NIS2

NIS2 Directive (EU) 2022/2555

NIS2 is the EU directive on cybersecurity for essential and important entities. It expands the scope of NIS1 and introduces stricter security requirements and incident reporting obligations.

Key requirements

What NIS2 requires.

  • Risk management and cybersecurity policies
  • Incident handling and reporting (within 24h/72h/1 month)
  • Business continuity and crisis management
  • Supply chain security
  • Access control and multi-factor authentication

EU Network and Information Security Directive

How Acuna helps

NIS2 across all four panes.

Comply

Map NIS2 articles to your organizational scope and define applicable security measures.

Implement

Implement and evidence all required cybersecurity measures across affected systems.

Operate

Manage incident response plans, business impact analysis (BIA) for critical services, and supply chain risk.

Assure

Track incident reports, KPIs, and prepare evidence for competent authority reviews.

FAQ

Common questions about NIS2.

Which organizations must comply with NIS2?

NIS2 applies to essential entities (energy, transport, banking, health, water, digital infrastructure) and important entities (postal, waste, chemicals, food, manufacturing, digital providers) with 50+ employees or EUR 10M+ turnover in the EU.

What are the NIS2 incident reporting deadlines?

NIS2 requires an early warning within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month.

How does Acuna support NIS2 supply chain requirements?

Acuna's integrated Supplier Shield module manages third-party risk assessments and continuous monitoring, directly addressing NIS2 Article 21 supply chain security obligations.

Can Acuna map NIS2 controls to ISO 27001?

Yes. NIS2 and ISO 27001 have significant overlap. Acuna's cross-framework mapping reuses controls across both frameworks without duplicated work.

What is the difference between NIS2 essential and important entities?

Essential entities face stricter supervision including proactive audits. Important entities face reactive supervision triggered by incidents or complaints. Both must implement the same security measures under Article 21.

Related answers

Questions practitioners ask.

What is NIS2 and who does it apply to?

NIS2 (Directive (EU) 2022/2555) is the EU directive on cybersecurity for essential and important entities. It expands the scope of NIS1, introduces stricter security requirements under Article 21, and mandates incident reporting within 24 hours (early warning), 72 hours (notification), and one month (final report). Essential entities include energy, transport, banking, health, water, and digital infrastructure. Important entities cover postal, waste, chemicals, food, manufacturing, and digital providers with 50+ employees or EUR 10M+ turnover. Acuna maps NIS2 articles to controls, manages supply chain risk, and tracks incident reporting deadlines.

See how Acuna handles NIS2.

Get access and our team will walk you through the NIS2 implementation in Acuna.
