
EU NIS2 Directive (EU) 2022/2555 Requirements

Turn NIS2 obligations into owned controls, reporting workflows, and evidence packs.

Focus: Article 20 governance, Article 21 controls, Article 23 reporting, and national overlays.

Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Overview

NIS2 is a management, controls, and reporting system. Use this page as a structured breakdown of what you must implement, what changes for essential versus important entities, and what evidence you should hold so your compliance position is clear under supervision.

Section 1

The three obligations you must implement (most programs fail by missing one)

NIS2 combines governance, risk management controls, and incident reporting into one system. If any leg is weak, the program collapses during incidents or audits.

  • Governance under Article 20: management bodies approve the cybersecurity measures, oversee implementation, follow training, and may face liability under national law.
  • Controls under Article 21: technical, operational, and organisational measures that are appropriate and proportionate, including the listed measures in Article 21(2)(a) to (j).
  • Reporting under Article 23: early warning within 24 hours, incident notification within 72 hours, final report within 1 month, plus recipient communications where relevant.

Section 2

Scope and classification drive what "good" looks like (essential vs important; sector overlays)

Your implementation must be scoped per legal entity and per service. Classification affects supervision intensity, enforcement expectations, and how quickly you need to close gaps.

  • Run an applicability test based on Annex I or Annex II, size-cap logic, and regardless-of-size triggers, then document the outcome in a scope memo.
  • Determine whether the entity is essential or important under Article 3 and record how that changes your supervisory posture.
  • Check Article 4 overlap with sector-specific Union acts and keep the equivalence analysis in the scope file.
  • If you are in a category covered by Implementing Regulation (EU) 2024/2690, apply that act as a more prescriptive layer on top of Article 21 and Article 23.

Section 3

Evidence mapping (requirement -> evidence artefacts you should have)

Supervision powers include requests for documented policies and evidence, audits, and scans. Build an "evidence pack" that can be produced quickly and confidently.

  • Article 20: management approval minutes, oversight cadence, training records, and governance RACI.
  • Article 21: control register mapping Article 21(2)(a) to (j), risk assessments, supplier assurance evidence, restore tests, and vulnerability management records.
  • Article 23: significant incident decision log, 24h and 72h templates, final report template, submission records, and recipient communications playbook.
  • Transposition overlays: competent authority and CSIRT route map, portal details, and any national add-ons to scope or enforcement.

Recommended next step

Turn EU NIS2 Directive (EU) 2022/2555 Requirements into an operational assessment

Assessment Autopilot can turn these EU NIS2 Directive (EU) 2022/2555 requirements into assigned actions and a reusable workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Section 4

Program architecture (a model that scales beyond "compliance sprint")

Build your NIS2 program like an operating system: recurring risk cycles, recurring control tests, recurring training, and recurring reporting drills.

  • Quarterly: risk assessment updates for critical services, supplier reviews, and management review of control KPIs.
  • Monthly: vulnerability management metrics, patch SLA performance, backup/restore checks, access review completion.
  • Per incident: post-incident review feeding into Article 21 improvements and management reporting.
  • Annually: security audit/certification posture review, crisis simulations, and evidence pack refresh.