Region: EU · Category: Policy & Process

NIS2

NIS2 Directive (EU) 2022/2555


10 controls · 1 domain
Mandatory for: in-scope essential and important entities

About this framework

NIS2 (Directive (EU) 2022/2555) is the EU directive that raises cybersecurity requirements for essential and important entities. It replaces the 2016 NIS Directive (2016/1148), extends coverage to more sectors, and adds a mandatory set of risk-management measures (Article 21), staged incident-reporting deadlines (Article 23: 24-hour early warning, 72-hour notification, final report within one month), and direct accountability of management bodies for approving and overseeing those measures (Article 20). Member states had to transpose it into national law by 17 October 2024.

Who needs this

Applies to medium and large organisations operating in the sectors listed in Annex I (high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and Annex II (other critical sectors such as postal services, waste management, chemicals, food, manufacturing, digital providers and research). Some entities, such as DNS service providers, TLD name registries and qualified trust service providers, are in scope regardless of size.

Cross-framework coverage

Controls in NIS2 also map to controls in:

NIST CSF 12 shared
CIS Controls 12 shared
NCA ECC-2 12 shared
Qatar NIA 12 shared
UAE IA 12 shared


Control domains

Article 21(2) Risk-Management Measures (art21) · 10 controls

21.2.a · Risk analysis & information system security policies
Policies on risk analysis and on the security of network and information systems.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · NCA CCC

21.2.b · Incident handling
Incident handling, including prevention, detection and response to incidents.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

21.2.c · Business continuity
Business continuity, such as backup management and disaster recovery, and crisis management.
Mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS

21.2.d · Supply chain security
Supply-chain security, including security-related aspects of the relationships between the entity and its direct suppliers or service providers.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

21.2.e · Security in acquisition, development & maintenance
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

21.2.f · Effectiveness assessment
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · NCA CCC

21.2.g · Cyber hygiene & training
Basic cyber-hygiene practices and cybersecurity training.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

21.2.h · Cryptography & encryption
Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · DORA

21.2.i · HR security, access control & asset management
Human-resources security, access-control policies and asset management.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · DORA

21.2.j · Multi-factor authentication & secured communications
Use of multi-factor or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
Mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · ISO 27001 · GDPR (EU) · UK GDPR · NCA CCC · SAMA CSF
