NIS2 COMPLIANCE
Achieve compliance with the EU NIS2 Directive with confidence. Meroi Security helps essential and important entities implement risk-management measures, incident reporting, and governance required under Directive (EU) 2022/2555.
Understanding the EU NIS2 Directive
NIS2 (Directive (EU) 2022/2555) strengthens the EU's cybersecurity baseline for "essential" and "important" entities across critical sectors (e.g., energy, transport, health, financial market infrastructures, digital infrastructure, ICT service management, public administration). Compared with the original NIS Directive it widens the scope, harmonises supervision and enforcement across Member States, and sets out detailed risk-management measures and incident-reporting obligations. See also the European Commission's overview of NIS2.

Key requirements of NIS2
NIS2 sets out risk-management measures (Article 21) that apply across the organisation and supply chain:
- Policies and Governance: Risk analysis, information system security policies, and roles at management level.
- Incident Handling: Detection, response, and recovery capabilities; business continuity and crisis management.
- Supply-Chain Security: Security in procurement, development, and operations; third-party and managed service oversight.
- Secure Acquisition, Development and Maintenance: Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, patching and updates.
- Operational Security: Network and system security, asset management, access control and MFA or continuous authentication, secured communications, logging/monitoring, and policies on the use of cryptography and, where appropriate, encryption.
- Effectiveness Assessment and Audits: Policies and procedures to assess the effectiveness of the risk-management measures (Article 21(2)(f)), typically through testing, auditing and independent reviews at planned intervals and after major changes or incidents.
- Awareness and Training: Staff security awareness and role-based training.
These measures are listed in Article 21(2) of the Directive. Commission Implementing Regulation (EU) 2024/2690 sets out technical and methodological requirements for a specific group of providers: DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, managed service providers and managed security service providers, online marketplaces, online search engines, social networking platforms, and trust service providers. Entities in other sectors follow national transposition and guidance from their competent authorities.
Scope of NIS2
NIS2 applies to essential and important entities in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (e.g., DNS, TLD registries, IXPs, cloud and data centre providers), ICT service management (managed service providers), public administration, space, postal/courier, waste management, chemicals, food, manufacturing of critical products, and digital providers (online marketplaces, search engines, social networking platforms). Micro and small enterprises may be included based on criticality. See the Commission overview and the Directive text for full sector listings.
Incident reporting under NIS2
Article 23 requires entities to notify their CSIRT or competent authority of any significant incident, i.e. one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting others by causing considerable material or non-material damage (Article 23(3)). The reporting sequence is:
- Early warning within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to result from unlawful or malicious acts and whether it could have cross-border impact. Near misses and cyber threats may additionally be notified on a voluntary basis under Article 30.
- Incident notification within 72 hours of becoming aware (24 hours for trust service providers), updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
- Intermediate report on the status of the incident when the CSIRT or competent authority requests one.
- Final report no later than one month after the incident notification, covering a detailed description, the type of threat or root cause, mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.
Templates and criteria for when an incident is “significant” are further specified for certain providers in Implementing Regulation (EU) 2024/2690. Guidance on timelines is also provided by ENISA.
Examples of entities in scope
- Essential entities: Electricity TSO/DSOs; operators of gas networks and LNG; air, rail and maritime infrastructure operators; banks and financial market infrastructures; hospitals; drinking water suppliers; DNS service providers; TLD registries; trust service providers.
- Important entities: Managed service providers (including MSSPs), cloud computing providers and data centres not classified as essential, postal/courier services, waste management, chemicals manufacturing, food production, and certain public administration entities.
Classification turns mainly on the Annex in which the sector appears and on enterprise size (Article 3): entities in Annex I sectors that exceed the large-enterprise thresholds are essential, while other entities in Annex I or Annex II sectors are important. Some types are essential regardless of size (for example qualified trust service providers, TLD name registries and DNS service providers), and Member States may designate further entities. The category determines the supervisory regime and the sanctions that apply. Refer to the sector definitions and Annexes in the Directive and the Commission overview.
Supervision and penalties
- Management accountability: Members of management bodies must approve and oversee NIS2 measures and may be held liable for breaches.
- Enforcement: Essential entities face proactive supervision; important entities are supervised primarily ex-post.
- Administrative fines: National law must provide for maximum fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities (Article 34).
See Articles 29–34 of the Directive for detailed supervision and penalty frameworks.
How NIS2 interacts with other EU rules
NIS2 complements sectoral frameworks and may defer to sector-specific Union acts where requirements are at least equivalent in effect (e.g., DORA for financial entities). It also interfaces with GDPR on security and breach handling, and with EU cybersecurity certification schemes coordinated by ENISA.
Why choose Meroi Security for NIS2 compliance
Meroi Security provides:
- Directive-aligned implementation: Article-21 risk controls mapped to your operations and suppliers.
- Incident readiness: 24h/72h workflows, playbooks, and report templates aligned to NIS2 and Implementing Regulation 2024/2690.
- Governance & assurance: Policies, KPIs, and independent review cadence that withstand supervisory scrutiny.
- Cross-reg alignment: Consistent treatment with GDPR security/breach processes and sectoral regimes (e.g., DORA).
How Meroi Security helps you achieve NIS2 compliance
Our services align with Articles 20–23 and 29–34:
- Gap Analysis: Assess current controls against Article 21 measures and sector obligations.
- Risk & Supply-Chain: Integrate supplier security, MSP/MSSP oversight, and vulnerability handling.
- Incident Reporting: Standing operating procedures for early warnings, 72h notifications, and final reports.
- Testing & Reviews: Table-top exercises, red/purple teaming coordination, independent reviews post-incident.
- Governance & Training: Management briefings, role-based training, and evidence collection for audits.
Contact us today for a free NIS2 compliance consultation
Strengthen resilience and meet EU supervisory expectations. Partner with Meroi Security to implement NIS2 efficiently. Contact us at [email protected]
