NIS-2 Directive
Cybersecurity for Critical Infrastructures

The NIS-2 Directive creates a uniform, mandatory minimum standard for cybersecurity, risk and incident management in the EU. The goal is to establish a high common level of security for network and information systems – for more resilient digital infrastructures.


What is NIS-2?

Directive (EU) 2022/2555 replaces the original NIS Directive and establishes harmonized requirements for cybersecurity, risk and incident management. A unified framework for the European single market – from risk management to reporting obligations to supervision and sanctions.

Scope & Affected Entities

NIS-2 distinguishes between essential entities and important entities. Cloud and IT service providers like ayedo explicitly fall within the addressee scope.

Essential Entities

Critical sectors with the highest requirements. Energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure (cloud, DNS, data centers, CDN). Public administrations. Companies above the SME threshold. Intensive supervision.

Important Entities

Indirectly critical actors. Smaller or less systemically relevant organizations in the same sectors. Proportionally reduced but still mandatory requirements. Supervision on risk basis.

Cloud & IT Service Providers

Explicitly included. Cloud computing service providers, data centers, CDN operators, managed service providers, managed security services, trust service providers. ayedo falls into this category as a managed service/cloud platform provider.

Thresholds & Size Classes

According to EU SME definition. Essential entities: usually over 250 employees or €50M revenue. Important entities: below that, but systemically relevant. National authorities can adjust thresholds. Proportionality for smaller actors.

Governance & Responsibility

Art. 20 anchors cybersecurity as a management duty. Management bodies must approve and oversee risk management measures and can be held personally liable.

Board Responsibility

Board bears ultimate responsibility. Approval of cybersecurity measures, oversight of implementation, budget release. Personal liability for gross negligence. NIS-2 makes cyber resilience a board-level issue – analogous to DORA.

Mandatory Training

Awareness at all levels. Boards must complete cybersecurity training. Regular security awareness programs for all employees. Specialized training for IT/security teams. Documentation/evidence obligation.

Oversight & Reporting

Continuous board updates. Regular reports on security posture, incidents, measure effectiveness. KPIs/KRIs for cyber resilience. Audit trails for decisions. Demonstrable governance structures.

Security & Risk Management Measures

Art. 21 defines minimum requirements for technical, operational and organizational measures. These must be state-of-the-art, proportionate to risk and cover the entire lifecycle.

Risk Analysis & Security Concepts

Continuous assessment. Systematic threat analysis, risk assessment of assets/processes, documented security concepts. Consider supply chains, third parties, technological developments. Annual reviews mandatory.

Incident Handling

Procedures for detection, reporting, response. Structured processes for detection, triage, escalation, remediation. Incident response plans, playbooks, defined responsibilities. Integration with CSIRTs and authorities. 24h/72h/1M reporting path.

Business Continuity

BCP, backup, recovery. Business continuity planning, disaster recovery, tested backups, redundancy. RTO/RPO targets defined and demonstrated. Emergency and crisis management plans. Annual tests with documentation.

Supply Chain Security

Supply chain risk management. Contractual protection of sub-providers, auditing, assessment of cybersecurity practices. Consider specific vulnerabilities. Due diligence processes. Vendor risk register.

Secure Development & Maintenance

Secure-by-design principles. Secure software development (SSDLC), vulnerability management, CVE scanning, patch management. Code reviews, SAST/DAST. Change management with audit trails.

Effectiveness Assessment

Regular audits & tests. Internal/external security audits, penetration tests, red team exercises. Vulnerability assessments. Effectiveness proof of measures. Continuous improvement based on findings.

Cyber Hygiene & Training

MFA, least privilege, awareness. Multi-factor authentication mandatory, principle of least privilege, access controls. Security awareness training for all. Phishing simulations. Password policies.

Cryptography & Key Management

Encryption & key management. Use of state-of-the-art cryptography (TLS 1.3+, AES-256), secure key storage, rotation, separation of keys and data. Customer-managed keys where possible.

Personnel Security & Access Control

Roles, rights, reviews. RBAC/ABAC models, segregation of duties, background checks for critical roles. Joiner/mover/leaver processes. Privileged access management (PAM). Audit logs for all access.

MFA & Secure Communication

Authentication & emergency comms. Strong authentication for all systems, encrypted communication channels (email, chat, VoIP). Emergency communication plans with redundant channels. Out-of-band verification for critical actions.

Supply Chain & Third-Party Management

Art. 21(3) explicitly requires consideration of cybersecurity practices of sub-providers. NIS-2 thus anchors a supply chain security mandate, similar to DORA.

Vendor Risk Register

Complete supplier overview. Register of all sub-providers, service providers, critical suppliers. Information: services, criticality, locations, jurisdiction, certifications. Regular updates. Available for audits/supervision.

Pre-Contract Due Diligence

Systematic review before commissioning. Security assessments, certifications (ISO 27001/9001), audit reports, financial stability, jurisdiction risks. Assessment of overall quality of cybersecurity practices. Score-based decision.

Contractual Protection

NIS-2-compliant clauses. SLAs for security/availability, incident reporting obligations, audit rights, sub-contracting disclosure, data processing locations, exit strategies. Cooperation obligation with authorities.

Continuous Monitoring

Ongoing vendor monitoring. Regular re-assessments, tracking of security incidents at suppliers, certification status updates. Trigger-based reviews for material changes. Escalation processes for non-compliance.

Security Incident Reporting Obligations

Art. 23 ff. establishes a multi-tiered reporting system – structurally identical to DORA. Coordination via national CSIRTs and central contact points.

Early Warning: 24 Hours

Initial notification within 24h. As soon as awareness of a significant security incident exists, an early warning must be submitted to the competent authority/CSIRT. Minimal information: type of incident, impact, initial assessment.

Incident Report: 72 Hours

Detailed report within 72h. Comprehensive description: affected systems/data, severity, impacts, IoCs (indicators of compromise), initial countermeasures. Coordination with CSIRT, data protection/law enforcement authorities for personal data.

Final Report: 1 Month

Final report within 30 days. Root cause analysis, timeline, implemented remediation measures, lessons learned, preventive measures for the future. Structured documentation for regulatory traceability and internal improvement.

Definition ‘Significant’

Thresholds & criteria. Significant = significant impairment of services, data integrity/confidentiality, availability of critical systems. Impact on business operations, financial position or third parties. National authorities specify.

Supervision, Sanctions & Enforcement

Chapter VII grants national authorities extensive control and enforcement powers. Sanctions must be effective, proportionate and dissuasive.

Authority Powers

Extensive supervisory instruments. On-site inspections, security scans, ad-hoc audits, information requests, document requests. Interviews with management/staff. Access to systems/logs (with conditions). No advance notice required.

Sanction Mechanisms

Significant fines possible. Essential entities: up to €10M or 2% of global annual turnover. Important entities: up to €7M or 1.4% of turnover. Nationally regulated but EU minimum requirements. Additionally: public announcement.

Suspension Powers

Temporary service/management suspension. For serious violations, authorities can temporarily prohibit services or suspend management functions. Last resort, but legally possible. Immediate enforcement if danger imminent.

Burden of Proof

Burden of proof on entity. Burden of proof for compliance lies with entity, not authority. Documentation, audit reports, test results, process evidence must be available. Missing evidence = indication of non-compliance.

ayedo and NIS-2

Our Software Delivery Platform and Managed Services are designed for NIS-2 compliance – from risk management to 24/7 incident response to supply chain transparency.

ISO 27001 Risk Management

Certified ISMS processes. ISO 27001/9001-based operations model with documented policies, annual reviews, board-suitable KPI/KRI dashboards. Asset inventories, risk assessments, continuous improvement. Audit-ready.

Zero-Trust & MFA

Strong authentication throughout. Network segmentation, MFA/OIDC integration, secrets management with customer-managed keys, least privilege principle. GitOps-based change control. RBAC/ABAC models. PAM for privileged access.

24/7 Detection & Monitoring

Comprehensive observability. Metrics, logs, traces with standardized interfaces. Defined alerting thresholds, escalation runbooks, 24/7 SOC integration. MTTA/MTTR tracking. Threat intelligence feeds. SIEM integration possible.

Business Continuity & DR

Tested backup/restore processes. Multi-AZ/region designs, documented RTO/RPO targets. Automated backups with standards-compliant object storage, point-in-time recovery. Annual DR tests including switchover. Forensic backup retention. Segregated restore networks.

Incident Response & NIS-2 Reporting

Structured 24h/72h/1M processes. Triage thresholds for ‘significant incidents’, dedicated reporting paths to authorities/CSIRTs. Incident timeline documentation, post-incident reviews, lessons-learned integration. Crisis comms playbooks. ENISA-compatible formats.

Security Testing & Audits

Regular assessments. Vulnerability scans, penetration tests, internal/external audits. CVE scanning in CI/CD. SBOM generation. Red team exercises on request. Remediation tracking with SLAs. Audit reports available for authorities/customers.

Supply Chain Transparency

Vendor risk register & due diligence. Complete documentation of sub-providers (cloud, data centers, OSS maintainers). ISO 27001 certifications preferred. EU-based operations, GDPR compliance. Vendor scoring, regular re-assessments.

Crypto & Secrets Management

State-of-the-art encryption. TLS 1.3+, AES-256, secure key rotation. Customer-managed keys, BYOK/BYOHSM capable. Separation of keys and data. Secrets management with audit trails. No-escrow policy.

NIS-2 Enablement Packages

Turnkey compliance roadmaps. Gap assessment against NIS-2 requirements, risk management framework setup, incident response playbooks, supply chain register, board training, audit preparation. Support for authority interaction.

NIS-2 in Regulatory Context

NIS-2 is the cross-cutting framework for cybersecurity in the EU. It integrates with DORA, CRA, Cloud Sovereignty Framework, Data Act and GDPR.

NIS-2 & DORA

DORA is the lex specialis for the financial sector. NIS-2 applies in principle to essential/important entities; DORA specifies and expands these requirements for financial institutions. No double compliance: DORA-compliant financial entities typically also fulfill NIS-2. Structurally identical reporting paths (24h/72h/1M).

NIS-2 & Cyber Resilience Act

Complementary at operator/product level. NIS-2 concerns infrastructure and operator obligations (operations). CRA addresses cybersecurity of products (development, lifecycle). Together: secure products + resilient operating environments.

NIS-2 & Cloud Sovereignty

Sovereignty reduces NIS-2 risks. Cloud Sovereignty Framework evaluates exit capability, EU control, supply chain transparency – all factors that directly address NIS-2 risk management and supply chain requirements. EU-based stacks minimize jurisdictional risks.

NIS-2 & Data Act

Interoperability supports resilience. The Data Act requires data portability and lock-in avoidance – directly relevant for NIS-2 BCP/exit strategies. Open standards and standardized interfaces facilitate disaster recovery and provider switching during incidents.

NIS-2 & GDPR

Complementary requirements. GDPR focuses on data protection. NIS-2 addresses cybersecurity and availability. Overlaps: security measures (Art. 32 GDPR), incident reporting (NIS-2 to CSIRT, GDPR to DPA). Coordinated compliance, parallel processes required.

ayedo Compliance Overview

Comprehensive compliance approach. How ayedo systematically addresses NIS-2, DORA, CRA, Data Act, GDPR, ISO 27001. Certifications, processes, technical measures, audit readiness – find our complete roadmap here.

Strategic Implications

NIS-2 fundamentally changes how digital infrastructures must be operated. From board responsibility to supply chain management to sanction risks – here are the core implications.

Cybersecurity Becomes Board-Level

Board responsibility & personal liability. Boards must approve cybersecurity measures, oversee implementation, release budgets. Personal liability for gross negligence. Training obligations. Cyber resilience anchored as strategic board topic.

Engineering Discipline Mandatory

Comprehensive documentation mandatory. Complete asset inventories, risk assessments, data flow diagrams, dependency maps. Segmented architectures, change/patch processes demonstrable. RTO/RPO defined and tested. SSDLC evidence.

24/7 Operations & Incident Response

Continuous monitoring mandatory. 24/7 capability for detection, alerting, incident response. Structured reporting paths (24h/72h/1M). Crisis communication, post-mortems. Annual BCP/DR tests. Integration with CSIRTs.

Supply Chain Governance

Systematic vendor risk management. Due diligence before commissioning, vendor scoring, contractual protection, continuous monitoring. Register of all sub-providers. Re-assessments for material changes. Escalation for non-compliance.

Testing & Assurance

Regular assessments mandatory. Vulnerability scans, penetration tests, red team exercises. Internal/external audits. Effectiveness proof of all measures. Remediation tracking. Continuous improvement based on findings.

Sanction Risks Real

Significant fines possible. Up to €10M or 2% of global annual turnover. Public announcement. Service suspension possible. Burden of proof on entity. Non-compliance can be existential.

Start Your NIS-2 Compliance

Whether cloud provider, managed service provider or critical infrastructure – we support you with systematic implementation of all NIS-2 requirements. From gap assessment to full compliance.

NIS-2 Gap Assessment

We analyze your organization against NIS-2 requirements: governance, risk management, incident response, BCP/DR, supply chain, testing maturity. Gap identification, prioritization, structured roadmap with quick wins and long-term measures. Board-level reporting.

NIS-2 Compliance Platform

We implement the complete toolchain: asset inventories/CMDB, observability stack (metrics/logs/traces/alerts), GitOps CI/CD with policy gates, backup/DR automation, incident response integration, vendor risk register, KPI/KRI dashboards. ISO 27001 compliant.

24/7 NIS-2-Compliant Operations

Managed operations with 24/7 monitoring, incident response, coordinated CSIRT reporting (24h/72h/1M paths), security hotfix deployment. Long-term support commitments, tested BCP/DR processes, annual resilience tests. Board-level reporting. Audit support.