NIS2 explained: obligations, entities and deadlines

In short

NIS2 is EU Directive 2022/2555 on the security of network and information systems. It requires essential and important entities to adopt security measures and to notify significant incidents to the national CSIRT: an early warning within 24 hours, a notification within 72 hours, a final report within 30 days. Penalties reach EUR 10 million or 2% of turnover. It is transposed into national law by each member state.

What changes with NIS2

NIS2 significantly broadens the set of entities covered compared with NIS1 and raises the bar: stricter security measures, accountability placed on management bodies, and notification obligations with precise deadlines. Each EU member state transposes it into national law.

Two categories of entity

The directive distinguishes essential entities (proactive supervision, higher penalties) from important entities (reactive supervision). The category depends on sector and company size.

The obligations in practice

Two families of obligations: risk management measures (monitoring, detection, response, continuity, supply chain) and notification of significant incidents to the national CSIRT on the 24h/72h/30d schedule. The operational part is covered by a continuous service: Fortgale compliance advisory.

Comparison

Essential vs important entities

Example sectors
  Essential: Energy, transport, health, finance, digital infrastructure
  Important: Postal, waste, chemicals, food, manufacturing, research

Max penalty
  Essential: EUR 10M or 2% of turnover
  Important: EUR 7M or 1.4% of turnover

Supervision
  Essential: Proactive (ex ante)
  Important: Reactive (ex post)

Field-observed proof · a real incident

In Operation Storming Tide the Fortgale team contained an intrusion and collected the evidence useful for notification: continuous monitoring and the ability to document an incident are exactly what NIS2 requires.

FAQ

Frequently asked.

Who is covered by NIS2?

Essential and important entities in the sectors set by the directive (energy, transport, health, finance, digital infrastructure, manufacturing, space, water, waste, public administration), generally medium and large organisations. The qualification is verified with the national competent authority.

What are the NIS2 notification deadlines?

An early warning within 24 hours, a full notification within 72 hours, a final report within 30 days, to the national CSIRT.

Is the NIS2 notification the same as the data protection one?

No. NIS2/CSIRT concerns the security incident; the notification to the data protection authority (GDPR art. 33) concerns personal data. A ransomware case with data exfiltration can trigger both. See data breach GDPR.

How do you become NIS2 compliant?

With risk management measures (monitoring, detection, response, governance) and notification capability. A managed SOC/MDR covers the operational part: 24·7 monitoring, IOC collection and support for notifications.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale compliance advisory.

Related resources: Data breach GDPR · What is a SOC

Want to go deeper with an analyst?

A technical conversation, not a funnel.

Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.

Response time: < 1 business day.