NIS 2 Directive Requirements: Complete Guide to EU Cybersecurity Obligations

Management bodies (boards, C-suite) must approve cybersecurity risk management measures adopted under Article 21 and oversee their implementation. Management cannot fully delegate this responsibility — they must maintain active oversight and can be held personally liable for infringements.

Members of management bodies must undergo cybersecurity training to gain sufficient knowledge to identify risks, evaluate cybersecurity practices, and oversee the implementation of measures. Similar training should be offered to all employees on a regular basis.

You must establish comprehensive policies covering risk analysis and the security of your network and information systems. These policies must be documented, approved by management, communicated to relevant personnel, and reviewed regularly.

You must establish procedures for preventing, detecting, and responding to cybersecurity incidents. This includes classification criteria, escalation procedures, containment and eradication processes, and post-incident review. The procedures must align with Article 23 reporting obligations.

You must implement business continuity management including backup management, disaster recovery, and crisis management procedures. Plans must be documented, tested regularly, and cover scenarios relevant to your critical services.

You must address security in your supply chain, including security-related aspects of relationships with direct suppliers and service providers. This means assessing supplier cybersecurity practices, including security requirements in contracts, and monitoring supplier compliance on an ongoing basis.

You must include security throughout the lifecycle of network and information systems from acquisition through development and ongoing maintenance. This includes vulnerability handling and disclosure processes for discovered vulnerabilities.

You must have policies and procedures to assess whether your cybersecurity risk management measures are effective. This includes regular testing, audits, and evaluation of whether controls are achieving their intended outcomes.

You must implement basic cyber hygiene practices (patching, password management, secure configuration) and provide cybersecurity training for all personnel. Training must be regular and cover topics relevant to each employee role and exposure.

You must establish policies and procedures for the use of cryptography and, where appropriate, encryption. This covers data at rest, data in transit, and key management practices.

You must implement human resources security measures, access control policies, and asset management procedures. This includes background checks, access provisioning based on least privilege, regular access reviews, and secure offboarding procedures.

You must use multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems where appropriate within the organization.

You must submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident. The early warning must indicate whether the incident is suspected to be malicious and whether it could have cross-border impact.

You must submit an incident notification within 72 hours of awareness, updating the early warning with an initial assessment of severity and impact, indicators of compromise, and mitigation measures taken. This provides authorities with actionable information about the incident scope.

You must submit a final report within one month of the incident notification containing a detailed description, root cause analysis, mitigation measures applied, and cross-border impact assessment. If the incident is ongoing, a progress report is due at one month with a final report due after resolution.