# NIS2 Pro — Frequently Asked Questions

**Canonical URL:** https://www.nis2pro.com/faq  
**Last reviewed:** June 2026

---

## NIS2 Basics

### What is the NIS2 Directive?

The NIS2 Directive (Directive 2022/2555 of the European Parliament and of the Council) is EU legislation establishing a high common level of cybersecurity across the European Union. It entered into force on 16 January 2023 and replaced the original NIS Directive (2016/1148). NIS2 significantly expands the scope of regulated entities, strengthens security requirements, and introduces harmonised sanctions across member states. The transposition deadline for member states was 17 October 2024.

### When did NIS2 come into effect?

NIS2 entered into force in the EU on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024. Most member states missed this deadline. The European Commission issued reasoned opinions to 19 member states in May 2025 for failure to notify complete transposition. As of mid-2026, most major EU economies have now transposed NIS2, though a few remain in draft or pending stages.

### Which sectors does NIS2 cover?

NIS2 covers a broad range of sectors, divided into two categories:

**Annex I — Essential Entities:**
- Energy (electricity, oil, gas, district heating/cooling, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Health (hospitals, laboratories, pharmaceutical manufacturing, medical devices)
- Drinking water and waste water
- Digital infrastructure (internet exchange points, DNS, TLD registries, cloud, data centres, CDNs, trust services, electronic communications)
- ICT service management (B2B managed service providers, managed security service providers)
- Public administration (central and regional government)
- Space (operators of ground-based infrastructure)

**Annex II — Important Entities:**
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles, transport equipment)
- Digital providers (online marketplaces, online search engines, social networking platforms)
- Research organisations

Some member states have expanded scope beyond the Directive minimum through national legislation.

### What is the difference between Essential and Important entities?

**Essential entities** face stricter supervision — proactive, ex ante supervision by competent authorities — and higher maximum penalties (up to €10 million or 2% of total worldwide annual turnover).

**Important entities** are subject to reactive, ex post supervision — authorities act after receiving evidence of non-compliance — with lower maximum penalties (up to €7 million or 1.4% of total worldwide annual turnover).

Both categories must comply with the same core security obligations under Article 21 of NIS2.

### Does NIS2 apply to companies outside the EU?

NIS2 can apply to non-EU organisations if they provide services within the EU. Such organisations must designate a representative established in the EU. Specific rules apply depending on the sector and service type. Organisations supplying to EU essential or important entities may also face indirect NIS2 obligations through supply chain security requirements.

---

## Scope & Classification

### How do I know if my organisation is in scope?

NIS2 scope is determined by three factors: (1) sector — whether you operate in one of the sectors listed in Annex I or II; (2) size — the general threshold is medium-sized enterprises (50+ employees and/or €10 million+ annual turnover), though certain entities are in scope regardless of size; and (3) criticality — some entities are automatically in scope due to the critical nature of their services.

NIS2 Pro's Scope Check provides a guided assessment of all these factors in approximately 10 minutes.

### What does NIS2 Pro's Scope Check do?

The NIS2 Pro Scope Check is a structured questionnaire that evaluates your sector, company size, revenue, and digital infrastructure against NIS2 scope criteria and national implementation nuances. It produces a scope classification (In Scope / Borderline / Exempt), explains the reasoning, identifies sector-specific considerations, and recommends next steps. Cost: €10 one-time, credited toward any subscription within 30 days.

### Can a small company fall under NIS2?

Yes. While the general thresholds are 50+ employees or €10 million+ turnover, certain entities are in scope regardless of size. These include: qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic communications networks, and entities that are the sole provider of a service that is essential for maintaining critical societal or economic activities in a member state. Additionally, member states may designate smaller entities as essential or important.

### What if I operate in multiple EU countries?

If you operate in multiple EU member states, you are generally subject to supervision in each country where you provide services. For entities providing services in more than one member state, the member state where the entity is established (or where its representative is established) typically has lead supervisory jurisdiction. You should assess your obligations in each country where you operate.

---

## Compliance Requirements

### What are the main compliance obligations under NIS2?

Under Article 21 of NIS2, in-scope entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Key required measures include:

1. Risk analysis and information system security policies
2. Incident handling (prevention, detection, and response)
3. Business continuity and crisis management (backup management, disaster recovery)
4. Supply chain security (security of relationships with direct suppliers and service providers)
5. Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
7. Basic cyber hygiene practices and cybersecurity training
8. Policies and procedures regarding the use of cryptography and encryption
9. Human resources security, access control policies, and asset management
10. Use of multi-factor authentication or continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems

Management bodies of in-scope entities must approve these measures, oversee their implementation, and can be held personally liable for infringements.

### What incident reporting obligations does NIS2 impose?

NIS2 imposes a three-stage notification process for significant incidents:

- **Early warning:** Within 24 hours of becoming aware of a significant incident, notify the national CSIRT or competent authority.
- **Incident notification:** Within 72 hours of becoming aware, provide an updated notification with initial assessment of severity and impact.
- **Final report:** Within one month of the incident notification, submit a final report with description of the incident, type of threat, root cause, applied mitigation measures, and cross-border impact (if any).

An incident is "significant" if it has caused or could cause severe operational disruption or financial loss to the entity, or affected or could affect other persons by causing considerable material or non-material damage.

### Is management personally liable under NIS2?

Yes. NIS2 explicitly requires that management bodies of essential and important entities approve and oversee cybersecurity risk-management measures. Management body members may be held personally liable for non-compliance and can be temporarily prohibited from exercising managerial functions. This is a significant departure from the original NIS Directive.

### Do I need ISO 27001 to comply with NIS2?

ISO 27001 is not required by the NIS2 Directive itself, but it is widely referenced as an appropriate framework. Some member states (notably Belgium, which uses its CyFun® framework, and Poland, which mandates ISO 27001) have made ISO 27001 effectively a compliance pathway. NIS2 Pro's Business Plus plan includes an ISO 27001 crosswalk mapping to help organisations understand the relationship between their NIS2 obligations and ISO 27001 controls.

### What are the penalties for non-compliance?

**Essential entities:** Up to €10 million or 2% of total worldwide annual turnover (whichever is higher).  
**Important entities:** Up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher).

Some member states have set higher national penalties (e.g., Poland: up to PLN 100 million, approximately €24 million). Personal liability of management body members is also possible.

---

## Deadlines & Timelines

### What is the NIS2 transposition deadline?

The deadline for EU member states to transpose NIS2 into national law was 17 October 2024. Most member states missed this deadline. As of mid-2026, 16 member states are fully notified, 6 have adopted national laws pending Commission confirmation, and a few remain in draft stages.

### When do I need to register with the competent authority?

Registration deadlines vary by member state. Some countries have already passed their initial registration deadlines (Germany: March 2026, Belgium: March 2025, Italy: early 2025). In member states with later or upcoming deadlines, organisations should begin compliance preparation immediately. Check the [NIS2 Status Tracker](https://www.nis2pro.com/status) for current country-specific deadlines.

### How often should I reassess my NIS2 compliance?

At minimum, annually — or whenever there is a significant change to your business, technology environment, or services. NIS2 Pro provides annual reassessment reminders and supports version history to track changes over time. Some member states require biennial independent audits for essential entities.

---

## Supply Chain & Third Parties

### What does NIS2 require for supply chain security?

NIS2 Article 21 requires in-scope entities to address cybersecurity in supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. Entities must consider the overall quality of products and cybersecurity practices of their suppliers, including their secure development procedures.

### Am I responsible for my suppliers' compliance?

NIS2 places the compliance obligation on the regulated entity, not directly on its suppliers (unless those suppliers are themselves in scope). However, regulated entities must assess and manage supply chain cybersecurity risks. This means you should include cybersecurity requirements in supplier contracts and conduct supplier security assessments. NIS2 Pro provides Vendor Assessment Templates to support this process.

### Does NIS2 affect cloud service providers?

Yes. Cloud computing service providers are explicitly covered under Annex I (digital infrastructure) as essential entities. Organisations using cloud services also have obligations to assess and manage the cybersecurity risks associated with those providers as part of their supply chain security obligations.

---

## NIS2 Pro Platform

### What does NIS2 Pro do?

NIS2 Pro is a self-service SaaS compliance platform. It provides:
- Scope determination via guided assessment
- Risk register generation
- Automated cybersecurity policy generation
- Action planning and implementation roadmaps
- Incident response kits and regulator notification templates
- Country-specific compliance guidance
- Documentation export (PDF and DOCX)
- Compliance tracking and monitoring
- Board-ready reporting (Business Plus)

### Is NIS2 Pro a substitute for legal advice?

No. NIS2 Pro provides documentation tools and compliance guidance. It does not constitute legal advice. For specific legal questions — including interpretation of national transposition laws, personal liability risk, or regulatory enforcement matters — organisations should consult a qualified attorney.

### Can I manage multiple companies in NIS2 Pro?

Yes. The Business plan supports up to 3 companies with 5 seats. The Business Plus plan supports up to 5 companies with 10 seats. This is designed for groups, consultants managing multiple clients, or multi-entity organisations.

### What reports can I generate?

Depending on your plan, available reports include:
- Scope Report
- Overview Report
- Risk Register
- Action Roadmap
- Score Breakdown
- Full Policy Pack (Incident Response, Access Control, Backup & Recovery, Supplier Security, Business Continuity)
- Regulator Notification Templates
- Incident Playbooks
- Board Reports (Business Plus)
- ISO 27001 Crosswalk (Business Plus)

### Can I invite team members?

Yes. The Basic plan includes 1 seat. Business includes 5 seats. Business Plus includes 10 seats.

---

## Pricing & Plans

### How is NIS2 Pro priced?

- **Scope Check:** €10 one-time (creditd toward any subscription within 30 days)
- **Basic:** €19/month (or annual equivalent with 1 month free)
- **Business:** €49/month
- **Business Plus:** €99/month

### What is included in a subscription?

Subscriptions include access to the NIS2 Pro platform features corresponding to your plan, including assessment tools, report generation, policy generation, action planning, and support resources. See the [Features page](https://www.nis2pro.com/features) for a full comparison.

### Can I cancel my subscription?

Yes. There are no long-term contracts. You can cancel at any time. All documents you have already downloaded remain yours.

---

## GDPR & Data Protection

### How does NIS2 relate to GDPR?

NIS2 and GDPR are complementary but distinct frameworks. GDPR governs the processing of personal data and applies to virtually all organisations handling EU personal data. NIS2 governs cybersecurity risk management and incident reporting for entities in specific sectors. An organisation may be subject to both frameworks simultaneously. A significant cybersecurity incident may simultaneously trigger NIS2 incident reporting obligations and GDPR breach notification obligations.

### Does NIS2 Pro store my data securely?

Yes. NIS2 Pro uses encrypted storage, EU-hosted infrastructure, and GDPR-compliant data processing practices. Customer data is never sold or shared with third parties.

### Can I export or delete my data?

Yes. All documents and reports can be exported at any time. You can request deletion of your account and associated data in accordance with your GDPR rights.

---

## Still Have Questions?

- [Contact NIS2 Pro →](https://www.nis2pro.com/contact)
- [Browse Country & Sector Guides →](https://www.nis2pro.com/guides)
- [Check NIS2 Status by Country →](https://www.nis2pro.com/status)
