Frequently Asked Questions
Everything you need to know about NIS2 and how NIS2 Pro can help your organisation.
NIS2 Basics
- What is the NIS2 Directive?
- NIS2 (Network and Information Security Directive 2) is an EU-wide cybersecurity regulation that sets baseline security and incident-reporting obligations for organisations operating in critical and important sectors. It replaces the original NIS Directive adopted in 2016.
- When did NIS2 come into effect?
- The directive entered into force on 16 January 2023. EU Member States were required to transpose it into national law by 17 October 2024. Enforcement timelines vary by country.
- Which sectors does NIS2 cover?
- NIS2 covers 18 sectors split into two groups. Essential sectors include energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space. Important sectors include postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
- What is the difference between Essential and Important entities?
- Essential entities face stricter supervisory requirements, including proactive audits and inspections. Important entities are subject to reactive supervision, typically triggered by evidence of non-compliance. Both must meet the same baseline security obligations.
- Does NIS2 apply to companies outside the EU?
- Yes. If your organisation provides services within the EU — even if headquartered elsewhere — NIS2 may apply. Non-EU entities must designate a representative in one of the Member States where they operate.
Scope & Classification
- How do I know if my organisation is in scope?
- NIS2 applies to medium-sized and large organisations in the 18 covered sectors. The general thresholds are 50+ employees or €10 million+ annual turnover. Some entity types — such as DNS providers and trust service providers — are in scope regardless of size.
- What does NIS2 Pro’s Scope Check do?
- Our Scope Check assessment asks targeted questions about your sector, size, operations, and digital dependencies to determine whether NIS2 likely applies to your organisation, and whether you would be classified as Essential or Important.
- Can a small company fall under NIS2?
- Generally, organisations below the size thresholds are excluded. However, certain categories are in scope regardless of size — for example, providers of DNS services, TLD registries, trust service providers, and entities identified as critical by a Member State.
- What if I operate in multiple EU countries?
- You may be subject to the national transposition laws of each Member State where you operate. NIS2 introduces a primary jurisdiction model for certain digital entities, but most organisations must comply with each country’s specific requirements.
Compliance Requirements
- What are the main compliance obligations under NIS2?
- NIS2 requires organisations to implement risk-based cybersecurity measures, establish incident detection and response capabilities, ensure supply chain security, conduct regular risk assessments, and provide staff training. Management bodies must also approve and oversee these measures.
- What incident reporting obligations does NIS2 impose?
- Significant incidents must be reported to the competent authority in three stages: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month. The definition of ‘significant’ depends on factors like service disruption scope and data impact.
- Is management personally liable under NIS2?
- Yes. NIS2 introduces personal accountability for senior management. Board members and executives can be held liable for failure to ensure compliance, and Member States may impose temporary management bans for repeated violations.
- Do I need ISO 27001 to comply with NIS2?
- ISO 27001 is not mandatory, but it provides a strong foundation. Many NIS2 requirements overlap with ISO 27001 controls. NIS2 Pro includes a crosswalk tool that maps your assessment results to relevant ISO 27001 controls.
- What are the penalties for non-compliance?
- Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to €7 million or 1.4% of global turnover. Individual Member States may impose additional sanctions.
Deadlines & Timelines
- What is the NIS2 transposition deadline?
- Member States were required to transpose NIS2 into national law by 17 October 2024. Some countries met this deadline; others are still in the process. Check our NIS2 Status page for the latest country-by-country progress.
- When do I need to register with the competent authority?
- Registration timelines vary by country. In many Member States, in-scope entities must register with their national competent authority within a specified period after the transposition law takes effect. Check your country’s guide for specifics.
- How often should I reassess my NIS2 compliance?
- We recommend reassessing at least every 12 months, or whenever there is a significant change in your organisation — such as entering a new market, a major IT transformation, an acquisition, or a security incident.
Supply Chain & Third Parties
- What does NIS2 require for supply chain security?
- Organisations must assess and manage cybersecurity risks across their supply chain, including direct suppliers and service providers. This includes contractual security requirements, due diligence on suppliers, and monitoring of third-party risk.
- Am I responsible for my suppliers’ compliance?
- You are not directly responsible for making your suppliers NIS2-compliant, but you must assess and manage the risks they introduce to your operations. If a supplier’s security weakness causes an incident affecting your services, you remain accountable.
- Does NIS2 affect cloud service providers?
- Yes. Cloud computing service providers are explicitly included as Important entities under NIS2. If you rely on cloud providers, you must also assess them as part of your supply chain risk management.
NIS2 Pro Platform
- What does NIS2 Pro do?
- NIS2 Pro helps organisations assess their NIS2 scope, evaluate their cybersecurity maturity, generate compliance reports, track improvement actions, and manage reassessments over time. It is designed specifically for SMEs navigating NIS2 requirements.
- Is NIS2 Pro a substitute for legal advice?
- No. NIS2 Pro provides guidance and tools to support your compliance journey, but it does not constitute legal advice. For binding legal interpretations, consult a qualified legal professional familiar with your jurisdiction’s transposition law.
- Can I manage multiple companies in NIS2 Pro?
- Yes. NIS2 Pro supports multiple company profiles under a single account. This is useful for group structures, consultants managing client portfolios, or organisations with subsidiaries in different sectors or countries.
- What reports can I generate?
- NIS2 Pro generates scope analysis reports, maturity score breakdowns, improvement roadmaps, board-ready summaries, risk registers, incident response kits, ISO 27001 crosswalk reports, and version comparison reports — all exportable as PDF or DOCX.
- Can I invite team members?
- Yes. You can invite colleagues to collaborate on a company profile with role-based access: Admin, Contributor, or Viewer. Team members receive an email invitation and can access the shared company data once they accept.
Pricing & Plans
- How is NIS2 Pro priced?
- NIS2 Pro offers a one-time Scope Check for €10 and three subscription tiers (Basic, Business, Business Plus) with monthly or annual billing. The Scope Check fee is credited towards a subscription if you enroll within 30 days. Visit the Pricing page for full details.
- What is included in a subscription?
- Subscriptions unlock the full platform: unlimited assessments, all report types, improvement tracking, risk register, compliance calendar, team collaboration, reassessment workflows, and access to all country and sector guides.
- Can I cancel my subscription?
- Yes. You can cancel at any time from your Account page. Your access continues until the end of the current billing period. No data is deleted upon cancellation.
GDPR & Data Protection
- How does NIS2 relate to GDPR?
- NIS2 and GDPR are complementary but separate regulations. GDPR focuses on personal data protection, while NIS2 focuses on network and information system security. An incident may trigger obligations under both — for example, a data breach affecting personal data requires GDPR notification alongside NIS2 incident reporting.
- Does NIS2 Pro store my data securely?
- Yes. All data is stored in EU-based infrastructure with encryption at rest and in transit. Access is controlled through authenticated sessions and role-based permissions. We do not share your assessment data with third parties.
- Can I export or delete my data?
- Yes. You can export all your assessment data and reports at any time. If you wish to delete your account and all associated data, contact our support team and we will process the request in accordance with GDPR requirements.