NIS2, without the guesswork

Comply with the EU NIS2 Directive

The Article 21 risk-management measures as controls, Article 23 incident reporting timers, supply-chain security, and management-body oversight — mapped to ISO 27001 so you don't start from scratch.

What is NIS2?

NIS2 — Directive (EU) 2022/2555 — is the European Union's updated cybersecurity directive. It replaces the original 2016 NIS Directive and dramatically expands both the range of organizations in scope and the rigor of what they must do. The transposition deadline for Member States was October 17, 2024, and because national implementation and enforcement have rolled out unevenly, 2026 is a key year as the remaining requirements and supervisory regimes come fully into effect.

Unlike a regulation, a directive is implemented through national law, so the precise rules vary by Member State — but the baseline obligations below are common across the EU.

Who is in scope

NIS2 applies to medium and large organizations across roughly 18 sectors, including energy, transport, banking and financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, manufacturing, and food. In-scope organizations are classified as essential or important entities; essential entities face proactive supervision, while important entities are supervised reactively, and the distinction also affects the size of potential fines.

Core requirements

  • Risk-management measures (Article 21) — a baseline set of ten measures including incident handling, business continuity and crisis management, supply-chain security, secure development and vulnerability handling, cryptography, access control, and multi-factor authentication.
  • Incident reporting (Article 23) — for a significant incident, a 24-hour early warning, a 72-hour notification, and a one-month final report to the national CSIRT or competent authority.
  • Governance and accountability — management bodies must approve and oversee cybersecurity measures and can be held personally liable; staff must receive training, and entities must register with their authority.

How episki helps

episki implements the Article 21 measures as living controls, tracks the 24-hour / 72-hour / one-month reporting windows for every significant incident, and manages supply-chain and governance obligations in one workspace. Because most NIS2 measures map directly to ISO 27001 Annex A and NIST CSF, an existing security program covers the large majority of NIS2 — episki shows you exactly where the gaps are.

NIS2 outcomes with episki

Quantify the impact security and compliance bring to your business.
  • 18 sectors: Essential and important entities across energy, health, digital, finance, and more.
  • 24h / 72h: Early-warning and notification timers for significant incidents, tracked to the deadline.
  • ISO 27001 mapped: Article 21 measures cross-walked to ISO 27001 Annex A for evidence reuse.

Why teams choose episki for NIS2

Framework-specific automation, collaboration, and reporting in one workspace.
Article 21 measures as controls
The ten baseline risk-management measures implemented and evidenced.
  • Incident handling, BCDR, and crisis management
  • Supply-chain and third-party security
  • Cryptography, access control, and MFA
Incident reporting on the clock
Classify significant incidents and hit every reporting window.
  • 24-hour early warning
  • 72-hour incident notification
  • One-month final report
Governance and accountability
The management-body oversight and training NIS2 requires.
  • Management-body approval and liability
  • Security awareness and training
  • Entity registration with the authority

NIS2 readiness inside episki

What an essential or important entity needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Scope determination (essential vs. important entity)
  • Article 21 risk-management measures as controls
  • Incident classification and 24h / 72h / 1-month reporting
  • Supply-chain and third-party security program
  • Business continuity, backup, and crisis management
  • Management-body oversight, training, and registration

NIS2 readiness accelerators

Translate the Directive into a working program your regulator will recognize.
  • Scope assessment: Determine whether you are an essential or important entity, and your obligations.
  • Incident reporting timers: Track the early-warning, notification, and final-report windows per incident.
  • ISO 27001 crosswalk: Reuse your ISO 27001 Annex A controls to satisfy the Article 21 measures.

Build a NIS2 program in episki

Implement the Article 21 measures once and reuse your ISO 27001 evidence to get there faster.