EU · Mandatory · Critical sectors

Available for beta

NIS2 — the EU's updated network and information security directive. Broader scope. Stricter obligations. Board-level accountability.

786 Cyber generates the incident response, business continuity, and supply chain security policies required by NIS2 — and maps them to your other frameworks automatically.

Applies to: EU critical infrastructure  ·  Healthcare, energy, transport, water  ·  Digital infrastructure providers

The EU's expanded cybersecurity directive — extending mandatory obligations to a significantly broader set of organisations.

NIS2 (Network and Information Security Directive 2) replaced the original NIS Directive in January 2023 and significantly expanded the scope of mandatory cybersecurity obligations across the EU. It covers essential entities (healthcare, energy, transport, water, banking, financial market infrastructure, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, chemicals, research, and digital providers).

NIS2 introduces personal liability for senior management, 24-hour incident notification obligations, mandatory supply chain security requirements, and significant penalties for non-compliance — up to €10 million or 2% of global turnover for important entities, and €20 million or 4% for essential entities.

NIS2 compliance has real commercial and legal consequences.

The cost of NIS2 non-compliance

Personal liability for leadership: NIS2 introduces personal liability for senior management — including CEOs and board members — for cybersecurity failures. This is a significant shift from previous frameworks where only the organisation bore liability.

24-hour incident notification breach: NIS2 requires initial notification within 24 hours of a significant incident, with full notification within 72 hours. Without documented processes, meeting these deadlines is practically impossible.

Supply chain exclusion: NIS2 essential entities must ensure their suppliers meet equivalent security standards. Businesses without NIS2-aligned documentation risk exclusion from critical infrastructure supply chains across the EU.

What NIS2 compliance delivers

Critical infrastructure access: NIS2 compliance is the entry requirement for supplying into EU critical infrastructure sectors — healthcare, energy, transport, and financial services supply chains that represent significant commercial value.

Board-level security governance: NIS2's personal liability provisions have driven security governance to board level in many EU organisations. Documented compliance demonstrates that leadership has taken their obligations seriously.

Alignment with GDPR and DORA: NIS2 shares significant overlap with GDPR and DORA. 786 Cyber's tagging system means controls implemented for NIS2 progress these frameworks simultaneously.

"NIS2 is the first European cybersecurity directive to hold individual executives personally accountable for security failures. For leadership teams, documented compliance is no longer optional — it is personal risk management."

786 Cyber generates your NIS2 policy suite — incident response, business continuity, and supply chain security — and tracks your compliance progress.

🧭

AI Compliance Wizard

6-step assessment identifies your gaps, prioritises actions, and produces a clear NIS2 roadmap in minutes.

📝

Auto-generated policies

All policies required for NIS2 generated and pre-populated with your organisation's context — ready to publish.

🏷️

Cross-framework tagging

NIS2 controls tagged to related frameworks — implement once, progress across multiple frameworks simultaneously.

📊

Progress tracking

Visual progress rings show your NIS2 completion percentage and what actions remain before certification.

📋

Audit trail & evidence vault

Every control implementation logged automatically. Evidence compiled and ready when needed.

👥

Role-based access & team management

Assign Admin, Security Lead, or Viewer roles. Monthly summaries keep leadership informed of compliance progress.

Start your NIS2 journey today.

Run the Compliance Wizard free — get your personalised roadmap in under 10 minutes.