Compliance Guide | EU

NIS2 compliance scope, controls, and reporting

Map NIS2 obligations into an owned compliance record: entity scope, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, management accountability, and evidence.

Use this page to separate EU-level duties from Member State implementation details before assigning owners, controls, incident workflows, supplier checks, and review triggers.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026
Sections: 6 (structured answer sets in this page tree)
Primary sources: 4 (cited legal and guidance references)

Overview

NIS2 compliance starts with a defensible scope decision and then turns that decision into controls, reporting procedures, governance evidence, and Member State follow-up. The Directive sets the EU framework for essential and important entities, Article 21 risk-management measures, Article 23 significant-incident reporting, and management-body accountability. National implementation and sector-specific rules still need to be checked before treating a workflow as complete.

Section 1: Start with an entity-scope decision

Do not begin with a generic security checklist. First determine whether the organization is an essential or important entity under the NIS2 framework, which Annex I or Annex II sector is involved, and whether size-threshold or special-case rules apply.

The compliance record should show the legal entity, establishment or jurisdiction facts, sector classification, services in scope, and the reason any affiliate, product line, or supplier relationship was excluded. That record becomes the baseline for control assignments and incident-reporting routes.

  • Record the entity type, sector, services, countries, and any size-threshold or special-case reasoning.
  • Separate EU Directive scope from Member State implementation rules and local supervisory contacts.
  • Treat new countries, acquisitions, regulated service launches, and major supplier changes as reassessment triggers.
  • Keep the source citation beside the scope decision so later reviewers can see why the entity was classified.

Section 2: Translate Article 21 into owned controls

Article 21 requires essential and important entities to apply appropriate and proportionate cybersecurity risk-management measures. A practical compliance program should convert those measures into named controls, evidence owners, approval checkpoints, and test cadence.

The control baseline should cover risk analysis and information-system security policies, incident handling, business continuity, supply-chain security, secure acquisition and development, vulnerability handling, effectiveness assessment, cyber hygiene, training, cryptography where appropriate, access control, asset management, and secure communications practices.

  • Assign each Article 21 topic to an accountable control owner who can change the process.
  • Store policy approvals, risk assessments, test results, exception decisions, and remediation evidence together.
  • Link supplier and service-provider controls to contracts, security clauses, assurance reviews, and renewal checks.
  • Use proportionality deliberately: document risk exposure, entity size and structure, service criticality, and compensating measures.

Section 3: Make management accountability auditable

NIS2 is not only a security-operations exercise. Management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation, and can be held accountable under national transposition rules.

Compliance evidence should therefore show when management reviewed the risk posture, what measures were approved, what exceptions were accepted, what training was completed, and how unresolved cyber risk is escalated.

  • Keep management approvals for NIS2 policies and material control exceptions.
  • Track management-body training or awareness records where required by the local implementation.
  • Escalate overdue Article 21 remediation, repeated control failures, and significant incident lessons learned.
  • Make board or executive reporting specific enough to show oversight, not just awareness.

Section 4: Build Article 23 incident reporting before an incident

NIS2 significant-incident reporting should be designed before an incident occurs. The workflow needs a detection-to-assessment step, a decision point for significant incidents, and routes to the CSIRT or competent authority required by the relevant Member State.

The Commission FAQ describes a staged reporting model: an early warning within 24 hours of becoming aware, an incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification. Local implementation and authority instructions still control how each submission is made.

  • Define when the organization is considered aware of a significant incident and who can make that determination.
  • Preserve timestamps for detection, triage, awareness, early warning, notification, updates, and final report delivery.
  • Pre-map Member State reporting portals, competent authorities, and CSIRT contacts for each in-scope establishment.
  • Keep customer, regulator, and internal escalation messages consistent with the Article 23 evidence file.
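The staged clocks above only work as evidence if the awareness moment, the person who declared it, each deadline, and each submission time are recorded together. The following is an added illustration, not code from the page or from Sorena: a small incident-clock record that derives the three Article 23 deadlines from the awareness timestamp, refuses naive (timezone-less) timestamps, and reports per-stage status. The incident data is constructed; the "one month" final-report window is modelled as 30 days and anchored to the incident notification (or, until that is sent, to the latest time it could be sent), both of which are assumptions to confirm against the competent authority's counting rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc

# Staged windows as summarised on the page (Commission FAQ): 24h early warning,
# 72h incident notification, final report within one month of the notification.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)   # "one month" modelled as 30 days (assumption)


def _require_utc(ts: datetime, name: str) -> datetime:
    """Evidence timestamps must be timezone-aware; a naive time is ambiguous across countries."""
    if ts.tzinfo is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(UTC)


def _fmt(delta: timedelta) -> str:
    """Render a duration as hours and minutes for the evidence file."""
    mins = int(delta.total_seconds() // 60)
    return f"{mins // 60}h {mins % 60:02d}m"


@dataclass
class IncidentClock:
    incident_id: str
    detected_at: datetime
    aware_at: datetime             # moment the organisation decided it was "aware"
    aware_decided_by: str          # who made the awareness determination
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        self.detected_at = _require_utc(self.detected_at, "detected_at")
        self.aware_at = _require_utc(self.aware_at, "aware_at")
        if self.aware_at < self.detected_at:
            raise ValueError("awareness cannot precede detection")
        for name in ("early_warning_sent", "notification_sent", "final_report_sent"):
            ts = getattr(self, name)
            if ts is not None:
                setattr(self, name, _require_utc(ts, name))

    def deadlines(self) -> Dict[str, datetime]:
        """Derive the three reporting deadlines from the awareness timestamp."""
        notification_due = self.aware_at + NOTIFICATION_WINDOW
        # The final-report clock runs from the incident notification; until that
        # notification is actually sent, plan against the latest it could be sent.
        final_anchor = self.notification_sent or notification_due
        return {
            "early_warning": self.aware_at + EARLY_WARNING_WINDOW,
            "notification": notification_due,
            "final_report": final_anchor + FINAL_REPORT_WINDOW,
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Per-stage status: submitted on time / late, overdue, or time remaining."""
        now = _require_utc(now, "now")
        sent = {
            "early_warning": self.early_warning_sent,
            "notification": self.notification_sent,
            "final_report": self.final_report_sent,
        }
        result: Dict[str, str] = {}
        for stage, due in self.deadlines().items():
            ts = sent[stage]
            if ts is not None:
                result[stage] = "submitted on time" if ts <= due else f"submitted late by {_fmt(ts - due)}"
            elif now > due:
                result[stage] = f"overdue by {_fmt(now - due)}"
            else:
                result[stage] = f"due in {_fmt(due - now)}"
        return result


def sample_incident() -> IncidentClock:
    """Constructed sample incident (not real data): awareness declared 80 minutes after detection."""
    return IncidentClock(
        incident_id="INC-EXAMPLE-001",
        detected_at=datetime(2026, 5, 10, 7, 40, tzinfo=UTC),
        aware_at=datetime(2026, 5, 10, 9, 0, tzinfo=UTC),
        aware_decided_by="incident manager on duty (constructed)",
        early_warning_sent=datetime(2026, 5, 11, 10, 30, tzinfo=UTC),   # 90 minutes late
        notification_sent=datetime(2026, 5, 12, 15, 0, tzinfo=UTC),     # on time
    )


def sample_report() -> Dict[str, Dict[str, str]]:
    """Deadlines (ISO 8601) and stage status for the sample, evaluated at a constructed 'now'."""
    clock = sample_incident()
    now = datetime(2026, 5, 14, 10, 0, tzinfo=UTC)
    return {
        "deadlines": {k: v.isoformat() for k, v in clock.deadlines().items()},
        "status": clock.status(now),
    }


if __name__ == "__main__":
    for section, rows in sample_report().items():
        print(section)
        for stage, value in rows.items():
            print(f"  {stage:15s} {value}")
```

The record deliberately stores the awareness decision and its decision-maker next to the derived deadlines, so an auditor can see both why the clock started when it did and whether each stage was met; a late submission stays visible as "submitted late" rather than being silently accepted.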

Section 5: Avoid common compliance mistakes

The easiest mistakes are treating the EU Directive as a complete local answer, assuming a supplier certificate replaces Article 21 evidence, or failing to connect incident clocks to Member State reporting workflows. Each of those mistakes creates audit and regulator risk.

A resilient compliance file should show what was decided, what was implemented, what evidence proves it, which source controlled the decision, and when the answer must be revisited.

  • Do not cite NIS2 alone when the live obligation depends on national transposition or authority guidance.
  • Do not let annual reviews replace change-triggered reassessment for new services, countries, suppliers, or incidents.
  • Do not rely on policy documents without testing, approvals, remediation records, and operational logs.
  • Do not mix essential-entity and important-entity supervision assumptions without documenting the classification.

Section 6: Implementation checklist

Use this checklist to turn a NIS2 compliance review into an evidence-backed workflow. It is not a substitute for Member State operational guidance, but it helps teams avoid unsupported scope, controls, and reporting decisions.

Store the checklist with the underlying evidence so the next product launch, supplier change, country rollout, or incident review can reuse the decision trail.

What is the first step in a NIS2 compliance review?

Start with entity scoping: decide whether the organization is an essential or important entity, which Annex sector applies, which Member State rules must be checked, and which services are in or out of scope.

What evidence should a NIS2 compliance file keep?

Keep the scope decision, Article 21 control map, management approvals, incident-reporting workflow, supplier security evidence, test results, source citations, and reassessment triggers.

  • Entity scope, sector classification, jurisdiction facts, and exclusions are documented.
  • Article 21 controls are mapped to owners, evidence, tests, exceptions, and remediation tracking.
  • Management-body approval, oversight, escalation, and training evidence is retained.
  • Article 23 incident reporting routes, awareness criteria, timestamps, and final-report workflow are tested.
  • Member State transposition checks and supervisory contacts are recorded for each in-scope country.
  • Supplier security requirements and contract clauses are tied to Article 21 supply-chain evidence.
  • Reassessment triggers cover service, country, supplier, acquisition, incident, and authority changes.

Recommended next step

Build a NIS2 compliance record that survives review

Sorena can help convert NIS2 scope, Article 21 controls, Article 23 reporting, supplier checks, and management approvals into cited answers, owner assignments, and reusable evidence requests.

Primary sources

References and citations
  • eur-lex.europa.eu: primary legal source for the compliance checklist categories used on this page ("cybersecurity risk-management measures").
  • digital-strategy.ec.europa.eu: Commission context for entity classification, supervision, staged reporting, and the need to consider Member State implementation ("essential and important entities").
  • eur-lex.europa.eu: detailed technical and methodological requirements for relevant covered digital-sector entities ("level of security of network and information systems appropriate to the risks").