GUIDE

NIS2, for the rest of us.

Not just for utilities and banks. Most SMBs in the supply chain are now in scope. Here's what to do.

What NIS2 actually is.

The EU's Network and Information Security Directive, version 2. Came into force October 2024 across member states. It's a cybersecurity-and-resilience law — not data privacy. Aimed at making essential services and their suppliers harder to disrupt.

Why it matters.

Penalties up to €10 million or 2% of turnover, whichever is higher. Plus personal liability for directors who didn't take cybersecurity seriously.

Who is in scope.

  • Essential entities. Energy, transport, banking, healthcare, water, digital infrastructure, public administration. Strict regime.
  • Important entities. Postal, waste, chemicals, food, manufacturing of medical devices/computers/electrical equipment, digital providers, research. Slightly lighter.
  • Supply chain. If you supply software, IT services, or data processing to an essential or important entity, you're effectively in scope through them.
  • Digital service providers. Cloud, data centres, content delivery, online marketplaces, search engines, social platforms — regardless of size.

Key requirements.

  • Risk management. Documented cybersecurity risk-management framework. Reviewed and updated. Approved by management.
  • Incident reporting. Significant incidents reported to the national CSIRT within 24 hours of awareness. Final report within a month.
  • Supply-chain security. Assess and manage cyber risk from suppliers. Specific controls per supplier risk tier.
  • Business continuity. Backup, disaster recovery, crisis management. Tested at least annually.
  • Access control & MFA. MFA for all administrative access. Privileged-access management. Regular review.
  • Vulnerability handling. Process to receive, evaluate, and patch vulnerabilities. Including a coordinated disclosure policy.

Penalties.

  • Essential entities. Up to €10 million or 2% of global turnover. Director liability included.
  • Important entities. Up to €7 million or 1.4% of global turnover.
  • Personal liability. Directors who failed to ensure compliance can be held personally liable, including temporary bans.
  • Enforcement. Site inspections, security audits, ad-hoc requests. The cyber equivalent of a data-protection authority.

Eight steps to be ready.

  • Confirm your scope. Are you essential, important, supply chain, or none of the above? Sector-by-sector criteria. Get a written answer.
  • Run a gap analysis. Against the full list of NIS2 controls. Score each as covered, partial, or open.
  • Document the risk framework. Methodology, scope, asset inventory, threat model, treatment plan. Approved by management.
  • Draft the policies. Acceptable use, access control, encryption, incident response, business continuity, supplier management. Six minimum.
  • Wire up incident response. Define what counts as significant. Who decides. Who notifies CSIRT. 24-hour clock starts on awareness.
  • Review your supply chain. Tier each supplier by risk. Ensure each has a data processing agreement (DPA) and a security baseline. Add SBOMs for software suppliers.
  • Train management. Board-level cybersecurity training. Documented attendance. NIS2 expects directors to actually understand.
  • Monitor continuously. Detection, logging, response. Quarterly internal review. Annual tabletop.

How AIR-Tools helps with each.

  • Scope assessment. Five questions and Clair tells you whether NIS2 applies and at which tier.
  • Control coverage. Live gap analysis against NIS2 articles. Updates weekly.
  • Policy drafts. All six minimum policies, drafted to NIS2 wording.
  • Incident playbook. 24-hour clock, decision tree, CSIRT contact, draft notifications.
  • Supplier scoring. Each supplier tiered, scored, with DPA status and SBOM where relevant.
  • Audit-ready evidence. When the inspector knocks, the file already exists.

The short version.

NIS2 is mostly the security work you should already be doing. Documented. Clair makes the documentation a side-effect of the work.

FAQ

How do I know if NIS2 actually applies to me?
Two tests: sector (is it on the essential or important list?) and size (≥50 staff or €10m turnover, with exceptions). If you're a supplier to an essential entity, your customer's compliance often pulls you in too.

What's the deadline?
NIS2 came into force across the EU in October 2024. Member states are mid-enforcement now. The Dutch implementation (Cyberbeveiligingswet) is being applied from May 2025. Overdue is the honest answer.

Does ISO 27001 cover NIS2?
Mostly, but not entirely. ISO 27001 covers most controls. NIS2 adds incident-reporting timelines, director liability, and supply-chain specifics that ISO doesn't enforce. The overlap is high — about 80%.

Are directors really personally liable?
Yes, where they failed to ensure cybersecurity governance. This is new and it's why boards are paying attention. Documented training and oversight are the defence.

Who is the Dutch CSIRT?
The Nationaal Cyber Security Centrum (NCSC). 24-hour incident notifications go to them via the central reporting portal.

Find out where you stand.

See where you stand on NIS2 — a short demo with a founder, on your actual stack.