NIS2 — Already in Force

Is Your Board Ready for a NIS2 Audit?

7 questions mapped to what national competent authorities actually check. Article 20 personal liability, 24-hour incident reporting, supply chain security. 2 minutes.


Can you submit a 24-hour early warning to your national CSIRT right now?

What does NIS2 require?

NIS2 Article 20 requires management bodies at essential and important entities to complete cybersecurity training, approve risk management measures, and bear personal liability for compliance failures. Competent authorities can temporarily suspend individuals from management functions.

Article 23 mandates incident reporting within 24 hours (early warning), 72 hours (full notification), and 1 month (final report). In the first six months post-enforcement, ENISA received a 340% increase in incident reports.

Fines for essential entities: up to €10 million or 2% of global turnover. For important entities: €7 million or 1.4%.

Built by Blend Training

We design scenario-based compliance training where directors practice making decisions under pressure — not click-through slides. Our NIS2 course puts you in the CISO's chair during a ransomware attack with a 24-hour reporting deadline.

Frequently asked questions about NIS2

Who has to comply with NIS2?

NIS2 (Directive 2022/2555) applies to medium and large entities in 18 sectors split between Annex I (essential entities) and Annex II (important entities). Essential sectors include energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management B2B, public administration, and space. Important sectors include postal and courier services, waste management, chemicals, food, manufacturing of specific products, digital providers, and research. Threshold: at least 50 employees and €10M annual turnover or balance sheet. Size-cap exceptions apply for certain critical providers regardless of size.

What is the difference between essential and important entities?

Both categories must meet the same cybersecurity risk-management obligations under Article 21 and incident-reporting obligations under Article 23. The difference is in supervision and penalty ceilings. Essential entities are subject to ex-ante supervision: competent authorities can conduct unannounced on-site inspections, regular audits, and ad-hoc audits. Important entities are subject to ex-post supervision: action is taken when evidence of non-compliance arises. Penalty ceilings differ: essential entities face up to €10 million or 2% of global annual turnover; important entities face up to €7 million or 1.4%.

What does Article 20 personal liability mean for board members?

Article 20 imposes two duties on management bodies. First, members must approve and oversee implementation of the cybersecurity risk-management measures under Article 21 and can be held personally liable for failures. Second, members must follow training and ensure regular training is offered to all employees, with the aim of acquiring sufficient knowledge to identify cybersecurity risks and assess their impact. Member State transpositions can include temporary prohibitions on individuals exercising management functions where compliance failures persist.

What is the NIS2 24-hour incident reporting deadline?

For significant incidents, Article 23 requires three reports: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours including an initial assessment, and a final report within one month. A 'significant incident' is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. CSIRTs may request intermediate progress reports during the response.

What sectors are covered by NIS2?

Annex I essential sectors: energy (electricity, oil, gas, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health (healthcare providers, EU reference laboratories, manufacturers of medical devices that are critical during a public health emergency, pharmaceutical research and development for emergency use, medicinal products under Article 1(2) of Directive 2001/83/EC), drinking water, waste water, digital infrastructure (IXPs, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks, providers of publicly available electronic communications services), ICT service management (B2B managed services and managed security services), public administration (central and regional), space. Annex II important sectors: postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking services platforms), research.

What cybersecurity measures does Article 21 require?

Article 21 requires ten categories of measure, applied proportionately to risk: policies on risk analysis and information system security; incident handling; business continuity (backup management, disaster recovery, crisis management); supply chain security (including security-related aspects of the relationships between the entity and its direct suppliers and service providers); security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of cybersecurity risk-management measures; basic cyber hygiene practices and cybersecurity training; policies and procedures regarding the use of cryptography and encryption; human resources security, access control policies and asset management; and multi-factor authentication or continuous authentication, secured voice/video/text communications and secured emergency communication systems.

What is the NIS2 transposition deadline?

Member States were required to adopt and publish national measures transposing the Directive by 17 October 2024. Many Member States missed that deadline. The Directive applies in transposed Member States from the dates set out in their national law. Where a Member State has not transposed in time, entities should follow the Directive directly to the extent possible and monitor national transposition closely.

What training does NIS2 require?

Article 20 requires management bodies to follow training, and to ensure regular training is offered to employees. The Directive does not prescribe specific content but expects training proportionate to role and risk. For board members, training should cover cybersecurity governance, supervisory expectations, incident escalation thresholds, and personal liability under Article 20. For technical and operational staff, training should cover the Article 21 measures relevant to their role. For all staff, basic cyber hygiene training (phishing, credential management, escalation paths) is expected as a baseline.