NIS2 readiness: technical controls, evidence and governance.
We help reduce operational exposure and management risk. We implement the Article 21 technical and governance measures, with a focus on essential/important entities and supply-chain security.
Essential and Important Entities
NIS2 generally covers medium and large organizations in critical sectors, and may extend obligations through contracts and the supply chain.
High-Criticality Sectors (Essential)
- Energy (Electricity, Oil, Gas)
- Transport (Air, Rail, Maritime)
- Banking and Financial Market Infrastructures
- Healthcare
- Drinking Water and Waste Water
- Digital Infrastructure (Cloud, Data Centers)
- Public Administration
Other Critical Sectors (Important)
- Postal and Courier Services
- Waste Management
- Manufacture and Distribution of Chemicals
- Food Production and Processing
- Manufacturing (Electronics, Machinery)
- Digital Providers (Marketplaces, Search Engines)
Enforcement and accountability
Accountability: management body
The goal isn’t “paper compliance”: it’s governance, oversight and evidence. We implement traceability (requirement → control → evidence → review) to demonstrate due diligence.
Penalties: fines and supervisory measures
NIS2 provides for significant penalties and supervisory actions, with exact application depending on national transposition. Real mitigation comes from operational controls, evidence and incident readiness.
24h: early warning (indicative)
You need real detection and response capabilities to report significant incidents within demanding timelines (e.g., a 24h early warning followed by a 72h notification), backed by traceable evidence.
Technical readiness strategy (Art. 21)
Governance and Oversight
Management-body training, clear roles, policies and a measurable cybersecurity risk-management system.
Incident Management
Detect, contain and communicate: operational capability to report significant incidents (24h/72h) and deliver a final report.
Supply-Chain Security
Third-party risk: vendor assessments, contractual requirements, SLAs, controls and defensible evidence.
Cyber Hygiene & Zero Trust
IAM, strong MFA, hardening, segmentation and least-privilege for critical assets.
Cryptography & Encryption
Data protection in transit and at rest, key management and verifiable controls.
Business Continuity
BCP/DR, backups (incl. immutability where relevant), testing and crisis management with evidence.
NIS2 FAQ
What does management-body accountability mean in practice?
NIS2 strengthens accountability: the management body must approve and oversee risk-management measures. The practical approach is governance + metrics + periodic reviews + evidence (not just documents) to demonstrate due diligence.
How should incident reporting be implemented?
You need an operational workflow that supports staged reporting within demanding timelines (commonly a 24h early warning and a 72h incident notification), plus a final report. The key is detection, triage, containment and traceable reporting with an auditable trail.
What penalties can apply under NIS2?
NIS2 provides for significant penalties and supervisory measures, with exact application depending on national transposition. Real mitigation comes from operational controls, evidence, third-party governance and incident readiness.
Where should we start?
Start with a technical + governance gap assessment: confirm your essential/important classification, map Article 21 measures, assess third parties, and build a risk-based roadmap with quick wins and evidence.
Are you ready for NIS2?
Don’t leave readiness to generalists. Hard2bit delivers engineering and execution to prove controls, reporting and response.