NIS2 Guide · 10 min
How to comply with NIS2: a step-by-step roadmap
NIS2 isn't a checklist you complete once. It's an ongoing obligation backed by management liability and supervisory enforcement. But the path to compliance is well-defined. This guide lays out the steps in order: work out whether you're in scope, register with your authority, get leadership formally on the hook, implement the risk-management measures, secure your supply chain, stand up incident reporting, and keep it all evidenced over time. Each step links to a deeper guide where you need one.
Key takeaways
- NIS2 (Directive (EU) 2022/2555) was due in national law by 17 October 2024; obligations apply through each member state's transposing law.
- Compliance follows a clear sequence: scope → register → governance → Art. 21 measures → supply chain → incident reporting → continuous assurance.
- It's continuous, not a one-off. Management is accountable (Art. 20) and supervisory authorities can audit, order remediation and fine (Art. 34).
What “NIS2 compliance” actually means
NIS2 is an EU directive, so it applies through the national law each member state passed to transpose it (the transposition deadline was 17 October 2024; some states were late). It sets a baseline of cybersecurity risk-management measures (Art. 21), incident reporting (Art. 23), governance and accountability (Art. 20), and registration with a competent authority, enforced by audits and penalties (Art. 34).
Crucially, it's a management system, not a certificate. You don't “pass” NIS2 once; you operate, evidence and improve the measures continuously, and your leadership is personally accountable for that. The steps below get you to a defensible baseline and keep you there.
Who must comply
Essential and important entities: medium and large organisations in the Annex I/II sectors (energy, transport, health, water, digital infrastructure, public administration, manufacturing, and more). Use the “who is in scope” guide to confirm your tier.
Pulled in indirectly
Even if you're not designated, the supply-chain duty reaches you: in-scope customers must assess their suppliers (Art. 21(2)(d)), so you'll face questionnaires, evidence requests and continuous monitoring through your contracts.
The roadmap, step by step
Seven steps, in order. Each one builds on the last.
1. Confirm scope and tier. Determine whether you're an essential or important entity from the Annex I/II sectors and the size thresholds, and map where your own suppliers sit.
2. Register with your competent authority. Most member states require in-scope entities to register (name, sector, contacts, IP ranges) under their transposing law.
3. Put management on the hook. The management body must approve the risk-management measures, oversee them and be trained (Art. 20), and can be held liable.
4. Implement the Art. 21(2) measures: the ten baseline measures, applied proportionately to your risk (see the list below).
5. Secure your supply chain. Assess and monitor supplier cyber risk (Art. 21(2)(d)) with tiering, questionnaires and continuous evidence, not a one-off audit.
6. Stand up incident reporting. Be able to send the 24-hour early warning, 72-hour notification and one-month final report to your CSIRT (Art. 23).
7. Make it continuous and evidenced. Monitor, test, document and review so you can show, on demand, that the measures are working.
The Article 21(2) measures
Step 4 in detail. NIS2 requires, proportionately, at least:
- (a) Risk analysis and information system security policies.
- (b) Incident handling: detection, response and recovery.
- (c) Business continuity: backups, disaster recovery and crisis management.
- (d) Supply chain security, including the security of relationships with direct suppliers and service providers.
- (e) Security in acquisition, development and maintenance, including vulnerability handling and disclosure.
- (f) Policies and procedures to assess the effectiveness of the measures.
- (g) Basic cyber hygiene practices and security training.
- (h) Cryptography and, where appropriate, encryption.
- (i) Human-resources security, access control policies and asset management.
- (j) Multi-factor authentication, secured voice/video/text and secured emergency communications.
Why it never really “ends”
The measures aren't a project with a finish line. NIS2 expects you to assess their effectiveness (Art. 21(2)(f)), and supervisory authorities can carry out audits, request evidence, issue binding instructions and impose fines (Art. 34), for essential entities up to €10 million or 2% of global annual turnover, whichever is higher. Management can also be held personally responsible.
That's why the last step matters most: the gap between “we wrote a policy” and “we can show it's working today” is exactly what an auditor, or a customer's due diligence, asks you to close. Continuous monitoring and retained evidence turn a one-time effort into a defensible, repeatable position.
NIS2 applies through national law, and the details (registration mechanics, deadlines, sector specifics, penalty levels) vary by member state. Confirm the specifics with your national competent authority.
Where do you start?
Your first move depends on your situation:
You're clearly in scope (essential or important)
Start at Step 1 to confirm your tier, then register and brief management. Use the management-responsibility guide to engage the board early.
You're not sure whether you're in scope
Begin with the “who is in scope” guide (sectors and size thresholds) before investing in controls. Don't assume you're exempt; the supply chain may still reach you.
You're a supplier to in-scope customers
Even without your own designation, expect supplier questionnaires and monitoring. The supplier-questionnaire and checklist guides show what you'll be asked to evidence.
You already hold ISO 27001
Much of Step 4 carries over, but statutory incident reporting, registration and management liability do not. The ISO 27001 guide maps what's left.
Sources: Directive (EU) 2022/2555 (NIS2) and your national transposing law.
How norppa.io helps
norppa.io is built for Steps 5 and 7: the supply-chain and continuous-evidence parts most teams find hardest. It monitors every supplier domain across more than a hundred control points daily (the time-sensitive ones every six hours), maps each finding to the NIS2 article it touches, and keeps a dated, exportable record for your supplier file.
Self-assessment questionnaires capture the process and contractual controls, and each answer is set against the live technical profile, so when an auditor or a customer asks you to show that supply-chain security is actually operating, you have current, corroborated evidence instead of a spreadsheet from last spring.