The NIS2 Directive (EU 2022/2555) stopped being a future problem the moment the transposition deadline passed in October 2024. By now, national supervisors across the EU have moved from awareness campaigns to actual audits, and the penalty ceilings are real: up to 10 million EUR or 2 percent of global turnover for essential entities, with management bodies personally accountable for approving and overseeing the measures.
The most common failure mode we see is treating NIS2 as a legal reading exercise. It is not. Article 21 of the directive is, underneath the legislative prose, a control catalog — and almost everything in it maps to work an engineering team already knows how to do. The gap is rarely capability; it is translation and evidence.
First, confirm whether you are actually in scope
Annex I covers essential sectors — energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, space. Annex II covers important entities — postal services, waste, chemicals, food, manufacturing of critical products, and digital providers. The size-cap rule generally pulls in organizations with 50 or more employees or over 10 million EUR turnover, but there are carve-outs: DNS providers, TLD registries, and trust service providers are in scope regardless of size.
Even if you fall outside direct scope, you are probably in indirect scope. NIS2 obliges covered entities to manage supply chain risk, which means their security requirements flow down to you contractually. If your customers are hospitals, banks, or energy companies, expect NIS2-shaped questionnaires either way.
Article 21 is a control catalog in disguise
The ten minimum measures translate cleanly:
- ▸Risk analysis and information security policies: this is an ISMS. If you already run ISO 27001, you have most of the skeleton.
- ▸Incident handling: detection tooling, a triage process, and runbooks with named owners — not a PDF policy.
- ▸Business continuity and crisis management: tested backups, documented recovery time objectives, and at least one real restore exercise per year.
- ▸Supply chain security: a supplier register with criticality ratings and security clauses in contracts, reviewed on renewal.
- ▸Secure development and vulnerability handling: an SDLC with dependency scanning, a patching cadence, and a coordinated disclosure channel.
- ▸Cryptography, MFA, and access control: an encryption policy you can defend, phishing-resistant MFA on anything privileged, and access reviews that actually run.
The reporting clock is an architecture requirement
NIS2 imposes a three-stage regime for significant incidents: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Those numbers have engineering consequences. Severity classification must be agreed before an incident, not negotiated during one. Detection latency now has regulatory weight — if your mean time to detect is measured in days, the 24-hour clock expires before you know it started. On-call needs the authority to trigger notification without waiting for a Monday steering committee, and notification templates should be drafted, reviewed by legal, and stored where the incident commander can find them at 3 a.m.
Management liability changes the budget conversation
NIS2 makes management bodies responsible for approving cybersecurity risk measures and requires them to undergo training. For engineers, this is an unusual gift: an executive audience with a legal reason to listen. Frame gaps in the language of Article 21 obligations and reporting deadlines, and long-deferred items — asset inventory, log retention, DR testing — suddenly get sponsorship.
A pragmatic sequence for the next two quarters:
1. Get a written scope determination with legal counsel — essential, important, or indirect via customers. 2. Run a gap assessment against ISO 27001:2022 Annex A, which covers most Article 21 ground and doubles as certification prep. 3. Build the asset inventory first; you cannot classify or report incidents on systems you cannot enumerate. 4. Write the incident runbook with regulator timers embedded and pre-approved notification templates. 5. Stand up the supplier register and add security flow-down clauses at contract renewal. 6. Automate evidence collection and establish a quarterly board reporting cadence.
The business case goes beyond avoiding fines. NIS2 work compounds: the same asset inventory, incident process, and supplier register feed ISO 27001 certification, DORA obligations if you touch financial services, and every enterprise security questionnaire your sales team will see this year. Organizations that treat the directive as a one-time legal project will redo the work for each regime; those that build it as an engineering system will answer the next regulation with artifacts they already have.
