NIS2 Frequently Asked Questions: Expert Answers for CISOs
About These FAQs
The NIS2 Directive (EU) 2022/2555 raises fundamental questions for CISOs, compliance officers, and executive leadership across regulated sectors. The following answers are based on the Directive text as published in the Official Journal, supplemented by ENISA guidance and emerging national transposition practice.
These FAQs cover the most common questions we encounter from compliance teams implementing NIS2. For detailed treatment of specific topics, refer to the dedicated guides on NIS2 requirements, incident reporting, and the compliance checklist available in this framework collection.
Frequently Asked Questions
Who does NIS2 apply to?
NIS2 applies to entities that qualify as medium-sized or large under Commission Recommendation 2003/361/EC (the size-cap rule) and that operate in one of the 18 sectors listed in Annex I (sectors of high criticality) and Annex II (other critical sectors). In practice that means 50 or more employees, or an annual turnover and annual balance sheet total above EUR 10 million. Certain entity types are in scope regardless of size: DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks or publicly available electronic communications services. Member states may also bring additional entities into scope based on national risk assessment (Article 2(2)).
What are the NIS2 penalties?
NIS2 establishes maximum administrative fine ceilings: for essential entities, up to EUR 10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities, up to EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. These are ceilings. Actual fine levels are set by national competent authorities based on the nature, gravity, and duration of the infringement, the damage caused, previous infringements, and cooperation with the authorities. Member states may also impose periodic penalty payments to compel compliance.
Can management body members be held personally liable?
Yes. Article 20(1) requires member states to ensure that management bodies approve the cybersecurity risk-management measures taken to comply with Article 21, oversee their implementation, and can be held liable for infringements of that Article by the entity; Article 20(2) adds a duty to undergo cybersecurity training. These are obligations of the management body itself and cannot be delegated away. For essential entities, Article 32 also allows competent authorities, where other enforcement measures prove ineffective, to request a temporary prohibition on a CEO or legal representative exercising managerial functions. The exact form of personal liability depends on national transposition, and some member states may implement stricter provisions. This is one of the most consequential changes from NIS1.
How does NIS2 relate to DORA?
DORA (Regulation (EU) 2022/2554) is lex specialis to NIS2 for financial entities regarding ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management. Under Article 4 of NIS2, where a sector-specific EU act requires entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect, the corresponding NIS2 provisions (including supervision and enforcement of those obligations) do not apply. Financial entities subject to DORA therefore do not implement the equivalent NIS2 requirements a second time, but they should confirm at the level of each obligation that DORA actually covers it; NIS2 continues to apply wherever DORA provides no equivalent coverage.
Does NIS2 apply to non-EU companies?
Yes, NIS2 reaches entities established outside the EU. Under Article 26, entities not established in the Union that offer certain services within it must designate a representative in one of the member states where the services are offered and comply with NIS2 obligations there. This applies to: DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, CDN providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines, or social networking platforms. Designating a representative does not transfer the entity's own obligations or shield it from enforcement action.
Do SMEs need to comply with NIS2?
Generally, NIS2 applies to medium-sized enterprises and above (50+ employees or EUR 10M+ turnover). Micro and small enterprises below these thresholds are typically excluded. However, critical exceptions exist: entities providing DNS services, TLD registry services, trust services, or public electronic communications are in scope regardless of size. SMEs that are sole providers of a service essential for critical societal or economic activities in a member state may also be designated in scope. Additionally, member states can extend NIS2 to specific smaller entities based on national risk assessment.
Is ISO 27001 certification sufficient for NIS2 compliance?
ISO 27001 provides a strong foundation and covers many NIS2 requirements — risk assessment methodology, access control, incident management, business continuity, supplier relationships, and cryptographic controls. However, ISO 27001 alone does not satisfy all NIS2 obligations. Key gaps include: mandatory external incident reporting to CSIRTs with 24h/72h timelines (ISO 27001 focuses on internal incident management), management body personal liability provisions, specific supply chain security assessment factors (Art. 21(3)), and sector-specific requirements from national transposition. A formal gap analysis mapping ISO 27001 Annex A controls to NIS2 Art. 21(2) measures is recommended as a starting point.
What is the NIS2 incident reporting timeline?
NIS2 Article 23(4) establishes a staged reporting timeline for significant incidents: (1) an early warning within 24 hours of becoming aware of the incident, indicating where applicable whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact; (2) an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; (3) intermediate reports on request of the CSIRT or competent authority; (4) a final report not later than one month after the incident notification was submitted, containing a detailed description, the type of threat or root cause, mitigations applied and ongoing, and any cross-border impact. If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled. Trust service providers are subject to a shorter deadline: the incident notification is due within 24 hours of awareness for significant incidents affecting their trust services. Note that the one-month clock runs from the notification, not from the moment of awareness.
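The following deadline tracker is an added example, not code from the page or any vendor product, that turns the Article 23 timeline into something an incident-response playbook can compute. It assumes that "one month" means one calendar month (with the day clamped at month end), that all timestamps are timezone-aware UTC, and that the incident timestamps in the demo are constructed; the function and field names are this example's own.

```python
"""Deadline tracker for NIS2 Article 23 significant-incident reporting.

Added example, not from the page or any product. Assumptions:
- "one month" is read as one calendar month (day clamped at month end);
- timestamps are timezone-aware UTC datetimes;
- the demo timestamps at the bottom are constructed, not a real incident.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


def add_one_month(ts: datetime) -> datetime:
    """Add one calendar month; 31 Jan becomes 28/29 Feb (interpretation, not Directive text)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


@dataclass(frozen=True)
class Art23Deadlines:
    early_warning: datetime            # Art. 23(4)(a): 24 h from awareness
    incident_notification: datetime    # Art. 23(4)(b): 72 h (24 h for trust service providers)
    final_or_progress_report: datetime  # Art. 23(4)(d): one month after the notification is filed
    final_report_if_ongoing: Optional[datetime]  # Art. 23(4)(e): one month after handling ends


def art23_deadlines(
    aware_at: datetime,
    *,
    trust_service_provider: bool = False,
    notification_filed_at: Optional[datetime] = None,
    handling_completed_at: Optional[datetime] = None,
) -> Art23Deadlines:
    """Compute the reporting deadlines for one significant incident."""
    notif_window = timedelta(hours=24) if trust_service_provider else timedelta(hours=72)
    early = aware_at + timedelta(hours=24)
    notif = aware_at + notif_window
    # The one-month clock runs from the notification actually submitted, not from
    # awareness. Until it is filed, project from the latest lawful filing time.
    clock_start = notification_filed_at or notif
    final_or_progress = add_one_month(clock_start)
    # If handling is still ongoing when that date arrives, only a progress report is
    # due then; the final report follows one month after handling completes.
    final_if_ongoing = None
    if handling_completed_at is not None and handling_completed_at > final_or_progress:
        final_if_ongoing = add_one_month(handling_completed_at)
    return Art23Deadlines(early, notif, final_or_progress, final_if_ongoing)


def overdue_stages(deadlines: Art23Deadlines, filed: Dict[str, datetime], now: datetime) -> List[str]:
    """Stages whose deadline has passed without a timely filing (late filings count as overdue)."""
    due = {
        "early_warning": deadlines.early_warning,
        "incident_notification": deadlines.incident_notification,
        "final_or_progress_report": deadlines.final_or_progress_report,
    }
    if deadlines.final_report_if_ongoing is not None:
        due["final_report"] = deadlines.final_report_if_ongoing
    return [name for name, when in due.items()
            if now > when and (name not in filed or filed[name] > when)]


if __name__ == "__main__":
    # Constructed scenario: awareness on 30 Jan, early warning filed, notification not yet filed.
    aware = datetime(2025, 1, 30, 10, 0, tzinfo=UTC)
    d = art23_deadlines(aware)
    filed = {"early_warning": datetime(2025, 1, 31, 9, 0, tzinfo=UTC)}
    print(d)
    print("overdue at 3 Feb:", overdue_stages(d, filed, datetime(2025, 2, 3, tzinfo=UTC)))
```

The deliberate design choice is that `final_or_progress_report` is projected from the latest lawful notification time until the notification is actually filed, and recomputed from the real filing time afterwards; filing early shortens the final-report window, which teams often miss. Check your national transposition and CSIRT guidance for how "one month" is counted before relying on the calendar-month reading.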
What sectors are covered by NIS2?
NIS2 covers 18 sectors across two Annexes. Annex I (sectors of high criticality): energy (electricity, district heating, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II (other critical sectors): postal and courier services, waste management, chemicals, food production/processing/distribution, manufacturing (medical devices, electronics, electrical equipment, machinery, vehicles, other transport equipment), digital providers (marketplaces, search engines, social networks), and research organisations.
How does national transposition affect my obligations?
NIS2 is an EU Directive, meaning it must be transposed into national law by each member state. The Directive sets a minimum floor, but member states can adopt stricter requirements. National transposition determines: the exact scope of entities classified as essential or important, additional sector-specific requirements beyond the Directive minimum, the structure and powers of national competent authorities and CSIRTs, the detailed penalty regime within the Directive's ceilings, and specific governance and reporting procedures. You should review your member state's transposition law to understand jurisdiction-specific obligations beyond the Directive text.
What is the role of CSIRTs under NIS2?
Computer Security Incident Response Teams (CSIRTs) are the primary operational contact point for incident reporting and response under NIS2. Each member state must designate or establish one or more CSIRTs. CSIRTs (or, where a member state so decides, the competent authority) receive incident notifications from in-scope entities, respond to an early warning without undue delay and where possible within 24 hours with initial feedback and, on request, guidance on mitigation, offer technical assistance, coordinate with other member states' CSIRTs for cross-border incidents through the CSIRTs Network, act as coordinators for coordinated vulnerability disclosure, and share threat intelligence. Entities should establish their CSIRT relationship, including the notification channel and contact details, before an incident occurs.
Can my organisation be audited under NIS2?
Yes. National competent authorities have broad supervisory powers under NIS2. For essential entities (Art. 32), authorities can conduct: regular and ad hoc security audits, on-site and off-site inspections, targeted security scans, requests for evidence and information, and access to data and documents needed for supervision. These are ex-ante powers — authorities can audit proactively without waiting for an incident. For important entities (Art. 33), supervision is ex-post — generally triggered by evidence of non-compliance. However, competent authorities can still conduct inspections and audits when justified.
What is the difference between essential and important entities?
The classification determines the supervisory regime and the penalty ceiling. Essential entities (Article 3(1)) include large enterprises in Annex I sectors (250 or more employees, or annual turnover above EUR 50 million and balance sheet total above EUR 43 million), plus designated types regardless of size: qualified trust service providers, TLD name registries, and DNS service providers. Providers of public electronic communications networks or services are essential if they are at least medium-sized, and central government public administration entities are essential as well; member states may also designate further entities as essential. Essential entities face ex-ante supervision (proactive audits and inspections) and fines of up to EUR 10 million or 2% of worldwide turnover, whichever is higher. Important entities are all other in-scope entities that are not essential: medium-sized entities in Annex I sectors and medium-sized or large entities in Annex II sectors. They face ex-post supervision (triggered by evidence of non-compliance) and fines of up to EUR 7 million or 1.4% of worldwide turnover, whichever is higher.
How should supply chain security be managed under NIS2?
Article 21(2)(d) requires security measures addressing relationships with direct suppliers and service providers. Article 21(3) specifies assessment factors: supplier-specific vulnerabilities, overall product quality and cybersecurity practices including secure development procedures, and coordinated EU-level supply chain risk assessments. In practice, this requires: supplier risk assessment during due diligence, contractual security clauses, continuous monitoring of supplier posture, incident notification requirements in supplier contracts, and response procedures for supply chain compromise scenarios. MSPs and MSSPs are themselves in scope of NIS2, creating cascading obligations.
What cybersecurity measures does NIS2 require?
Article 21(2) lists ten measures that must at least be covered, under an all-hazards approach: (a) policies on risk analysis and information system security, (b) incident handling, (c) business continuity (such as backup management and disaster recovery) and crisis management, (d) supply chain security, (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure, (f) policies and procedures to assess the effectiveness of the measures, (g) basic cyber hygiene practices and cybersecurity training, (h) policies and procedures on the use of cryptography and, where appropriate, encryption, (i) human resources security, access control policies and asset management, and (j) the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems. All ten must be addressed; implementation depth follows the proportionality principle in Article 21(1), taking into account the entity's exposure to risk, its size, the likelihood of incidents, and their severity, including societal and economic impact.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
Automate NIS2 Compliance with FortisEU
Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.