Talk to a security advisor — a free 30-minute review
AlphaCISO®
Contact us
All servicesService

NIS2 Directive

Resilience for essential and important entities.

When the directive applies to you — and why the board now owns it

Directive (EU) 2022/2555 replaced the 2016 NIS Directive, with a national transposition deadline of 17 October 2024. It widens scope dramatically across energy, transport, banking, health, digital infrastructure, ICT service management, public administration, manufacturing, food, and more, splitting in-scope organisations into two tiers — "essential" and "important" entities — that face the same baseline obligations but different supervisory regimes.

What changed is not only the breadth but the accountability. Management bodies must approve and oversee risk-management measures and can be held personally liable, so this is a board-level matter, not an IT housekeeping task.

How we work

  • Scope first. We determine whether you are essential or important, in which member states, and where transposition has actually landed.
  • Measure the gap. We assess you against the Article 21 measures — policies, incident handling, business continuity, supply-chain security, and crypto.
  • Build the reporting muscle. We stand up workflows for the 24-hour early warning, 72-hour notification, and the final report within one month.
  • Brief the board. We equip the management body to evidence its oversight to national CSIRTs and competent authorities.

For APAC and India-based firms in scope

If you operate in, or supply services into, the EU, NIS2 can reach you through the activities of your European establishments or customers. We help firms headquartered in APAC and India interpret their exposure and build one program that satisfies EU supervisors without duplicating effort at home.