NIS2 Directive (EU Network and Information Security)
An EU directive, in force since October 2024, that mandates cybersecurity risk management and incident reporting for a broad range of essential and important entities.
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated network and information security legislation. It replaced the original NIS Directive (2016) and became legally effective across EU member states from October 2024. NIS2 significantly expands the scope of the original directive: instead of a narrow set of Operators of Essential Services and Digital Service Providers, it covers a far broader range of organizations classified as either Essential Entities (EE) or Important Entities (IE) across eighteen sectors, including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
The core obligations under NIS2 are organized around two pillars: cybersecurity risk management measures and incident reporting. On risk management, organizations must implement technical and organizational measures appropriate to the risks, including policies on risk analysis and information system security, incident handling, business continuity, supply chain security, procurement practices, access control, cryptography, and multi-factor authentication. Critically, NIS2 holds senior management personally accountable for compliance — management bodies can be held liable for infringements and may be prohibited from exercising managerial functions if their organization repeatedly violates the directive.
Incident reporting under NIS2 is more prescriptive than its predecessor. Significant incidents must be reported to the national Computer Security Incident Response Team (CSIRT) within 24 hours of becoming aware (early warning), with a full incident notification within 72 hours, and a final report within one month. Significant incidents are defined as those causing or capable of causing severe operational disruption, financial loss, or harm to other natural or legal persons. The supply chain dimension is particularly notable: organizations must assess the security of suppliers and service providers, and incidents caused by third-party vulnerabilities must be reported under the same timeline.
The enforcement regime is substantially strengthened under NIS2. Essential Entities are subject to proactive supervision, including regular audits, on-site checks, and security scans. Important Entities are subject to reactive supervision, triggered by evidence of non-compliance or incidents. Financial penalties for Essential Entities can reach 10 million euros or 2% of global annual turnover (whichever is higher); for Important Entities, 7 million euros or 1.4% of global annual turnover. Organizations operating in the EU — including non-EU businesses that provide services to EU entities within the directive's scope — should conduct a NIS2 scoping assessment, gap analysis against the risk management requirements, and incident response readiness review as priority compliance activities.