What is NIS2?
NIS2 (Directive (EU) 2022/2555) is the European Union's updated network and information security directive, transposed into national law by each Member State. It widens the scope of the original NIS directive to many more sectors and sets harmonised obligations on risk management, incident reporting and supervision across all Member States.
Organisations are classified as essential or important entities. Both must implement appropriate technical and organisational measures, report significant incidents, and put their management bodies on the hook — directors can be held personally accountable for non-compliance.
What NIS2 requires
Management accountability (Art. 20)
10 minimum measures (Art. 21)
Incident reporting (Art. 23)
Supply-chain security
NIS2 with ResiPlan
ResiPlan maps the NIS2 articles into an actionable maturity assessment, tracks your 24h/72h incident-notification workflow, and keeps board-ready evidence of every measure.
Because NIS2 overlaps heavily with ISO 27001 and the national baselines, ResiPlan reuses your existing assessments — cross-mapping fills the equivalent controls automatically.
Frequently asked questions
Who is in scope for NIS2?
Medium and large organisations in 18 sectors (energy, transport, banking, health, digital infrastructure, public administration and more), classified as essential or important entities.
What are the NIS2 reporting deadlines?
An early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month.
Can directors be held liable under NIS2?
Yes. Article 20 makes management bodies responsible for approving and overseeing cybersecurity measures; sanctions and personal accountability apply for non-compliance.
How does NIS2 relate to ISO 27001?
The NIS2 measures map closely to ISO 27001 Annex A. In ResiPlan an ISO 27001 assessment auto-fills the equivalent NIS2 requirements through cross-mapping.