NIS2 Directive (EU 2022/2555) · European Union

NIS2 Directive Compliance for EU Essential & Important Entities

Infilux AppSec delivers NIS2 Directive (EU 2022/2555) compliance for organisations classified as essential or important entities under Article 3: the Article 21 cybersecurity risk-management measures, the Article 23 incident-reporting obligations (24-hour early warning, 72-hour incident notification, final report one month after that), governance and supply-chain controls, and registration of the entity with the national competent authority or CSIRT, as your member state's transposing law requires.

Coverage: European Union, Norway, Iceland, Liechtenstein

NIS2's transposition deadline was 17 October 2024, with its provisions applying from 18 October 2024 (several member states transposed late). It expands the scope of EU cybersecurity regulation from roughly 17,000 entities under NIS1 to an estimated 180,000+ under NIS2. Sectors newly in scope include B2B ICT service management, public administration, manufacturing of critical products, postal and courier services, waste management, food production, chemical manufacturing, and a much broader digital-infrastructure sector (data centres, CDNs and trust service providers among others).

The most under-appreciated provision is Article 20: management bodies (boards, executives) must approve the Article 21 measures, oversee their implementation, and can be held liable for infringements. For essential entities, supervisory authorities can go further under Article 32 and ask for a temporary ban on individuals exercising managerial functions at CEO or legal-representative level. This raises board-level engagement considerably compared to NIS1.

Our NIS2 engagement covers the full lifecycle: classifying your entity status, gap analysis against the 10 Article 21 measures, governance and risk-programme implementation, supply-chain security controls under Article 21(d), an incident-response playbook built around the 24-hour / 72-hour / one-month reporting timeline, and the entity-registration process with your national authority.

Key controls we implement

Entity classification (Article 3)

Essential vs important status sets the fine ceiling member states must provide for (at least €10M or 2% of worldwide annual turnover, whichever is higher, for essential entities; at least €7M or 1.4% for important entities) and the supervisory regime: essential entities face proactive ex ante supervision under Article 32, important entities ex post supervision under Article 33, triggered by evidence of non-compliance.

Article 21(a) risk management

Risk-analysis-and-information-system-security policies. Documented, board-approved, reviewed at defined intervals.

Article 21(b) incident handling

Detection, response, and recovery procedures. Integration with the Article 23 incident-reporting timeline.

Article 21(c) business continuity

Backup management, disaster recovery and crisis management (the three named in Article 21(c)), with regular testing of each.

Article 21(d) supply-chain security

Cybersecurity assessment of direct suppliers and service providers, including supplier-specific vulnerabilities and the quality of their secure-development practices, which the Directive names explicitly. This is broader than typical procurement vendor-risk questionnaires.

Article 21(h) cryptography and Article 21(j) MFA

Policies on the use of cryptography and, where appropriate, encryption (Article 21(h)); multi-factor or continuous authentication plus secured voice, video, text and emergency communications (Article 21(j)). We deploy phishing-resistant MFA (for example FIDO2/WebAuthn) for privileged and other sensitive accounts. Note that Article 21(g) covers basic cyber-hygiene practices and cybersecurity training, which we address under the governance programme.

Article 23 incident reporting

For any significant incident: a 24-hour early warning, a 72-hour incident notification (initial assessment of severity, impact and indicators of compromise), and a final report within one month of that notification (or a progress report if the incident is still ongoing), submitted to the CSIRT or competent authority. Article 23 also requires informing recipients of your services who are likely to be adversely affected.

Frequently asked

Are we in scope for NIS2?
Two factors: (1) you operate in one of the 18 sectors listed in Annex I or Annex II (energy, transport, banking, digital infrastructure, B2B ICT service management, manufacturing of critical products, public administration, etc.), AND (2) you are at least a medium-sized enterprise (50+ employees, or annual turnover or balance sheet above €10M). Some entity types are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers and providers of public electronic communications networks. Many SaaS and cloud providers serving EU enterprises are in scope.
What's the difference between essential and important entities?
Essential entities are, as a rule, large enterprises (250+ employees, or €50M+ turnover and €43M+ balance sheet) in Annex I sectors (energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, space), plus certain entity types designated regardless of size (e.g. qualified trust service providers, TLD registries, DNS providers). Important entities are medium-sized Annex I entities and medium or large entities in Annex II sectors (postal, waste management, chemicals, food, manufacturing, digital providers, research). Both must meet Article 21 measures and Article 23 reporting; essential entities face ex ante supervision and higher fine ceilings.
What changed from NIS1 to NIS2?
Much wider scope (roughly 17,000 to 180,000+ entities), a staged incident-reporting timeline (24-hour / 72-hour / one-month instead of NIS1's single notification "without undue delay"), board-level liability, a harmonised supervisory regime across member states, an explicit supply-chain security mandate, and fine ceilings of at least €10M or 2% of worldwide turnover.
We're a non-EU SaaS serving EU customers. Does NIS2 apply?
Two ways. First, if you are a cloud computing, data centre, CDN, managed (security) service, online marketplace, search engine or social-networking provider offering services in the EU without being established there, Article 26(3) brings you directly into scope and requires you to designate a representative in a member state. Second, if your EU customers are essential or important entities, your service is part of their supply chain under Article 21(d), and they will pass NIS2 expectations through to you contractually even when you are not directly regulated. Practically, every B2B SaaS serving EU enterprises should be ready to demonstrate Article 21 alignment.
How long does NIS2 readiness take?
4-8 months for a first-time programme depending on existing maturity. Organisations with ISO 27001 already in place can compress this — 60-70% of NIS2 measures map directly to ISO 27001:2022 Annex A controls.
