Mandatory · lawEuropean UnionEUv2022/2555

NIS2

NIS2 Directive (EU 2022/2555)

The EU directive raising the baseline for cybersecurity risk management and incident reporting across critical sectors. Article 21 sets the minimum security measures; Article 23 sets incident reporting timelines.

Official source ↗

Who it applies to

Essential & important entitiesEUCritical sectors

Medium and large organizations operating in critical sectors across the EU — energy, transport, health, banking, digital infrastructure, public administration, water, waste and more — classified as 'essential' or 'important' entities.

Article 21 — Risk-management measures

Art. 21(2)(a) Risk analysis and information system security policies
Establish policies on risk analysis and information system security as a foundation of the security programme.
16 mapped
Art. 21(2)(b) Incident handling
Implement processes to prevent, detect, analyse and respond to security incidents.
13 mapped
Art. 21(2)(h) Cryptography and encryption
Adopt policies and procedures on the use of cryptography and, where appropriate, encryption.
15 mapped
Art. 21(2)(i) Access control and asset management
Apply human-resources security, access control policies and asset management.
16 mapped

Article 23 — Reporting

Art. 23 Reporting obligations
Notify the CSIRT or competent authority of significant incidents — an early warning within 24 hours and a fuller notification within 72 hours.
13 mapped