Question 1

What is the NIS2 Directive?

Accepted Answer

NIS2 (Network and Information Security Directive 2) is an EU-wide cybersecurity regulation that sets baseline security and incident-reporting obligations for organisations operating in critical and important sectors. It replaces the original NIS Directive adopted in 2016.

Question 2

When did NIS2 come into effect?

Accepted Answer

The directive entered into force on 16 January 2023. EU Member States were required to transpose it into national law by 17 October 2024. Enforcement timelines vary by country.

Question 3

Which sectors does NIS2 cover?

Accepted Answer

NIS2 covers 18 sectors split into two groups. Essential sectors include energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space. Important sectors include postal services, waste management, chemicals, food, manufacturing, digital providers, and research.

Question 4

What is the difference between Essential and Important entities?

Accepted Answer

Essential entities face stricter supervisory requirements, including proactive audits and inspections. Important entities are subject to reactive supervision, typically triggered by evidence of non-compliance. Both must meet the same baseline security obligations.

Question 5

Does NIS2 apply to companies outside the EU?

Accepted Answer

Yes. If your organisation provides services within the EU — even if headquartered elsewhere — NIS2 may apply. Non-EU entities must designate a representative in one of the Member States where they operate.

Question 6

How do I know if my organisation is in scope?

Accepted Answer

NIS2 applies to medium-sized and large organisations in the 18 covered sectors. The general thresholds are 50+ employees or €10 million+ annual turnover. Some entity types — such as DNS providers and trust service providers — are in scope regardless of size.

Question 7

What does NIS2 Pro’s Scope Check do?

Accepted Answer

Our Scope Check assessment asks targeted questions about your sector, size, operations, and digital dependencies to determine whether NIS2 likely applies to your organisation, and whether you would be classified as Essential or Important.

Question 8

Can a small company fall under NIS2?

Accepted Answer

Generally, organisations below the size thresholds are excluded. However, certain categories are in scope regardless of size — for example, providers of DNS services, TLD registries, trust service providers, and entities identified as critical by a Member State.

Question 9

What if I operate in multiple EU countries?

Accepted Answer

You may be subject to the national transposition laws of each Member State where you operate. NIS2 introduces a primary jurisdiction model for certain digital entities, but most organisations must comply with each country’s specific requirements.

Question 10

What are the main compliance obligations under NIS2?

Accepted Answer

NIS2 requires organisations to implement risk-based cybersecurity measures, establish incident detection and response capabilities, ensure supply chain security, conduct regular risk assessments, and provide staff training. Management bodies must also approve and oversee these measures.

Question 11

What incident reporting obligations does NIS2 impose?

Accepted Answer

Significant incidents must be reported to the competent authority in three stages: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month. The definition of ‘significant’ depends on factors like service disruption scope and data impact.

Question 12

Is management personally liable under NIS2?

Accepted Answer

Yes. NIS2 introduces personal accountability for senior management. Board members and executives can be held liable for failure to ensure compliance, and Member States may impose temporary management bans for repeated violations.

Question 13

Do I need ISO 27001 to comply with NIS2?

Accepted Answer

ISO 27001 is not mandatory, but it provides a strong foundation. Many NIS2 requirements overlap with ISO 27001 controls. NIS2 Pro includes a crosswalk tool that maps your assessment results to relevant ISO 27001 controls.

Question 14

What are the penalties for non-compliance?

Accepted Answer

Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to €7 million or 1.4% of global turnover. Individual Member States may impose additional sanctions.

Question 15

What is the NIS2 transposition deadline?

Accepted Answer

Member States were required to transpose NIS2 into national law by 17 October 2024. Some countries met this deadline; others are still in the process. Check our NIS2 Status page for the latest country-by-country progress.

Question 16

When do I need to register with the competent authority?

Accepted Answer

Registration timelines vary by country. In many Member States, in-scope entities must register with their national competent authority within a specified period after the transposition law takes effect. Check your country’s guide for specifics.

Question 17

How often should I reassess my NIS2 compliance?

Accepted Answer

We recommend reassessing at least every 12 months, or whenever there is a significant change in your organisation — such as entering a new market, a major IT transformation, an acquisition, or a security incident.

Question 18

What does NIS2 require for supply chain security?

Accepted Answer

Organisations must assess and manage cybersecurity risks across their supply chain, including direct suppliers and service providers. This includes contractual security requirements, due diligence on suppliers, and monitoring of third-party risk.

Question 19

Am I responsible for my suppliers’ compliance?

Accepted Answer

You are not directly responsible for making your suppliers NIS2-compliant, but you must assess and manage the risks they introduce to your operations. If a supplier’s security weakness causes an incident affecting your services, you remain accountable.

Question 20

Does NIS2 affect cloud service providers?

Accepted Answer

Yes. Cloud computing service providers are explicitly included as Important entities under NIS2. If you rely on cloud providers, you must also assess them as part of your supply chain risk management.

Question 21

What does NIS2 Pro do?

Accepted Answer

NIS2 Pro helps organisations assess their NIS2 scope, evaluate their cybersecurity maturity, generate compliance reports, track improvement actions, and manage reassessments over time. It is designed specifically for SMEs navigating NIS2 requirements.

Question 22

Is NIS2 Pro a substitute for legal advice?

Accepted Answer

No. NIS2 Pro provides guidance and tools to support your compliance journey, but it does not constitute legal advice. For binding legal interpretations, consult a qualified legal professional familiar with your jurisdiction’s transposition law.

Question 23

Can I manage multiple companies in NIS2 Pro?

Accepted Answer

Yes. NIS2 Pro supports multiple company profiles under a single account. This is useful for group structures, consultants managing client portfolios, or organisations with subsidiaries in different sectors or countries.

Question 24

What reports can I generate?

Accepted Answer

NIS2 Pro generates scope analysis reports, maturity score breakdowns, improvement roadmaps, board-ready summaries, risk registers, incident response kits, ISO 27001 crosswalk reports, and version comparison reports — all exportable as PDF or DOCX.

Question 25

Can I invite team members?

Accepted Answer

Yes. You can invite colleagues to collaborate on a company profile with role-based access: Admin, Contributor, or Viewer. Team members receive an email invitation and can access the shared company data once they accept.

Question 26

How is NIS2 Pro priced?

Accepted Answer

NIS2 Pro offers a one-time Scope Check for €10 and three subscription tiers (Basic, Business, Business Plus) with monthly or annual billing. The Scope Check fee is credited towards a subscription if you enrol within 30 days. Visit the Pricing page for full details.

Question 27

What is included in a subscription?

Accepted Answer

Subscriptions unlock the full platform: unlimited assessments, all report types, improvement tracking, risk register, compliance calendar, team collaboration, reassessment workflows, and access to all country and sector guides.

Question 28

Can I cancel my subscription?

Accepted Answer

Yes. You can cancel at any time from your Account page. Your access continues until the end of the current billing period. No data is deleted upon cancellation.

Question 29

How does NIS2 relate to GDPR?

Accepted Answer

NIS2 and GDPR are complementary but separate regulations. GDPR focuses on personal data protection, while NIS2 focuses on network and information system security. An incident may trigger obligations under both — for example, a data breach affecting personal data requires GDPR notification alongside NIS2 incident reporting.

Question 30

Does NIS2 Pro store my data securely?

Accepted Answer

Yes. All data is stored in EU-based infrastructure with encryption at rest and in transit. Access is controlled through authenticated sessions and role-based permissions. We do not share your assessment data with third parties.

Question 31

Can I export or delete my data?

Accepted Answer

Yes. You can export all your assessment data and reports at any time. If you wish to delete your account and all associated data, contact our support team and we will process the request in accordance with GDPR requirements.

Frequently Asked Questions

NIS2 Basics

Scope & Classification

Compliance Requirements

Deadlines & Timelines

Supply Chain & Third Parties

NIS2 Pro Platform

Pricing & Plans

GDPR & Data Protection

Still have questions?