The Art of CTO NIS2 Readiness tool assesses organizational preparedness for the EU NIS2 Directive, which establishes cybersecurity requirements for critical infrastructure operators and essential service providers.
Frequently Asked Questions
What is the NIS2 Directive and who does it apply to?
NIS2 is the updated EU directive on network and information security, significantly expanding the scope of the original NIS Directive. It applies to essential entities (energy, transport, health, digital infrastructure) and important entities (manufacturing, food, chemicals, and digital services, including cloud providers and SaaS platforms). Companies operating in covered sectors with 50 or more employees or more than 10 million euros in revenue must comply, with penalties of up to 10 million euros or 2% of global turnover.
How does NIS2 differ from the original NIS Directive?
NIS2 dramatically expands scope from a few hundred organizations to an estimated 160,000+ entities across the EU. Key changes include mandatory incident reporting within 24 hours (initial notification) and 72 hours (full report), personal liability for management bodies, mandatory supply chain security assessments, and harmonized penalties across EU member states. The directive also introduces a peer review mechanism and stricter enforcement powers for national authorities.