What Is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a high common level of cybersecurity across the Union by setting obligations for organizations in critical and important sectors.
NIS2 entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. The directive significantly expands the scope of the original NIS, covering more sectors, imposing stricter requirements, and introducing personal liability for management.
Where the original NIS Directive covered approximately 7 sectors and an estimated 15,000 entities, NIS2 covers 18 sectors (11 high-criticality sectors in Annex I and 7 other critical sectors in Annex II) and an estimated 160,000+ organizations across the EU. If your organization provides services in the EU in a covered sector and meets the medium-sized enterprise threshold (50 or more employees, or more than €10 million in annual turnover or balance sheet total), you should assume NIS2 applies and check the national transposition law in each member state where you operate.
Who Does NIS2 Apply To?
NIS2 categorizes organizations into two groups with different oversight regimes:
Essential Entities (Stricter Supervision)
These organizations are subject to proactive regulatory supervision, including on-site inspections, regular audits, and the full range of enforcement powers. Essential entities are, as a rule, the large enterprises (those exceeding the ceiling for medium-sized enterprises: 250 employees, or €50 million turnover and €43 million balance sheet total) operating in the high-criticality sectors of Annex I: energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking and financial market infrastructures, health (hospitals, laboratories, pharmaceutical manufacturing), drinking water supply and distribution, wastewater management, digital infrastructure (DNS, TLD registries, cloud computing, data centres, CDNs, trust services), ICT service management in B2B contexts, public administration, and space operations. Medium-sized entities in the same sectors are generally classified as important entities, with a few exceptions: qualified trust service providers, TLD name registries and DNS service providers are essential regardless of size, and member states may designate other entities as essential on criticality grounds.
Important Entities (Reactive Supervision)
These organizations face lighter, ex-post supervision, meaning authorities typically get involved only after an incident or evidence of non-compliance. Important entities are the remaining in-scope organizations: medium-sized entities in the Annex I sectors listed above, plus medium-sized and large entities in the Annex II sectors: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networking platforms), and research organizations.
Size Thresholds
Generally, NIS2 applies to medium-sized organizations (50+ employees, or more than €10M in annual turnover or balance sheet total) and large organizations in covered sectors. However, Article 2(2) covers some entities regardless of size: providers of public electronic communications networks or publicly available electronic communications services, trust service providers, TLD name registries, and DNS service providers. Cloud computing, data centre, CDN and managed (security) service providers are in Annex I but remain subject to the size thresholds unless a member state designates them on other grounds, for example because the entity is the sole provider of an essential service in that state, or because a disruption of its service could have a significant impact on public safety, security or health.
Key NIS2 Requirements
NIS2 Article 21(2) lists ten minimum cybersecurity risk management measures that covered entities must implement. Seven of them are summarized below; the remaining three are policies and procedures to assess the effectiveness of the measures, human resources security together with access control policies and asset management, and the use of multi-factor or continuous authentication alongside secured voice, video, text and emergency communications. Our assessment tool evaluates your readiness across these areas:
1. Risk Analysis and Information System Security Policies
Organizations must implement an ICT risk management framework that includes documented policies, regular risk assessments, and defined risk treatment approaches. This framework must be approved by the management body and reviewed regularly.
2. Incident Handling
Article 21(2)(b) requires incident handling processes, and Article 23 adds strict reporting timelines for significant incidents. Organizations must submit an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident (stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact), an incident notification within 72 hours that updates the early warning with an initial assessment of severity and impact and any indicators of compromise, and a final report within one month of the incident notification covering a detailed description, the root cause, mitigation measures applied and any cross-border impact. If the incident is still ongoing when the final report is due, a progress report is submitted instead and the final report follows within one month of the incident being handled. The 24-hour early warning is tighter than the 72-hour breach notification under GDPR.
3. Business Continuity and Crisis Management
Covered entities must maintain business continuity plans that address ICT-related disruptions, including backup management, disaster recovery procedures, and crisis management processes. Plans must be tested regularly and updated based on lessons learned.
4. Supply Chain Security
NIS2 places particular emphasis on supply chain risk. Organizations must assess and manage security risks arising from their relationships with direct suppliers and service providers. This includes contractual security requirements, ongoing supplier monitoring, and addressing concentration risk.
5. Security in Network and Information Systems Acquisition, Development and Maintenance
Organizations must secure the acquisition, development and maintenance of their network and information systems, explicitly including vulnerability handling and disclosure. In practice this means technical measures such as patch and vulnerability management, network segmentation, access control, and encryption, applied in proportion to the risk.
6. Cybersecurity Training
Article 20(2) explicitly requires management body members to follow cybersecurity training, and Article 21(2)(g) lists basic cyber hygiene practices and cybersecurity training among the minimum measures, so regular awareness training for staff is a legal obligation rather than a best-practice recommendation. Because the management body must approve and oversee the measures under Article 20(1), gaps here bear directly on management liability.
7. Cryptography and Encryption
Covered entities must have policies and procedures for the use of cryptography and, where appropriate, encryption. This includes protecting data at rest and in transit with appropriate cryptographic standards.
Management Liability Under NIS2
One of the most significant changes NIS2 introduces is personal liability for management. Under Article 20, management bodies must approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements.
For essential entities, competent authorities can request that individuals discharging managerial responsibilities at chief executive officer or legal representative level be temporarily prohibited from exercising managerial functions if they are found to have failed in their duties (Article 32(5)). This makes NIS2 compliance a board-level concern, not just an IT issue.
Management body members are also required to undergo cybersecurity training to maintain sufficient knowledge of cybersecurity risks and practices. This training must be relevant to the nature and complexity of the services and systems the organization operates.
NIS2 Penalties
NIS2 introduces administrative fines on the same scale as GDPR, although the ceilings are lower (GDPR allows up to €20 million or 4% of worldwide annual turnover):
Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. They are also subject to proactive supervision, including regular audits and on-site inspections.
Important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. They face ex-post supervision, meaning enforcement typically follows an incident or complaint.
Beyond financial penalties, non-compliance can result in public disclosure of the violation, binding instructions from the competent authority, and for essential entities, temporary suspension of certifications and authorizations.
How This Assessment Works
Our NIS2 Readiness Assessment evaluates your organization across 9 security domains based on the requirements of NIS2 Article 21. The 10-step wizard starts with a screening question to determine if NIS2 applies to you, then assesses approximately 50 controls covering governance, risk management, incident handling, business continuity, supply chain security, network security, vulnerability management, training, and encryption.
For each control, you indicate whether it is fully implemented ("Yes"), partially implemented ("Partially"), or not implemented ("No"). The tool calculates a compliance percentage for each domain and an overall readiness score.
All calculations happen in your browser — no data is sent to any server. Your answers are not stored or tracked. You can run the assessment as many times as you need.
Frequently Asked Questions
When did NIS2 come into effect?
NIS2 entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024. Obligations apply to your organization under each member state's transposing law; several states transposed after the deadline, so the date from which requirements are enforceable varies by country.
Does NIS2 apply to small businesses?
Generally, NIS2 applies to medium-sized (50+ employees, or more than €10M in turnover or balance sheet total) and large organizations. However, certain entities are covered regardless of size: providers of public electronic communications networks and services, trust service providers, TLD name registries, and DNS service providers. Individual member states may also bring smaller entities into scope where they are the sole provider of an essential service or where a disruption would have a significant impact on public safety, security or health.
What is the difference between NIS2 and GDPR?
GDPR focuses on the protection of personal data, while NIS2 focuses on the security of network and information systems. An organization may need to comply with both. A breach involving personal data on a covered system can trigger obligations under both GDPR (72-hour notification to the data protection authority) and NIS2 (24-hour early warning to the CSIRT or competent authority). The two regimes are complementary and can apply in parallel to the same incident, so incident response plans should map each notification to its authority and deadline.
Can management really be held personally liable?
Yes. NIS2 Article 20 establishes that management bodies must approve and oversee cybersecurity measures and can be held liable for infringements. For essential entities, competent authorities can request temporary bans on individuals at chief executive officer or legal representative level from exercising managerial functions. This is a significant escalation from the original NIS Directive.
How accurate is this assessment?
This is a self-assessment tool that provides an indicative readiness score based on your responses. It covers the key requirements of NIS2 Article 21 but is not a substitute for a formal compliance audit. Use it as a starting point to identify gaps, then consult qualified cybersecurity and legal professionals for a comprehensive assessment.
Related Tools
GDPR Breach Cost Calculator
Estimate your financial exposure from a data breach — fines, legal costs, and business impact.
NIS2 Compliance Starter Kit
82-control checklist, incident response plan, board briefing deck, and supply chain policy.
Related Articles
NIS2 Directive Explained for SMBs
Everything you need to know about NIS2.
NIS2 vs GDPR: Key Differences
How the two regulations overlap and differ.
Disclaimer: This tool is for informational and educational purposes only and does not constitute legal, regulatory, or professional advice. The assessment provides an indicative readiness score based on self-reported answers and should not be relied upon as a formal compliance evaluation. NIS2 requirements may vary by member state transposition. Consult qualified cybersecurity and legal professionals for guidance specific to your organization.
Last updated: March 2026 · Created by ClevSec