Answers to recurring NIS2 questions about entity scope, essential versus important classification, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, management-body accountability, registration, and penalties.
Use the cited EU and ENISA sources to turn each answer into an auditable decision record before assigning control owners or reporting workflows.
Structured answer sets in this page tree.
Cited legal and guidance references.
Use this NIS2 FAQ to resolve practical compliance questions with a source, a fact pattern, and an evidence owner. The directive sets the EU framework, but implementation and supervision run through Member State law and competent authorities, so every answer should record the relevant country, sector, service, entity type, supplier dependency, and incident workflow.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
Start with the service and sector, not the company name. NIS2 generally captures medium-sized and large entities that operate in the Annex I sectors of high criticality or Annex II other critical sectors, with special size-independent rules for some entity types.
Do not stop at the size-cap rule. NIS2 also applies regardless of size to entities identified as critical entities under Directive (EU) 2022/2557 and to entities providing domain name registration services, and it treats qualified trust service providers, top-level domain name registries, and DNS service providers as essential entities regardless of size.
No. The Commission describes NIS2 as a framework for 18 critical sectors. In addition to sectors already covered by NIS1, it includes public electronic communications, more digital services, waste and wastewater, critical product manufacturing, postal and courier services, public administration, space, food, chemicals, and research.
No. The general rule focuses on medium-sized and large entities in listed sectors, but the directive includes size-independent categories and allows Member States to identify certain smaller entities where they play a key societal, economic, systemic, cross-border, or regional role.
Essential and important entities are both subject to NIS2 cybersecurity risk-management and reporting obligations. The classification mainly affects supervision and enforcement intensity, and it depends on the sector, entity type, size, and any Member State identification decision.
Article 3 treats certain Annex I large entities and specified digital, communications, public administration, critical-entity, and legacy operator categories as essential. Entities in Annex I or Annex II that are in scope but do not qualify as essential are important entities.
No. Article 21 applies to both essential and important entities. The measures must be appropriate and proportionate to the risk, entity size, likelihood and severity of incidents, and societal and economic impact.
Classification matters because NIS2 differentiates supervision and enforcement. The directive gives competent authorities different supervisory powers for essential entities and important entities, while both can face enforcement and administrative fines for Article 21 or Article 23 infringements.
Article 21 requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage risks to the security of network and information systems and to prevent or minimise incident impact.
The minimum Article 21 topics include risk analysis and information system security policies, incident handling, business continuity and crisis management, supply-chain security, secure acquisition, development and maintenance, effectiveness assessment, cyber hygiene and training, cryptography and encryption where appropriate, human resources security, access control, asset management, multi-factor or continuous authentication where appropriate, secure communications, and emergency communications.
No. Standards and certifications can support evidence, and NIS2 encourages relevant European and international standards, but Article 21 still requires a risk-based and proportionate mapping to the NIS2 measures and the entity's actual services.
Use it for DNS service providers, TLD name registries, cloud computing providers, data centre providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers covered by the regulation.
Article 23 requires essential and important entities to notify the CSIRT or competent authority, without undue delay, of significant incidents. An incident is significant if it has caused or is capable of causing severe operational disruption or financial loss, or if it has affected or is capable of affecting others by causing considerable material or non-material damage.
The reporting sequence is staged: an early warning within 24 hours of becoming aware of the significant incident, an incident notification within 72 hours, intermediate reports if requested, and a final report not later than one month after the 72-hour incident notification. Trust service providers have a special 24-hour rule for significant incidents affecting trust services.
No. The early warning is the first stage and should indicate, where applicable, whether unlawful or malicious acts are suspected or whether the incident could have cross-border impact. The 72-hour notification updates the early warning and adds the initial severity and impact assessment and available indicators of compromise.
Article 23 states that the mere act of notification shall not subject the notifying entity to increased liability. That does not remove the underlying duty to manage the incident, preserve evidence, and comply with national authority instructions.
Article 4 prevents duplicate NIS2 obligations only where a sector-specific Union legal act requires cybersecurity risk-management measures or significant-incident notifications that are at least equivalent in effect to NIS2. If the sector-specific law covers only some entities or some duties, NIS2 continues to apply to the uncovered parts.
The Commission guidance explains that equivalence for risk-management measures should at minimum correspond to, or go beyond, Article 21(1) and (2). For incident reporting, the sector-specific law must give CSIRTs, competent authorities, or single points of contact immediate access to notifications and use reporting requirements at least equivalent to Article 23(1) to (6).
No. DORA is treated as a sector-specific Union legal act for covered financial entities for ICT risk management and major ICT-related incident reporting, but NIS2 coordination mechanisms, national strategies, crisis management frameworks, and information exchange with CSIRTs and single points of contact can still matter.
Keep the sector-specific Union law citation, the mapped NIS2 duty, the equivalence rationale, the covered entities or services, the authority route, and the unresolved NIS2 duties that remain in force.
A useful NIS2 FAQ answer should be more than a plain-language explanation. It should preserve the legal source, the scoped service, the country implementation note, the owner, the control or reporting workflow, and the evidence that proves the decision was implemented.
At minimum, save the sector and service mapping, essential or important classification, Article 21 control mapping, Article 23 reporting route, supplier dependencies, management-body approval trail, training record, registration data owner, review trigger, and the competent authority or CSIRT contact path.
Article 3 list-building information includes the entity name, address, current contact details including email addresses, IP ranges and telephone numbers, the relevant Annex I or II sector and subsector where applicable, and the Member States where in-scope services are provided. Certain Article 27 entities have additional registry information duties.
For infringements of Article 21 or 23, Member States must ensure essential entities are subject to administrative fines with a maximum of at least EUR 10,000,000 or at least 2% of total worldwide annual turnover, whichever is higher. Important entities are subject to a maximum of at least EUR 7,000,000 or at least 1.4% of total worldwide annual turnover, whichever is higher.
Sorena can help turn NIS2 FAQ answers into cited decisions, owner assignments, Article 21 control evidence, Article 23 incident workflow checks, and reusable review triggers.
Ask source-linked questions about NIS2 scope, obligations, reporting, penalties, and evidence using the cited sources on this page.
Review your NIS2 scope decisions, Article 21 control evidence, Article 23 reporting workflow, and unresolved national implementation questions with Sorena.
"name, address and up-to-date contact details"
"sector-specific Union legal acts"
"maximum of at least EUR 10 000 000"
"examples of evidence"
"stronger supervision tools"
"incident is considered to be significant"