NIS2 Compliance, made clear in 15 minutes

Free 15-minute consultation

In a free, no-obligation call with a local Trustlinks specialist, we’ll discuss whether the NIS2 EU Directive is likely to apply to your organisation and what compliance typically involves. The conversation is informational only and does not constitute legal advice.

Annelie Demred, CEO Whistlelink & Trustlinks.

Annelie Demred

Compliance specialist, Trustlinks

+46 (0)706 838288
annelie.demred@trustlinks.com

THE NIS2 DIRECTIVE IN BRIEF

What is the NIS2 Directive?

The NIS2 Directive (EU) 2022/2555 is the European Union’s updated cybersecurity law. It massively expands the scope of the original NIS Directive, covering far more sectors and company sizes,  and raises the bar on risk management, incident reporting, supply-chain security and management accountability. EU member states were required to transpose NIS2 into national law by 17 October 2024, and national authorities are now actively enforcing it.

WHO IS IN SCOPE

Does NIS2 apply to your organisation?

NIS2 splits in-scope organisations into two tiers – Essential and Important entities, generally covering medium and large companies (50+ employees or €10M+ turnover) in the sectors below. Some critical providers are in scope regardless of size.

Essential entities Highest oversight & strictest fines
Important entities Risk-based supervision, post-incident enforcement
WHAT NIS2 REQUIRES

The six pillars of NIS2 compliance

Article 21 of the directive sets minimum risk-management measures every in-scope organisation must implement, proportionate to its size, exposure and the likelihood of incidents.

Risk management measures

Policies on risk analysis, system security, cryptography, access control, MFA, and secure development – proportionate to the risks faced.

Incident reporting (24h / 72h / 1 month)

Early warning within 24 hours, full incident notification within 72 hours, and a final report within one month to your national CSIRT.

Supply-chain security

Assess and manage cybersecurity risks across direct suppliers and service providers, not just your own perimeter.

Governance & accountability

Management bodies must approve cybersecurity measures, oversee implementation, and undergo regular training. Personal liability applies.

Business continuity

Backup management, disaster recovery, and crisis-management procedures, all tested regularly.

Vulnerability handling & disclosure

Coordinated processes for receiving, triaging and remediating vulnerabilities in your products and services.

THE COST OF INACTION

Penalties for non-compliance

NIS2 introduces some of the toughest cybersecurity penalties in the EU, and personal accountability for senior management.

Essential entitiesUp to €10,000,000

or 2% of global annual turnover

Important entitiesUp to €7,000,000

or 1.4% of global annual turnover

Management bodies can be held personally liable for breaches, including temporary bans from leadership roles in serious cases.

FREQUENTLY ASKED

NIS2 questions, answered

Does NIS2 apply to my company?

If your organisation operates in one of the listed essential or important sectors and has at least 50 employees or €10M turnover, NIS2 is likely to apply — and the size threshold is waived for some critical providers (e.g. DNS, top-level domain registries, public administration). A 15-minute call is a good way to talk this through, though a definitive determination should be confirmed with qualified legal counsel.

NIS2 covers far more sectors (about 15 vs 7), removes the member-state discretion that led to inconsistent NIS scoping, introduces stricter incident-reporting timelines, requires supply-chain risk management, and adds personal liability for senior management with significantly higher fines.

An early warning to your national CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours (including an initial assessment), and a final report within one month.

Up to €10 million or 2% of global annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities. Senior managers can also face personal sanctions, including temporary management bans.

NIS2 entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. National enforcement is now active across the EU.

NIS2 doesn’t mandate a specific framework, but ISO 27001 (and equivalents) cover the majority of NIS2 risk-management requirements and make compliance significantly easier to demonstrate. Trustlinks maps your existing controls to NIS2 articles for you.

An initial compliance setup typically takes several months depending on your organisation’s size and maturity. Gap assessment takes 2–4 weeks; remediation and evidence collection is the larger investment. But NIS2 compliance isn’t a one-time checkbox – it’s continuous work embedded in your organisation’s operations. Trustlinks centralises everything from gap assessment and risk analysis to supplier management and evidence collection in one platform, so you stay in control at every stage.

We discuss whether NIS2 is likely to be in scope for your organisation, talk through the entity tier that may apply, surface common gap areas, and outline what a realistic compliance roadmap can look like. It’s an informational conversation — not legal advice — and there’s no sales pressure. For a binding determination of your obligations, we recommend consulting qualified legal counsel.

READY WHEN YOU ARE

Get clarity on NIS2 in 15 minutes, for free.

Talk to a local Trustlinks specialist. No prep needed,  bring your questions and we’ll discuss where you may stand and what next steps typically look like. Informational only; not legal advice.

This consultation is informational and does not constitute legal advice or create a client relationship. For a binding assessment of your obligations, please consult qualified legal counsel.

Annelie Demred, CEO Whistlelink & Trustlinks.

Annelie Demred

Compliance specialist, Trustlinks

+46 (0)706 838288
annelie.demred@trustlinks.com

Trustlinks logo white.

Talk to Sales

Have questions about pricing, frameworks, or how Trustlinks fits your organisation? Our team is here to help you find the right approach.

→ Or explore our Frequently Asked Questions

Get Product Support

Need help using the platform or experiencing an issue? Our support team is ready to assist you.

Contact us

Book a meeting

Send us a message and our team will get back to you shortly.