NIS2Free Resource
EU NIS2 Directive Timeline and Compliance Decision Flow
Use this artifact to scope NIS2 applicability under Annex I or Annex II, test the size cap and regardless of size triggers, decide whether you are an essential or important entity, and convert Article 20, Article 21, and Article 23 into an implementation plan.
NIS2 entered into force on 16 January 2023. Member States had to transpose it by 17 October 2024 and apply national measures from 18 October 2024. The exact supervisory route, reporting portal, and local penalty regime still depend on Member State implementation.
Run the NIS2 applicability testPublication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
What you can decide faster
In scope or out of scope
Annex I or Annex II mapping, size cap logic, regardless of size triggers, and Article 4 overlap checks.
Essential vs important
What changes in supervision, evidence expectations, management accountability, and enforcement.
Controls + reporting
Article 21 measures, Implementing Regulation (EU) 2024/2690 where relevant, and Article 23 reporting.
By Sorena AIGrounded in official EU sourcesUpdated March 2026
Quick scan
NIS2Scope
Map services to Annex I or Annex II and document size and jurisdiction logic.
Controls
Implement Article 21 measures and the 2024/2690 baseline where applicable.
Reporting
Run a 24h early warning, 72h notification, and 1 month final report workflow.
Use the linked guides to turn NIS2 into scope memos, management approvals, incident runbooks, and evidence packs.
16 Jan 2023
In force
17 Oct 2024
Transposition
17 Apr 2025
Entity lists
2024/2690
Implementing act
Essential vs important
Article 21 baseline
24h/72h reporting
NIS2 Timeline
Key dates for cybersecurity planning
Track adoption, transposition, entity list deadlines, the 2024 implementing regulation, the 2025 Commission enforcement step on late transposition, and the 2026 targeted amendment proposal while keeping your local overlays current.
Loading timeline...
NIS2 Decision Flow
How to structure a NIS2 scoping review
Use the decision flow as an EU baseline, then confirm authority routes, entity listing mechanics, and national penalty rules in each Member State where you operate.
Loading decision map...
Topic guides
Deep dive pages for implementation planning, controls, reporting, and evidence.
1
Applicability Test | EU NIS2 Directive (EU) 2022/2555 | In Scope? Essential vs Important?
A grounded NIS2 applicability test: map each legal entity to Annex I or Annex II, apply the NIS2 size-cap rule and regardless-of-size triggers.
Read Guide
2
Article 21 Control Baseline | EU NIS2 Directive (EU) 2022/2555 | Cybersecurity Risk Management Measures
A practical Article 21 control baseline for NIS2: translate Article 21(2)(a) to (j) into owned controls, KPIs, tests, and evidence.
Read Guide
3
Checklist | EU NIS2 Directive (EU) 2022/2555 | Audit-Ready Owners, Evidence, Acceptance Criteria
An audit-ready EU NIS2 compliance checklist: scope (Annex I/II + size-cap rules), essential vs important classification, Article 21 control baseline.
Read Guide
4
Compliance Guide | EU NIS2 Directive (EU) 2022/2555 | Build an Audit-Ready Program
A practical EU NIS2 compliance guide: how to run scope and classification, build Article 21 controls, implement Article 23 reporting workflows.
Read Guide
5
Deadlines and Compliance Calendar | EU NIS2 Directive (EU) 2022/2555 | 16 January 2023, 17 October 2024, 17 April 2025
A practical EU NIS2 deadlines and compliance calendar with the legal anchor dates that matter: entry into force on 16 January 2023.
Read Guide
6
FAQ | EU NIS2 Directive (EU) 2022/2555 | Scope, Essential vs Important, Article 21, Article 23 (24h/72h)
High-intent EU NIS2 FAQ: who is in scope, how essential vs important works, what Article 21 requires.
Read Guide
7
Incident Reporting Workflow | EU NIS2 Directive (EU) 2022/2555 | 24h Early Warning, 72h Notification, Final Report (1 Month)
A practical NIS2 incident reporting workflow grounded in Article 23 and Commission Implementing Regulation (EU) 2024/2690: define significant incidents.
Read Guide
8
Management Body Accountability | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Training, Liability
A practical Article 20 governance guide for EU NIS2: what the management body must approve and oversee, how liability and training work.
Read Guide
9
National Transposition Tracker | EU NIS2 Directive (EU) 2022/2555 | How to Track Local Laws, Authorities, Portals
A practical NIS2 national transposition tracker: monitor Member State implementation, find competent authority and CSIRT routes.
Read Guide
10
NIS2 vs ISO/IEC 27001 | How to Reuse Your ISMS for EU NIS2 Directive (EU) 2022/2555
A practical NIS2 vs ISO/IEC 27001 mapping: how to reuse an ISMS (risk assessment, policies, internal audits, management review.
Read Guide
11
NIS2 vs ISO/IEC 27017 | Cloud Security Mapping for EU NIS2 Directive (EU) 2022/2555
A practical mapping for cloud teams: how NIS2 Article 21 controls and Article 23 reporting apply to cloud service providers and cloud-dependent organisations.
Read Guide
12
NIS2 vs NIS1 | Directive (EU) 2022/2555 vs Directive (EU) 2016/1148 | Scope, Supervision, Reporting
A practical comparison of NIS2 vs NIS1: what changed in scope and sectors, how essential vs important works.
Read Guide
13
Penalties and Fines | EU NIS2 Directive (EU) 2022/2555 | Article 32-34 Enforcement + Fine Thresholds
A practical NIS2 enforcement guide: how supervision works for essential vs important entities (Articles 32-33), what enforcement measures authorities can use.
Read Guide
14
Requirements | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Article 21 Controls, Article 23 Reporting
A practical EU NIS2 requirements breakdown grounded in Articles 20 to 23, the Article 3 and Article 4 guidelines, and Implementing Regulation (EU) 2024/2690.
Read Guide
15
Scope: Essential vs Important | EU NIS2 Directive (EU) 2022/2555 | Article 3 Classification + What Changes
A practical guide to NIS2 scope classification: how essential vs important entities work (Article 3).
Read Guide
16
Supply Chain Security Program | EU NIS2 Directive (EU) 2022/2555 | Article 21(d) Supplier Risk + Evidence
A practical NIS2 supply chain security program (Article 21(d)): vendor tiering, security requirements, onboarding/offboarding controls, continuous assurance.
Read Guide
Next step
Turn EU NIS2 Directive Timeline and Compliance Decision Flow into an operational assessment workflow
EU NIS2 Directive Timeline and Compliance Decision Flow should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into Research Copilot when the artifact needs deeper research, evidence governance, or supporting analysis.
What this unlocks
- Start from EU NIS2 Directive Timeline and Compliance Decision Flow and route the work by entity, product, team, or control owner.
- Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
- Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.
Recommended route
Open Assessment Autopilot
Turn the guidance into owned tasks, evidence requests, and review checkpoints for EU NIS2 Directive Timeline and Compliance Decision Flow.
Supporting route
Open Research Copilot
Answer scope, timing, and interpretation questions with cited outputs from the same artifact.
Talk to Sorena
Talk through EU NIS2 Directive Timeline and Compliance Decision Flow
Review your current process, evidence model, and next steps for EU NIS2 Directive Timeline and Compliance Decision Flow.
Discuss your setup
Share it internally
Download the artifact exports to align legal, product, engineering, and commercial teams.