NIS2 explained: obligations, entities and deadlines
NIS2 is EU Directive 2022/2555 on the security of network and information systems. It requires essential and important entities to adopt security measures and to notify significant incidents to the national CSIRT: an early warning within 24 hours, a notification within 72 hours, a final report within 30 days. Penalties reach EUR 10 million or 2% of turnover. It is transposed into national law by each member state.
What changes with NIS2
NIS2 significantly broadens the set of entities covered compared with NIS1 and raises the bar: stricter security measures, accountability placed on management bodies, and notification obligations with precise deadlines. Each EU member state transposes it into national law.
Two categories of entity
The directive distinguishes essential entities (proactive supervision, higher penalties) from important entities (reactive supervision). The category depends on sector and company size.
The obligations in practice
Two families: risk management measures (monitoring, detection, response, continuity, supply chain) and notification of significant incidents to the national CSIRT on the 24h/72h/30d schedule. The operational part is covered by a continuously staffed service: Fortgale compliance advisory.
Essential vs important entities
| | Essential | Important |
|---|---|---|
| Example sectors | Energy, transport, health, finance, digital infrastructure | Postal, waste, chemicals, food, manufacturing, research |
| Max penalty | EUR 10M or 2% of turnover | EUR 7M or 1.4% of turnover |
| Supervision | Proactive (ex ante) | Reactive (ex post) |
In Operation Storming Tide the Fortgale team contained an intrusion and collected the evidence useful for notification: continuous monitoring and the ability to document an incident are exactly what NIS2 requires.
Read the analysis →
Frequently asked questions
Who is covered by NIS2?
Essential and important entities in the sectors set by the directive (energy, transport, health, finance, digital infrastructure, manufacturing, space, water, waste, public administration), generally medium and large organisations. The qualification is verified with the national competent authority.
What are the NIS2 notification deadlines?
An early warning within 24 hours, a full notification within 72 hours, a final report within 30 days, to the national CSIRT.
Is the NIS2 notification the same as the data protection one?
No. NIS2/CSIRT concerns the security incident; the notification to the data protection authority (GDPR art. 33) concerns personal data. A ransomware case with data exfiltration can trigger both. See data breach GDPR.
How do you become NIS2 compliant?
With risk management measures (monitoring, detection, response, governance) and notification capability. A managed SOC/MDR covers the operational part: 24·7 monitoring, IOC collection and support for notifications.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale compliance advisory.
Related resources: Data breach GDPR · What is a SOC
A technical conversation, not a funnel.
Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.