Directive (EU) 2022/2555 — NIS2 enforceable across the Union
⚠ Enforcement active 2026

NIS2 Compliance, done properly.
Zero fines. Zero surprises.

We turn the NIS2 Directive into real operational resilience. Gap analysis, ENISA-aligned remediation, supply chain audit and incident-management support for Essential and Important Entities across the EU and UK.

€10M
Max fine for Essential Entities
24h
Maximum incident early-warning window
2%
Of global turnover (alternative cap)
27
EU member states in scope

Is your organisation in scope for NIS2?

Directive 2022/2555 splits in-scope entities into two categories with different obligations and supervisory regimes. The classification directly impacts your sanctions exposure.

Criterion: Typical sectors
  • 🔴 Essential Entities (EE): Energy, Transport, Health, Drinking water, Digital infrastructure, Space, Banking, Public administration
  • 🟡 Important Entities (IE): Postal services, Waste management, Chemicals, Food, Manufacturing, Digital providers

Criterion: Supervision
  • EE: Ex-ante and ex-post; regular and proactive inspections
  • IE: Ex-post only; on evidence of a breach

Criterion: Maximum fine
  • EE: €10,000,000 or 2% of global turnover
  • IE: €7,000,000 or 1.4% of global turnover

Criterion: Management liability
  • EE: Direct; board, CEO and CISO personally accountable
  • IE: Direct, with mandatory training obligations

Criterion: National registration
  • EE: ✓ Mandatory
  • IE: ✓ Mandatory
Not sure if you are in scope? Some SMEs are included automatically by sector — regardless of headcount or turnover (DNS providers, TLD registries, trust service providers). Scope verification is always the first step — request it for free.

We don't just assess — we implement.

Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the NIS2 gap analysis and reports, our engineers deliver the security work the Directive actually requires: system hardening, MFA and identity governance, encryption and PKI, network segmentation, EDR and 24/7 monitoring, backup and disaster recovery, penetration testing and incident response. One team takes you from assessment to a fully implemented, audit-ready and resilient infrastructure.

The 10 mandatory NIS2 security measures.

Every Webristle engagement covers the full set of technical and organisational requirements set by ENISA and national authorities. No shortcuts.

Measure 01

Risk Analysis & Information Security Policies

Formal threat assessment, Business Impact Analysis (BIA) and board-approved risk appetite, with documented information security policies.

Measure 02

Incident Handling

Operational procedures for detection, classification and reporting to the national CSIRT: 24h early warning, 72h full notification, one-month final report.

Measure 03

Business Continuity & Disaster Recovery

Continuity plans, backup management, tested disaster recovery and crisis management with documented RTO and RPO targets.

Measure 04

Supply Chain Security

Audit and risk assessment of critical suppliers. NIS2-aligned contractual clauses and ongoing third-party security monitoring.

Measure 05

Network & System Security

Structured vulnerability management, periodic penetration testing and hardening across IT and OT infrastructure.

Measure 06

Security Effectiveness Assessment

Policies and procedures to assess the effectiveness of cybersecurity risk management measures, including audits and red-team exercises.

Measure 07

Access Control & MFA

Zero-trust architecture, mandatory MFA on all critical systems, IAM governance and Privileged Access Management (PAM).

Measure 08

Human Resources Security

Training and awareness programmes, secure onboarding/offboarding procedures and insider-threat risk management.

Measure 09

Basic Cyber Hygiene & Training

Systematic patch management, asset inventory, endpoint security and documented BYOD policies enforced across the organisation.

Measure 10

Cryptography & PKI

Encryption of data at rest and in transit as a minimum standard. Key management policies, digital certificates and compliant electronic signatures.

A structured path to NIS2 compliance.

No one-size-fits-all. Every organisation starts from a different position — we begin there.

01

Discovery & Scoping

We determine whether you are in the NIS2 perimeter and which critical assets are covered. Free scope verification.

02

Gap Analysis

Technical-legal report mapping the gaps against the 10 measures of Article 21 with a severity rating.

03

Remediation Plan

Prioritised roadmap with effort, cost and a realistic timeline. Highest sanction-risk items first.

04

Implementation

Technical hardening, documented policies, management training and national-authority registration.

NIS2 compliance, country by country.

Every member state transposes the Directive with its own law, authority and deadlines. We run dedicated, locally-grounded compliance for each market — select yours.

How far are you from compliance?

The gap analysis is the mandatory starting point. In 5 working days you will have a precise picture of your position against the NIS2 Directive.

  • Scope verification and EE/IE classification
  • Assessment of the 10 Article 21 measures
  • Supply chain risk analysis
  • Review of incident reporting procedures
  • Technical-legal report for the management team
  • Remediation roadmap with priorities and budget
  • Support with national authority registration

Request your NIS2 Audit

Our senior consultants will get back to you within 4 working hours with a free preliminary assessment.


No commitment. First consultation is free. Reply within 4 working hours.

Frequently asked questions about NIS2 in the EU.

The questions we hear most often from CISOs, CEOs and legal counsel.

Do you only run the gap analysis, or also implement the security measures?
Both — and that is the difference. Webristle is a full cybersecurity agency, not just a compliance auditor. Beyond the NIS2 gap analysis and remediation roadmap, our engineers implement the technical and organisational measures themselves: system hardening, MFA and identity governance, encryption, network segmentation, EDR and monitoring, backup and disaster recovery, penetration testing and incident response. You get one team from assessment through to a fully compliant, resilient infrastructure — with no need to hire separate vendors to execute the remediation.

What is the maximum NIS2 fine?
For Essential Entities, administrative fines can reach €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. For Important Entities the cap is €7,000,000 or 1.4% of turnover. Personal liability applies: directors and senior managers can be temporarily suspended from their duties in cases of repeated non-compliance.

How does the 24-hour incident reporting obligation work?
Article 23 of NIS2 mandates a three-stage process: (1) Early warning to the national CSIRT within 24 hours of awareness of a significant incident; (2) Incident notification with an initial assessment within 72 hours; (3) Final report within one month covering root-cause analysis, mitigation measures and impact assessment. Managing this end-to-end requires documented, tested internal procedures — one of the most common gaps we find.

Does my SME need to comply with NIS2?
Generally yes, if you operate in one of the critical sectors with more than 50 employees OR more than €10M annual turnover. Important caveat: some categories are in scope regardless of size (domain name registrars, DNS providers, qualified trust service providers, public administrations). Scope verification is the first step we always run — at no cost.

When do businesses need to be NIS2 compliant?
Member states had until 17 October 2024 to transpose NIS2 into national law. By 2026 most national authorities have opened registration platforms and enforcement is active. There is no single EU-wide "compliance deadline" — your obligations apply from the date of national transposition. The right moment to start was yesterday. The next best is now.

What exactly does a Webristle NIS2 gap analysis include?
Our gap analysis covers: scope verification and EE/IE classification, assessment of the 10 mandatory Article 21 measures with severity ratings, supply chain risk review, audit of incident management procedures, management interviews and a full technical-legal report with a remediation roadmap prioritised by cost and impact. Delivered in 5 working days.

Do NIS2 and GDPR overlap? Do I need to do both?
They overlap partially but they are not interchangeable. GDPR protects personal data; NIS2 covers the operational resilience of your entire infrastructure, including OT systems, networks and supply chain. Some NIS2 measures (incident management, risk assessment) align with GDPR obligations without replacing them. We run both tracks in an integrated way to avoid duplicate effort.

Does NIS2 apply to UK-based companies?
The UK is not bound by NIS2 directly, but UK-based companies that offer services in the EU are in scope and must designate a representative in the Union. The UK's update to its own NIS Regulations 2018 (UK NIS) tracks closely with NIS2 principles. If you serve EU clients from the UK, NIS2 compliance is not optional.
Webristle NIS2 Compliance

Don't wait for your first regulator visit.

Start with a free scope verification. No commitment, response within 4 working hours.
