Hard2bit
Directive (EU) 2022/2555 (NIS2)

NIS2 readiness: technical controls, evidence and governance.

We help reduce operational exposure and management risk. We implement Article 21 technical and governance measures with focus on essential/important entities and supply-chain security.

Essential and Important Entities

NIS2 generally covers medium and large organizations in critical sectors, and may extend obligations through contracts and the supply chain.

High-Criticality Sectors (Essential)

  • Energy (Electricity, Oil, Gas)
  • Transport (Air, Rail, Maritime)
  • Banking and Financial Market Infrastructures
  • Healthcare
  • Drinking Water and Waste Water
  • Digital Infrastructure (Cloud, Data Centers)
  • Public Administration

Other Critical Sectors (Important)

  • Postal and Courier Services
  • Waste Management
  • Manufacture and Distribution of Chemicals
  • Food Production and Processing
  • Manufacturing (Electronics, Machinery)
  • Digital Providers (Marketplaces, Search Engines)

Enforcement and accountability

Accountability: management body

The goal isn’t “paper compliance”: it’s governance, oversight and evidence. We implement traceability (requirement → control → evidence → review) to demonstrate due diligence.

Penalties: fines and supervisory measures

NIS2 provides for significant penalties and supervisory actions, with exact application depending on national transposition. Real mitigation comes from operational controls, evidence and incident readiness.

24h: early warning (indicative)

You need real detection and response capabilities to report significant incidents within demanding timelines (e.g., 24h/72h), with traceable evidence.

Technical readiness strategy (Art. 21)

Governance and Oversight

Management-body training, clear roles, policies and a measurable cybersecurity risk-management system.

Incident Management

Detect, contain and communicate: operational capability to report significant incidents (24h/72h) and deliver a final report.

Supply-Chain Security

Third-party risk: vendor assessments, contractual requirements, SLAs, controls and defensible evidence.

Cyber Hygiene & Zero Trust

IAM, strong MFA, hardening, segmentation and least-privilege for critical assets.

Cryptography & Encryption

Data protection in transit and at rest, key management and verifiable controls.

Business Continuity

BCP/DR, backups (incl. immutability where relevant), testing and crisis management with evidence.

NIS2 FAQ

What does management-body accountability mean in practice?

NIS2 strengthens accountability: the management body must approve and oversee risk-management measures. The practical approach is governance + metrics + periodic reviews + evidence (not just documents) to demonstrate due diligence.

How should incident reporting be implemented?

You need an operational workflow that supports staged reporting within demanding timelines (commonly 24h/72h), plus a final report. The key is detection, triage, containment and traceable reporting with an auditable trail.

What penalties can apply under NIS2?

NIS2 provides for significant penalties and supervisory measures, with exact application depending on national transposition. Real mitigation comes from operational controls, evidence, third-party governance and incident readiness.

Where should we start?

Start with a technical + governance gap assessment: confirm your essential/important classification, map Article 21 measures, assess third parties, and build a risk-based roadmap with quick wins and evidence.

Does it make sense to rely on an external CISO for NIS2?

Yes, especially when the organization falls within NIS2's scope and doesn't yet have a dedicated internal security leader. A virtual CISO (vCISO) service brings governance, board-level reporting, risk management, incident-response coordination, supply-chain security and continuity — precisely the areas NIS2 requires you to demonstrate.

How does NIS2 relate to DORA, ISO 27001 and ENS?

DORA is lex specialis for the financial sector — where it applies, it takes precedence over NIS2 for the digital operational resilience topics it regulates. ISO 27001 provides a reusable ISMS baseline and ENS applies in the Spanish public sector. The four are compatible if you design a single traceable evidence line. Details in the ENS vs ISO 27001 vs NIS2 vs DORA comparison.

Do NIS2 and PCI DSS apply at the same time?

They can. When an essential or important entity under NIS2 also stores, processes or transmits cardholder data (common for large e-commerce, digital service providers, banks and PSPs), both apply. NIS2 governs cyber risk at the organization level; PCI DSS v4.0.1 adds the specific control set required inside the CDE (cardholder data environment). A coordinated evidence programme can serve both frameworks.

Are you ready for NIS2?

Don’t leave readiness to generalists. Hard2bit delivers engineering and execution to prove controls, reporting and response.

Request an NIS2 Gap Assessment