

Real Examples

Security awareness training Phishing tests Incident drills
Timeline: 4-6 weeks
Learn More
Step 8 Intermediate

8. Continuous Improvement

Establish ongoing compliance and improvement processes

Key Actions

  • Implement compliance monitoring
  • Schedule regular security assessments
  • Track and report security metrics
  • Update measures based on threat landscape

Available Tools

KPI Dashboard Audit Schedule Improvement Plans

Real Examples

Monthly metrics review Annual assessments Continuous monitoring
Timeline: Ongoing
Learn More

What NIS2 Compliance Actually Requires You to Do

Risk Management

Systematic approach to cybersecurity risks

  • • Risk identification
  • • Impact assessment
  • • Treatment plans
  • • Regular reviews

Technical Measures

Implement required security controls

  • • Access control
  • • Encryption
  • • Monitoring
  • • Backup systems

Incident Response

Detect and respond to security incidents

  • • 24-hour reporting
  • • Response procedures
  • • Recovery plans
  • • Lessons learned

Governance

Leadership and accountability structures

  • • Board oversight
  • • Clear roles
  • • Regular reporting
  • • Budget allocation

Supply Chain

Secure your extended enterprise

  • • Vendor assessment
  • • Security requirements
  • • Ongoing monitoring
  • • Incident coordination

Training

Build security awareness and skills

  • • Regular training
  • • Role-based content
  • • Effectiveness testing
  • • Continuous education

Free NIS2 Compliance Compliance Tools

Gap Analysis Tool

Assess your current NIS2 compliance status

Policy Templates

Ready-to-use NIS2 policy and procedure templates

Incident Reporter

24-hour incident notification tool

Training Materials

Security awareness training resources

Common NIS2 Compliance Questions

How long do we have to achieve NIS2 compliance?

NIS2 is already in effect as of October 17, 2024:

  • Immediate compliance required for all covered entities
  • 6-12 months typical implementation timeline
  • National authorities are already conducting assessments
  • Non-compliance penalties can be applied immediately

What's the difference between essential and important entities?

Entity classification determines your specific obligations:

  • Essential entities: Critical infrastructure sectors
  • Important entities: Other significant digital services
  • Essential entities face stricter supervision
  • Different penalty thresholds apply
  • Both must implement the 10 mandatory measures

Do we need external certification for NIS2?

NIS2 doesn't require specific certification but:

  • National authorities may conduct audits
  • ISO 27001 can demonstrate compliance
  • Third-party assessments are recommended
  • Documentation must prove compliance
  • Regular assessments are mandatory

How does NIS2 relate to other regulations?

NIS2 complements other EU cybersecurity laws:

  • Works alongside GDPR for data protection
  • Aligns with CRA for product security
  • Coordinates with DORA for financial sector
  • National implementations may vary
  • Avoid duplication where possible

Ready to Achieve NIS2 Compliance?

Don't wait for enforcement action. Start your NIS2 compliance journey today with expert guidance.

Get Compliance Assessment Download Implementation Guide
Article Article 21 ·
View on EUR-Lex

🤝 Still Feeling Overwhelmed?

EU cybersecurity laws can be complex. Our free tools and guides work great for most people, but if you're dealing with something particularly challenging or have tight deadlines, we're here to help.

Talk to an expert → or Browse all our free resources →