Who is concerned?
NIS2 dramatically expanded the scope of EU cybersecurity regulation. It covers two categories:
Essential entities (Annex I): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space.
Important entities (Annex II): postal and courier services, waste management, manufacture/production/distribution of chemicals, food, manufacturing, digital providers, research.
Generally: medium and large enterprises (>50 employees, >€10M turnover) in these sectors. Specific thresholds vary by member state transposition.
What it requires (high-level)
- Risk management measures (Art. 21): policies, incident handling, business continuity, supply chain security, vulnerability disclosure, cryptography, MFA.
- Incident notification: early warning within 24h, incident notification within 72h, final report within 1 month.
- Supply chain security: assess and account for vulnerabilities of direct suppliers and service providers.
- Management body accountability: top management is personally liable for non-compliance — including potential bans from management roles.
Penalty exposure
Up to €10M or 2% of global annual turnover for essential entities. Up to €7M or 1.4% for important entities. Plus personal liability for board / management body in some member states (FR, DE, IT, ES have implemented this strongly).
How NexCyber helps with NIS2
- Essential vs important classification — automated based on your sector, size, and member state.
- Art. 21 risk management measures mapping — each measure mapped to controls (ISO 27001, NIST CSF).
- Incident reporting workflow — pre-filled templates for 24h / 72h / 1-month obligations.
- Supply chain visibility — vendor inventory + tier-1 risk scoring.
- Management body briefings — board-ready PDF reports with personal liability heat-map.
Critical: if you haven't started NIS2 implementation yet, you are already non-compliant in most EU member states.