Who is subject to NIS2?

NIS2 applies to medium and large organisations operating in 18 critical sectors, including energy, transport, banking, healthcare, digital infrastructure, and managed service providers. Some sectors have lower size thresholds. KaitoSec's classification wizard helps you confirm whether your organisation is in scope.

What are the fines for non-compliance with NIS2?

Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of global turnover. Beyond financial penalties, management can be temporarily banned from leadership roles.

What does the 24-hour incident reporting requirement mean in practice?

Within 24 hours of becoming aware of a significant incident, you must submit an early warning to your national competent authority or CSIRT. A detailed report follows within 72 hours, and a final report within one month. KaitoSec automates deadline tracking and provides structured report templates for each stage.

How does NIS2 relate to ISO 27001?

ISO 27001 certification does not automatically demonstrate NIS2 compliance, but there is significant overlap in security controls. KaitoSec maintains a cross-mapping so organisations with an existing ISMS can identify NIS2 gaps without duplicating work.

Does NIS2 apply to companies outside the EU?

NIS2 applies to any organisation providing services within the EU, regardless of where the organisation is headquartered. Non-EU entities providing services to EU customers in scope sectors must appoint an EU representative and comply with the Directive.

KaitoSec

NIS2 Directive

NIS2 is in force. Security measures, continuity, and a chain of evidence.

NIS2 Article 21 calls for security measures, business continuity, supply chain oversight and 24-hour incident reporting, with personal liability for management. KaitoSec runs all of it on one data model with the ISMS, BCMS, DSMS and AIMS.

Book a Demo Explore Platform

Sectors covered

Incident reporting window

0M€+

Maximum fine under NIS2

Management Liability Protection

NIS2 holds senior management personally accountable for cybersecurity failures. KaitoSec creates an auditable trail of board-level security approvals, risk acceptance decisions, and policy sign-offs that demonstrates active governance.

24-Hour Incident Reporting

NIS2 requires a preliminary incident report to the competent authority within 24 hours and a full report within 72 hours. KaitoSec's incident response module guides teams through structured reporting steps with pre-filled templates and deadline tracking.

Supply Chain Security Oversight

Essential and important entities must assess the security posture of their suppliers. KaitoSec's vendor management module runs automated questionnaires, tracks supplier risk ratings, and flags high-risk third parties before they become a liability.

NIS2 controls reused across BCMS, ISMS and DSMS

Article 21 calls for risk analysis, incident handling, business continuity, supply chain security, and policies for data protection. KaitoSec implements each control once, then maps it into the BCMS, ISMS and DSMS where the substance overlaps. An ISO 22301 BC exercise is also a NIS2 continuity evidence; an ISMS access policy is also a NIS2 measure. One control, every audit it belongs in.

NIS2 Obligation Dashboard

A single view of all NIS2 Article 21 security measures mapped to your organisation, from access control and encryption to business continuity and supply chain hygiene. Each obligation shows ownership, evidence status, and remediation timeline. The dashboard tracks your progress across all NIS2 Art. 21 obligations, including business continuity and crisis management.

Incident Response Playbooks

Pre-built response playbooks guide your team through detection, containment, and regulatory notification steps. KaitoSec automatically calculates reporting deadlines from the moment an incident is logged.

Sector Classification Wizard

NIS2 distinguishes between essential and important entities across 18 sectors, each with different obligations. KaitoSec's onboarding wizard identifies your classification and filters the requirement set to exactly what applies to you.

Business Continuity & Crisis Management

NIS2 Article 21 explicitly requires business continuity measures, including backup management, disaster recovery, and crisis management. KaitoSec maps these obligations to structured workflows: run your BIA, define recovery strategies, build BC plans, and manage crisis escalation. Every measure links back to your NIS2 obligation tracking, so you can demonstrate compliance at any point.

Built on open catalogs: BSI, MITRE, OWASP, ENISA

ISO 27001

ISO 22301

BSI IT-Grundschutz

NIST CSF

GDPR / DSGVO

SOC 2

NIS2

DORA

FAQ

Related platform features

Risk Management Business Continuity Compliance Mapping Reporting

NIS2 is in force. Security measures, continuity, and a chain of evidence.

Management Liability Protection

24-Hour Incident Reporting

Supply Chain Security Oversight

NIS2 controls reused across BCMS, ISMS and DSMS

NIS2 Obligation Dashboard

Incident Response Playbooks

Sector Classification Wizard

Business Continuity & Crisis Management

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal

NIS2 is in force. Security measures, continuity, and a chain of evidence.

Management Liability Protection

24-Hour Incident Reporting

Supply Chain Security Oversight

NIS2 controls reused across BCMS, ISMS and DSMS

NIS2 Obligation Dashboard

Incident Response Playbooks

Sector Classification Wizard

Business Continuity & Crisis Management

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal