
Getting Started with NIS2

The NIS2 Directive (EU 2022/2555) expands EU cybersecurity obligations to a much wider range of sectors than the original NIS Directive. Member states were required to transpose NIS2 into national law by October 17, 2024. If you are an essential or important entity, you are now subject to enforceable cybersecurity requirements — including mandatory incident reporting and potential personal liability for management. Matproof maps NIS2 requirements to a set of controls, policies, and incident workflows so you can demonstrate compliance to your national competent authority (NCA).
Activate NIS2 under Settings → Frameworks → NIS2. Your control set will be pre-populated and mapped to the 10 minimum security measures under Article 21.

Am I in Scope?

NIS2 distinguishes two tiers of entities:

Essential Entities (EE)

Subject to proactive supervision and higher penalties (up to €10M or 2% of global annual turnover, whichever is higher):
  • Energy (electricity, oil, gas, hydrogen, district heating and cooling)
  • Transport (air, rail, water, road)
  • Banking (credit institutions)
  • Financial market infrastructures
  • Health (hospitals, laboratories, pharma manufacturers)
  • Drinking water supply and distribution
  • Wastewater collection, disposal, and treatment
  • Digital infrastructure (DNS, TLDs, cloud computing services, data centres, CDNs, trust services, IXPs, electronic communications networks and services)
  • ICT service management (MSPs, MSSPs)
  • Public administration (central government)
  • Space

Important Entities (IE)

Subject to reactive supervision (lower penalties — €7M or 1.4% of global annual turnover, whichever is higher):
  • Postal and courier services
  • Waste management
  • Chemicals manufacturing and distribution
  • Food production and distribution
  • Manufacturing (medical devices, computer/electronic products, electrical equipment, machinery, motor vehicles, other transport equipment)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research

Size thresholds apply: medium enterprises (50+ employees or €10M+ turnover) or large enterprises (250+ employees or €50M+ turnover) in these sectors are in scope. Smaller entities may be in scope if they are sole providers of critical services. Note: medium-sized entities in Annex I sectors are generally classified as Important entities, while large entities (250+ employees) in Annex I sectors are classified as Essential entities.

The 10 NIS2 Minimum Security Measures

Article 21 requires essential and important entities to implement these 10 measures:

| # | Measure | Matproof Module |
|---|---|---|
| 1 | Policies on risk analysis and information system security | Policies, Risk Management |
| 2 | Incident handling | Incidents |
| 3 | Business continuity (BCP, DR, crisis management) | Policies, Controls |
| 4 | Supply chain security (ICT product/service security) | Vendor Risk |
| 5 | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | Controls |
| 6 | Policies to assess the effectiveness of cybersecurity measures | Audit Programs |
| 7 | Basic cyber hygiene practices and cybersecurity training | People, Policies |
| 8 | Policies and procedures on cryptography and encryption | Policies, Controls |
| 9 | Human resources security, access control policies, asset management | People, Controls |
| 10 | Multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems | Controls, Evidence |

Management Accountability

NIS2 introduces management accountability with potential personal liability. Governing bodies:

  • Must approve cybersecurity risk management measures
  • Are liable for infringements by the entity
  • Must undergo cybersecurity training

The scope of personal liability depends on the national transposition of the Directive.

Document management sign-off on your NIS2 risk management measures and policies. Matproof tracks policy approvals with timestamps — this is your evidence that management has approved and reviewed the program.

Step 1 — Determine your entity classification and NCA

Identify whether you are an essential entity or an important entity based on your sector and size. Register with your national competent authority (NCA) — most member states require self-registration. Check your national NIS2 transposition law for deadlines and registration requirements.

Document your entity classification in Settings → Organization.

Step 2 — Conduct a risk assessment

NIS2 Article 21(1) requires risk management measures proportionate to the risks. Start with a formal risk assessment:

  • Go to Risk Management → New Risk Assessment
  • Assess risks to your network and information systems
  • Include supply chain risks (ICT vendors and service providers)
  • Score each risk and assign treatment plans
  • Document your risk acceptance criteria

The risk assessment is the foundation for the policies you generate next.

Step 3 — Generate NIS2 policies

Go to Policies → Generate and generate the NIS2 policy set. Key policies to prioritize:

  • Information Security Policy
  • Incident Response Policy
  • Business Continuity and Disaster Recovery Policy
  • Supply Chain Security Policy
  • Cryptography and Encryption Policy
  • Access Control Policy
  • Cybersecurity Training Policy

Assign each policy to a member of the management body as owner — this documents management accountability.

Step 4 — Configure the Incidents module

NIS2 incident reporting requirements are strict:

| Report Type | Deadline | Recipient |
|---|---|---|
| Early warning | 24 hours after becoming aware of a significant incident | National CSIRT or NCA |
| Incident notification | 72 hours | National CSIRT or NCA |
| Final report | 1 month after the incident notification | National CSIRT or NCA |

If the incident is still ongoing when the final report is due, submit a progress report instead, then a final report within one month of handling the incident.

  • Go to Incidents → Settings and configure your NIS2 incident classification criteria
  • Define what constitutes a “significant incident” for your sector
  • Set up escalation workflows so the right people are alerted within 24 hours
  • Document your CSIRT/NCA contact details

The 24-hour early warning obligation is stricter than most other frameworks. Do not wait for a full investigation — the early warning only requires that you are aware of the incident and its basic nature.

Step 5 — Map and assess your supply chain

NIS2 Article 21(2)(d) specifically requires supply chain security. This is one of the most operationally demanding requirements.

  • Go to Vendor Risk and import or add all ICT vendors and service providers
  • Classify each vendor by criticality to your network and information systems
  • Send a NIS2 Supplier Assessment to critical vendors
  • Review vendors’ own security practices and policies
  • Document exit plans for critical single-source providers

Step 6 — Complete Article 21 controls

Work through the NIS2 control set in Controls → NIS2:

  • For each of the 10 minimum measures, link the relevant policies and evidence
  • Controls for human resources (Measure 9) should link to records in the People module
  • Controls for MFA and access (Measure 10) should be backed by integration evidence from your identity provider

Step 7 — Cybersecurity training

NIS2 requires cybersecurity awareness training for all staff and specialized training for management.

  • Go to People → Training
  • Assign cybersecurity awareness training to all employees
  • Assign a management-level cybersecurity briefing to your governing body
  • Track completion and link records as evidence against the relevant control

Step 8 — Audit and ongoing monitoring

  • Go to Audit Programs → New Audit → NIS2
  • Run an internal audit against the 10 measures
  • Document findings as Corrective Actions
  • Set a recurring schedule — an annual audit is the minimum for most entities

Incident Reporting Quick Reference

| Trigger | Timeline | Action |
|---|---|---|
| Significant incident detected | T+0 | Classify the incident, initiate internal escalation |
| Within 24 hours | T+24h | Send early warning to NCA/CSIRT (whether a suspected unlawful or malicious cause, whether cross-border impact is possible) |
| Within 72 hours | T+72h | Send incident notification (updated assessment, indicators of compromise) |
| Within 1 month | T+1 month | Send final report (root cause, remediation, lessons learned) |

If the incident is still ongoing when the final report is due, submit a progress report instead, then a final report within one month of handling the incident.

Use the Incidents module to track the timeline, auto-generate draft notifications, and attach evidence to each report.
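To make the reporting clock concrete, here is an added example (not Matproof code) that computes each report's due time from the moment you become aware of a significant incident and tells you which report is outstanding next, including the progress-report case for incidents still ongoing at the final-report deadline. It assumes "one month" is a calendar month and that the final-report clock runs from when the incident notification was sent (falling back to the 72-hour deadline); timestamps are ISO 8601 strings.

```python
"""NIS2 incident-reporting deadline tracker (added example, not Matproof code).

Deadlines as on this page: early warning 24h after becoming aware, incident
notification 72h, final report one month after the incident notification;
if still ongoing then, a progress report is due instead and the final report
one month after the incident is handled. Assumed: "one month" is a calendar
month; the final-report clock starts when the notification was sent (or at
the 72h deadline if not yet sent). Timestamps are ISO 8601 strings.
"""
from __future__ import annotations
import calendar
from datetime import datetime, timedelta


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_schedule(aware_at: str, notification_sent_at: str | None = None,
                       handled_at: str | None = None) -> dict[str, str]:
    """Due time of each report for an incident you became aware of at aware_at."""
    t0 = datetime.fromisoformat(aware_at)
    notification_due = t0 + timedelta(hours=72)
    sent = datetime.fromisoformat(notification_sent_at) if notification_sent_at else notification_due
    final_due = add_months(sent, 1)
    handled = datetime.fromisoformat(handled_at) if handled_at else None
    schedule = {"early_warning": t0 + timedelta(hours=24), "incident_notification": notification_due}
    if handled is None:
        # Not yet handled: whether a final or a progress report is due is decided on that day.
        schedule["final_or_progress_report"] = final_due
    elif handled <= final_due:
        schedule["final_report"] = final_due
    else:
        # Still ongoing at the deadline: progress report, then final one month after handling.
        schedule["progress_report"] = final_due
        schedule["final_report"] = add_months(handled, 1)
    return {name: due.isoformat() for name, due in schedule.items()}


def next_report(aware_at: str, now: str, submitted: set[str], **when: str) -> tuple[str, str, bool] | None:
    """First report not yet submitted as (name, due, overdue), or None if all are in."""
    current = datetime.fromisoformat(now)
    for name, due in reporting_schedule(aware_at, **when).items():
        if name not in submitted:
            return name, due, current > datetime.fromisoformat(due)
    return None
```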

Key Differences from NIS1

If you were already compliant with the original NIS Directive:

| Area | NIS1 | NIS2 |
|---|---|---|
| Scope | 7 sectors | 18 sectors |
| Notification deadline | "Without undue delay" | 24h early warning + 72h notification |
| Management liability | No | Yes — personal liability |
| Supply chain | Recommended | Mandatory measure |
| Penalty | National law | Up to €10M / 2% of global turnover |
| Enforcement | Reactive | Proactive for essential entities |

Next Steps

  • Incidents — configuring NIS2-compliant incident classification and multi-stage reporting
  • Vendor Risk — supply chain security assessments and monitoring
  • People Module — employee training records and access management
  • Risk Management — risk assessments proportionate to your sector