---
title: "NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-cerc"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-cerc"
author: "Sorena AI"
description: "Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 vs CER"
  - "CER Directive"
  - "Critical Entities Resilience Directive"
  - "NIS2 Article 21"
  - "NIS2 Article 23"
  - "essential entities"
  - "important entities"
  - "NIS2 Directive"
  - "critical entities"
  - "Article 21"
  - "Article 23"
---

# NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience

Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.


## NIS2 vs CER Directive cybersecurity duties and critical-entity resilience

Use this comparison to separate NIS2 cybersecurity obligations from CER critical-entity resilience work, then identify the records that can support both without merging the legal tests.

This comparison is grounded in the NIS2 Directive and in European Commission NIS2 guidance on CER alignment, critical entities, authority cooperation, supervision, incident reporting, and risk-management measures.

NIS2 and the Critical Entities Resilience Directive are linked, but they do different jobs. NIS2 sets cybersecurity risk-management, reporting, governance, supervision, and enforcement duties for essential and important entities, including entities identified as critical under CER. CER is the comparator for critical-entity resilience and non-cyber risk coordination. Use this page to keep the two workstreams connected without treating one evidence pack as a substitute for the other.

## NIS2 vs CER Directive: scope, evidence, and overlap rules

Use the rows below to decide which facts belong to the NIS2 cybersecurity workstream, which facts belong to critical-entity resilience coordination, and which records need both citations.

- **NIS2 Directive**: Cybersecurity duties for covered essential and important entities, including critical entities identified under CER, with risk-management, incident-reporting, management-body, supervision, and enforcement requirements.
- **CER Directive alignment**: Critical-entity resilience context used here only where the NIS2 grounding set supports the comparison: aligned scope, physical and cyber resilience, authority cooperation, and shared risk or incident information.

| Dimension | NIS2 Directive | CER Directive alignment | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | NIS2 covers public or private entities in Annex I and Annex II sectors that meet the size-cap or special-case rules, and it also applies regardless of size to entities identified as critical under CER. | The grounded CER comparison point is critical-entity resilience alignment: Commission guidance says NIS2 and CER are aligned to address physical and cyber resilience of critical entities comprehensively. | Start with NIS2 applicability, then flag any critical-entity designation as both a NIS2 scope trigger and a resilience-coordination item. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Who must act | NIS2 work needs entity leadership, management bodies, security owners, incident-response teams, supplier-risk owners, legal or compliance, and national authority contacts. | CER-facing overlap needs the owner who tracks critical-entity identification, non-cyber risks, resilience facts, and communications with the competent authority responsible for critical entities. | Use one register if helpful, but assign named owners for cybersecurity controls, incident reporting, critical-entity status, and resilience evidence. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Trigger or threshold | NIS2 is triggered by Annex sector coverage, medium-size or larger status unless an exception applies, special-case inclusion, and critical-entity identification under CER regardless of size. | The grounded CER trigger for this page is identification as a critical entity, because NIS2 expressly uses that identification as a scope rule and the Commission describes the two regimes as aligned. | Do not wait for a cybersecurity incident to decide scope; run the NIS2 sector, size, special-case, and critical-entity checks before assigning controls. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Core obligations | NIS2 requires cybersecurity risk-management measures, significant-incident reporting, management-body accountability, supply-chain security attention, registration or notification for some entities, and evidence for supervision. | The grounded comparison is not a full CER obligation list; it is that critical entities may require coordinated treatment of cyber risks, non-cyber risks, threats, incidents, and supervisory information between NIS2 and CER authorities. | Treat NIS2 controls as mandatory cybersecurity work; treat CER-facing items as resilience coordination unless a separate CER source supports a more specific duty. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Evidence and records | Keep NIS2 records for entity classification, Article 21 controls, supplier security, management approval, Article 23 incident notifications, registration, authority requests, and supervision responses. | Keep overlap records for critical-entity identification, resilience and non-cyber risk facts, shared incident information, authority correspondence, and any request to coordinate supervisory activity. | Tag each file before reuse: NIS2 cybersecurity evidence, CER-alignment evidence, or shared evidence that must keep both source citations. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Timing and cadence | NIS2 timing includes national transposition and registration effects plus Article 23 incident reporting steps: early warning, incident notification, intermediate updates where relevant, and final reporting. | The grounded timing point for CER overlap is coordination: authority information exchange and Cooperation Group engagement with the Critical Entities Resilience Group are recurring cooperation mechanisms. | Track NIS2 incident clocks separately from critical-entity coordination cycles and authority requests. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Supervision and enforcement | NIS2 competent authorities supervise essential and important entities, with different supervisory treatment and enforcement powers for the two categories. | For entities identified as critical under CER, NIS2 authorities and CER authorities are expected to inform, cooperate, exchange information, and in some cases coordinate supervisory or enforcement activity. | Prepare separate authority-response material for NIS2 cybersecurity compliance and critical-entity resilience coordination. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Overlap and reuse | NIS2 can reuse service maps, supplier files, incident logs, continuity records, and asset inventories when they prove cybersecurity risk-management or reporting duties. | CER alignment can reuse those same records only for supported critical-entity, physical-resilience, non-cyber risk, incident, or authority-cooperation questions. | Reuse facts, not conclusions: the same incident log may support both workstreams, but the NIS2 reportability decision and the CER resilience question remain separate. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |
| Practical decision rule | If the question is about Annex scope, essential or important entity status, Article 21 controls, Article 23 reporting, management bodies, or NIS2 supervision, route it to the NIS2 workstream. | If the question is about critical-entity designation, physical resilience, non-cyber risk exchange, or CER authority coordination, route it to the resilience owner and keep unresolved CER-only claims flagged until separately sourced. | Create a coordinated work item only when the same entity, service, incident, supplier, or authority request has both a NIS2 citation and a CER-alignment citation. | [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.<br>[European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities. |

Sources for the comparison rows (the same two sources ground every row):

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
  - Quote: "high common level of cybersecurity across the Union"
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.
  - Quote: "physical and cyber resilience of critical entities"

### How should teams decide which workstream owns a NIS2/CER issue?

- Use NIS2 when the issue is cybersecurity scope, Article 21 controls, Article 23 reporting, management-body accountability, registration, supervision, or enforcement.
- Use CER-alignment handling when a critical-entity designation, physical-resilience fact, non-cyber risk, or authority-cooperation request affects the same service.
- Use a joint work item only when the record needs both cyber and resilience owners, and keep the source citations separate.
- Block or escalate CER-only details when the grounding set does not contain a direct CER source for the claim.

Sources for the practical decision rule:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
  - Quote: "high common level of cybersecurity across the Union"
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.
  - Quote: "physical and cyber resilience of critical entities"

## What is the practical difference between NIS2 and CER?

NIS2 is the cybersecurity regime: it applies to covered Annex I and Annex II entities, certain special cases, and entities identified as critical under CER regardless of size. Its operational questions are whether the entity is in scope, which cybersecurity risk-management measures apply, who approves and supervises them, and how significant incidents are reported.

CER is the resilience comparator: the Commission explains that NIS2 and CER are aligned to address physical and cyber resilience of critical entities comprehensively. For planning, that means a critical-entity designation can pull the entity into NIS2 cybersecurity obligations, while CER-facing work still needs resilience, non-cyber risk, and competent-authority coordination records.

- Use NIS2 sources for cybersecurity controls, incident reporting, management-body accountability, and essential or important entity supervision.
- Use the Commission NIS2/CER alignment guidance for shared critical-entity, authority-cooperation, and physical-versus-cyber resilience claims.
- Avoid citing CER-specific obligations unless the supporting source is present in the grounding set; keep those items as legal review questions.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.

## What should the comparison produce?

The useful output is a two-column scoping and evidence record. The NIS2 side should name the Annex or special-case trigger, essential or important entity status, cybersecurity owner, Article 21 control evidence, Article 23 incident-reporting path, and national registration or supervision notes where relevant.

The CER side should stay narrower unless separately grounded: record whether the entity has been identified as critical, which resilience or non-cyber risk facts need a CER authority owner, and which shared incident, service, supplier, or asset facts should be exchanged with the NIS2 workstream.

- Write separate scope conclusions for NIS2 and CER instead of one combined compliance label.
- Tag every record as cybersecurity evidence, critical-entity resilience evidence, or reusable overlap evidence.
- Escalate ungrounded CER-specific claims rather than turning NIS2 guidance into unsupported CER advice.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for NIS2 policy context, covered sectors, cooperation mechanisms, and implementation materials.

## When should teams run this comparison?

Run the comparison when a service may fall in a NIS2 Annex sector, when size-cap or special-case rules are uncertain, when a Member State or customer treats the organisation as critical, or when an incident affects a critical service and may require cross-authority information sharing.

Repeat it when the entity adds a covered service, changes its EU establishment or representative analysis, receives a national registration or authority request, changes a high-risk supplier, or learns that a critical-entity designation affects the same service.

- Inputs: entity legal name, EU countries, service description, Annex sector mapping, size and special-case analysis, authority contacts, critical-service facts, and incident-reporting routes.
- Outputs: separate NIS2 and CER scope notes, shared-risk register tags, owner assignments, source citations, and unresolved legal questions.
- Exclusions: do not infer CER duties, deadlines, or penalties from NIS2 sources alone.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Implementing regulation for technical and methodological cybersecurity risk-management requirements for specified digital providers under NIS2.

## Who should own the overlap evidence?

Security should own NIS2 cybersecurity controls and incident reporting. Legal or public-policy owners should maintain the interpretation of NIS2 scope, critical-entity status, national transposition effects, and competent-authority contacts. Resilience or continuity owners should maintain non-cyber risk and critical-service records when CER-facing facts are present.

A single coordinator can run the register, but the register should preserve regime tags. That prevents a supplier risk file, incident log, continuity plan, or authority email from being reused without checking whether it supports cyber resilience, physical resilience, or both.

- Keep NIS2 Article 21 control evidence separate from continuity and physical-resilience records unless a source supports reuse.
- Record when NIS2 authorities and CER authorities must exchange information about critical entities, risks, threats, incidents, and supervisory activity.
- Track unresolved CER-only details as blocked items until a CER source is available.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.


## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Binding NIS2 text for covered Annex I and II entities, critical entities brought into NIS2 scope, cybersecurity risk-management duties, incident reporting, supervision, and cooperation with CER authorities.
  - Quote: "high common level of cybersecurity across the Union"
- [European Commission NIS2 FAQ - interaction with CER](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ grounding the NIS2/CER relationship: aligned scope, critical entities becoming subject to NIS2 cybersecurity obligations, and cooperation between NIS2 and CER competent authorities.
  - Quote: "physical and cyber resilience of critical entities"
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Commission overview for NIS2 policy context, covered sectors, cooperation mechanisms, and implementation materials.
  - Quote: "NIS2 Directive"
- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Implementing regulation for technical and methodological cybersecurity risk-management requirements for specified digital providers under NIS2.
  - Quote: "technical and methodological requirements"


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-cerc
