EU NIS2 Directive (EU) 2022/2555 Compliance

Build an NIS2 compliance program that works during incidents and audits.

Output: scoped program, owned controls, reporting workflows, and evidence packs aligned to supervision expectations.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

NIS2 compliance is the ability to demonstrate, quickly and credibly, that you govern cybersecurity at management level, that your controls reduce real risk, and that you can report significant incidents on time with supporting evidence. Use this page as the operating model for your NIS2 program.

Section 1

Compliance operating model (what the program must produce)

Treat compliance outputs as artefacts that can be audited: scope memo, control register, incident reporting workflow, and evidence vault.

  • Scope memo: per legal entity, sector mapping, size-cap logic, essential vs important classification, and jurisdiction assumptions.
  • Control baseline: Article 21 a-j mapped to control IDs, owners, KPIs, and evidence items (tests, logs, audits, training).
  • Incident reporting workflow: significant incident triage, 24h/72h/1 month templates, and authority contact routes.
  • Governance: management approval and oversight cadence (Article 20), training records, and risk acceptance decisions.

Section 2

Phased implementation plan (fast risk reduction + fast defensibility)

Sequence matters. Prioritise controls that reduce impact and controls that enable reporting and evidence capture.

  • Phase 1 (0-30 days): scope memo, RACI, incident reporting workflow, backup/restore baseline + restore test, MFA for admin access.
  • Phase 2 (31-60 days): supplier tiering + contract clauses, vulnerability handling and patch SLAs, monitoring/logging coverage uplift.
  • Phase 3 (61-90 days): control effectiveness testing cadence (audits/scans/tabletops), KPI dashboards, and management review sign-off.
  • Phase 4 (ongoing): continuous risk cycles, supplier reviews, and recurring reporting drills.

Section 3

Audit and supervision readiness (design your evidence so it can be produced quickly)

Supervision can involve audits, scans, and requests for policies and evidence. Build an evidence vault with tight access control and clear indexing.

  • Index evidence by requirement: Article 20, Article 21 a-j, Article 23 reporting, and national transposition specifics.
  • Maintain an exception register with expiry dates and management approval for risk acceptance.
  • Keep incident evidence separate from "policy evidence": timelines, logs, IoCs, and reporting submissions must be retrievable.
  • Prove effectiveness (Article 21(2)(f)) with test results, audit findings, remediation tracking, and KPI trends.

Section 4

Handle national transposition reality (how to stay consistent across jurisdictions)

NIS2 is implemented through Member State transposition and supervision. Your program needs a central baseline with local overlays.

  • Keep a per-country overlay sheet: competent authority/CSIRT routes, reporting portals, and any additional requirements.
  • If you operate in multiple Member States, document how you will coordinate incident reporting across jurisdictions.
  • Track transposition updates and update your scope memo and reporting routes when national rules change.