FAQEU

EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions

Practical, high-intent answers to NIS2 scope, controls, and reporting.

Use this as a fast orientation, then follow the subpages for implementation details and evidence mapping.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 23, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 23, 2026

Updated Feb 23, 2026

Overview

NIS2 questions are often answered incorrectly because people mix the directive text with national transposition details and sector guidance. This FAQ focuses on accurate baseline answers and the practical implications for your implementation program.

Section 1

Scope and classification

Most search intent is: "Am I in scope?" and "Am I essential or important?" Start here.

Q: Who is in scope? A: Public or private entities of a type in Annex I or II that are at least medium-sized (or above), plus certain regardless-of-size cases (e.g., providers of public electronic communications networks/services, trust service providers, TLD registries and DNS service providers), subject to Directive scope conditions.
Q: What's essential vs important? A: NIS2 distinguishes entity types and uses Member State identification/lists; entities not qualifying as essential under Article 3(1) are treated as important under Article 3(2).
Q: Does being "small" mean out of scope? A: Not always. Certain entity types are in scope regardless of size (e.g., trust service providers; certain digital infrastructure providers).
Q: What if a sector-specific EU act applies? A: Article 4 provides a mechanism where equivalent sector-specific obligations can displace certain NIS2 provisions for the overlapping parts.

Section 2

Article 21 controls (risk management measures)

The most common misunderstanding is treating Article 21 as "policy language". It's a control baseline that must be owned, measurable, and evidenced.

Q: What does Article 21 require? A: Appropriate and proportionate technical, operational, and organisational measures to manage risks and prevent/minimise incident impact.
Q: What are the minimum measures? A: Article 21(2) lists at least a-j measures (risk analysis/policies, incident handling, BC/DR, supply chain security, secure development + vulnerability handling, effectiveness assessment, cyber hygiene/training, cryptography, HR/access/asset management, MFA/secure communications).
Q: Do standards matter? A: Article 21 refers to state-of-the-art and (where applicable) relevant European and international standards; for certain entity types, an implementing regulation provides more prescriptive requirements.
Q: What evidence do we need? A: Control register, test results, audit evidence, supplier assurance records, training records, and incident post-mortems linked back to control improvements.

Section 3

Article 23 incident reporting (24h/72h/1 month)

Reporting obligations fail when teams don't have triage rules and templates ready before an incident happens.

Q: What triggers reporting? A: Incidents that have a significant impact on the provision of services (significant incident).
Q: What is the timeline? A: Early warning within 24h of becoming aware; incident notification within 72h; final report within 1 month after the 72h notification (with intermediate/progress reports as applicable).
Q: Do we have to notify customers/recipients? A: Where appropriate, entities notify recipients of services of significant incidents likely to adversely affect service provision, and communicate measures recipients can take for significant cyber threats.
Q: Who do we report to? A: The CSIRT or (where applicable) competent authority - routes are defined in national transposition and should be validated per Member State.

Section 4

Transposition and enforcement

NIS2 is implemented through Member State transposition and supervision. Your program must be stable across jurisdictions while allowing local overlays.

Q: How do we track transposition? A: Use the Commission's transposition tracker and Member State implementation pages, then validate with national competent authority guidance.
Q: What are the consequences of non-compliance? A: Supervision and enforcement powers include audits, scans, binding instructions, and administrative fines tied to Article 21/23 infringements (Article 34).
Q: What should we do first? A: Scope memo -> classification -> Article 21 control baseline -> Article 23 workflow and templates -> evidence vault and governance cadence.

Recommended next step

Use EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions as a cited research workflow

Research Copilot can take EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Research workflow

Open Research Copilot for EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions

Start from EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions and answer scope, timing, and interpretation questions with cited outputs.

Explore next step

Talk to Sorena

Talk through EU NIS2 Directive (EU) 2022/2555

Review your current process, evidence gaps, and next steps for EU NIS2 Directive (EU) 2022/2555 Frequently Asked Questions.

Explore next step

Primary sources