Organisations that supply goods or services to direct suppliers of NIS2-obligated entities. Basic compliance measures apply.
Organisations that directly supply NIS2-obligated entities. Stricter requirements apply, including documented risk assessments and measures to protect shared data and services.
Full NIS2 obligations apply. The highest level of documented management measures is required.
Organisations must conduct their own risk assessments and take appropriate, documented measures to protect the services they provide and the information they handle. A verbal assurance is not sufficient. ISOPlanner™ includes a pre-configured risk register with all NIS2 management measures in place, so every control is tracked, documented, and available to regulators on request.


Incidents that significantly disrupt essential services must be reported to the competent supervisory authority and the CSIRT within 24 hours of detection. A complete notification follows within 72 hours, and a final report within one month. ISOPlanner™ includes an incident response workflow that tracks every phase and generates the required reporting evidence.
Organisations in scope are supervised by an independent regulator. The goal of the directive is to harmonise cybersecurity accountability across EU member states and their supply chains. ISOPlanner™ stores all compliance documentation in SharePoint, where regulators can review evidence directly without manual export or preparation.


NIS2 compliance builds a solid foundation for ISO 27001. The risk assessments, documented controls, and supplier oversight you put in place for NIS2 directly map to ISO 27001 requirements. ISOPlanner™ automatically links NIS2 management measures to ISO 27001 controls, so when you are ready to certify, your existing implementation carries forward.
01. What is the difference between essential and important entities under NIS2?
NIS2 Article 3 divides in-scope organisations into two categories. Essential entities operate in critical sectors such as energy, transport, banking, health, and digital infrastructure. Important entities cover a broader set including postal services, waste management, food production, and digital providers. Essential entities face stricter supervision and higher maximum fines (up to €10M or 2% of global turnover). Important entities are subject to reactive supervision and lower maximum fines (€7M or 1.4%). ISOPlanner™ helps document the classification and governance obligations for either category.
02. What security measures does NIS2 Article 21 require?
Article 21 requires appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These include policies on risk analysis, incident handling, business continuity, supply chain security, secure development practices, cybersecurity training, and multi-factor authentication. ISOPlanner™ maps each Article 21 requirement to your risk register and control framework so every measure is tracked and evidenced.
03. What are the NIS2 incident reporting timelines?
NIS2 Article 23 introduces a three-stage reporting timeline. An early warning must reach the national CSIRT or competent authority within 24 hours of detecting a significant incident. A full incident notification with initial assessment follows within 72 hours. A final report with root cause analysis, impact, and applied mitigations is due within one month. ISOPlanner™ includes an incident response workflow that tracks each stage and generates the required notification records.
04. How does NIS2 address supply chain security?
Article 21 explicitly requires organisations to assess and manage cybersecurity risks from their supply chain and supplier relationships. This includes evaluating the security practices of direct suppliers and service providers, and considering how vulnerabilities in third-party products or services could affect your own security posture. ISOPlanner™ provides a supplier register and assessment template to document and monitor third-party security obligations under NIS2.
05. What are the penalties for NIS2 non-compliance?
NIS2 imposes significant administrative fines. Essential entities can be fined up to €10 million or 2% of total global annual turnover, whichever is higher. Important entities face maximum fines of €7 million or 1.4% of global turnover. Beyond financial penalties, NIS2 also introduces personal liability for senior management who fail to implement required security measures. ISOPlanner™ helps document governance accountability to reduce management exposure.
06. How does NIS2 relate to ISO 27001?
ISO 27001 and NIS2 are highly complementary. The security measures required by NIS2 Article 21 closely mirror the technical and organisational controls in ISO 27001 Annex A. Organisations with a certified ISO 27001 management system are well-positioned to meet NIS2 obligations, since ISO 27001 audit evidence can directly support NIS2 compliance demonstrations. ISOPlanner™ cross-maps NIS2 Article 21 requirements to ISO 27001 Annex A controls so a single evidence base serves both frameworks.
07. Which sectors fall within NIS2 scope?
NIS2 covers a much broader set of sectors than its predecessor. Highly critical sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (cloud, data centres, DNS, trust services), public administration, and space. Additional critical sectors include postal services, waste management, chemicals, food production, medical device manufacturing, and digital providers such as online marketplaces, search engines, and social networks.