Free download · 24 pages · A4 PDF
NIS2 Directive: English Summary for CISOs and Compliance Leads
A 24-page English-language summary of Directive (EU) 2022/2555. Covers scope, the ten Article 21 measures, the 24h/72h/1-month Article 23 reporting timeline, Annex I and II sectors, administrative fines, and a 10-step practical compliance roadmap. Authored by Rediacc; not an authoritative translation.
This document is an unofficial summary. For binding interpretation, consult the official text at OJ L 333/80, 27.12.2022.
What is in the PDF
Nineteen sections, structured for the working CISO or compliance lead who wants the directive's substance without wading through 73 pages of recitals and articles.
- Executive Summary
- Purpose and Legal Basis
- From NIS1 to NIS2: Why a New Regulation?
- Scope and Excluded Areas
- Key Definitions
- Entity Categories: Essential and Important Entities
- Sectors in Scope (Annex I and Annex II)
- Member State Obligations
- Cybersecurity Risk Management Measures (Article 21)
- Incident Reporting Obligations (Article 23)
- Supply Chain Security
- Management Body Responsibility
- EU-level Cooperation Structures
- Supervision and Enforcement
- Administrative Fines
- Implementation Timeline and Transition
- Implications for Non-EU Businesses
- Practical Compliance Roadmap (10 Steps)
- Conclusion and Assessment
Three companion guides
The PDF maps the directive. The companion guides turn the obligations into procurement and operational decisions, one audience at a time.
Article 21(2)(d) is a vendor question
Why the third-party-ICT register shrinks when the data plane never leaves your tenancy. For CISOs and procurement leads renegotiating DPAs in 2026.
Read the guide →
Continuous effectiveness without theatre
Article 21(2)(e), (f), and 23 read together. The constant-time fork that makes weekly drills realistic, and the Article 23 reporting timeline you cannot meet without forensic-grade artefacts. For SRE and ops leads.
Read the guide →
What buyers told us in the first NIS2 audit cycle
The five-tool compliance stack mid-market essential entities are quietly assembling, what a self-hosted control plane collapses, and the line items that stay yours either way. For CFOs and buyers heading into a renewal cycle.
Read the guide →
Frequently asked
Is this an authoritative translation of the directive?
No. It is an unofficial English-language summary intended to make the directive's structure and obligations accessible. For binding interpretation, consult the official text at OJ L 333/80 (27 December 2022) or via EUR-Lex (CELEX 32022L2555). National transposition acts in your Member State may impose stricter or differently-scoped obligations than the directive itself.
Who is in scope under NIS2?
Entities operating in an Annex I (high-criticality) or Annex II (other critical) sector that qualify as medium-sized or larger under Recommendation 2003/361/EC: 50 or more employees, or both annual turnover and annual balance sheet total above EUR 10 million (Article 2(1)). Some entities are in scope regardless of size, including TLD name registries, DNS service providers, trust service providers, providers of public electronic communications networks, and central government public administration entities; Member States may also designate further entities regardless of size, for example the sole provider of a service essential to society. Because national transposition acts settle the details, check your Member State's act rather than the directive alone. Sections 4, 6, and 7 of the PDF cover scope in detail.
When did NIS2 enter into force, and what is the transposition deadline?
The directive entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it into national law; application began on 18 October 2024 (the same date NIS1 was repealed). The full timeline including the entity-list-to-Commission deadline (17 April 2025) and the periodic-review schedule is in Section 16.
What are the maximum fines?
For essential entities: at least EUR 10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34(4)). For important entities: at least EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher (Article 34(5)). These figures are the minimum ceilings Member States must provide for; a national transposition act may set higher maxima. The directive also permits non-monetary enforcement measures against essential entities, including, as a last resort, temporarily barring the CEO or legal representative from exercising managerial functions (Article 32(5)). Section 15 covers fine determination factors.
Does NIS2 apply to non-EU companies?
Yes, in two ways. Directly: non-EU DNS, cloud, data centre, CDN, MSP/MSSP, online marketplace, search, and social-networking providers offering services in the EU must appoint an EU representative and comply. Indirectly: any non-EU supplier providing products or services to EU essential or important entities will be subject to supply-chain security contractual requirements imposed by their EU customers under Article 21(2)(d). Section 17 covers both.
How does Article 23 incident reporting work?
Three deadlines for significant incidents: an early warning within 24 hours and an incident notification within 72 hours, both counted from the moment the entity becomes aware of the incident, and a final report no later than one month after submission of the incident notification (Article 23(4)). The CSIRT or competent authority may request intermediate status reports in between. Separately, and where appropriate, recipients of the service must be notified without undue delay of significant incidents likely to affect service provision and of any significant cyber threat, together with the measures they can take in response. Section 10 has the full reporting matrix.
About this summary
Rediacc is a self-hosted infrastructure platform registered in Estonia (OÜ 17363830, VAT EE102920091). This summary was authored as part of our NIS2 content programme. The companion guides above describe how Rediacc addresses specific articles of the directive, including the gaps where Rediacc is not the answer (no certifications yet; no GRC layer; no managed Article 23 reporting; portal-only MFA). For the public capability mapping, see NIS2 and DORA in the documentation.
Send us your vendor questionnaire or your three biggest security line items from last year's budget. We will respond against a deployed instance, in writing, including the gaps. Or download the PDF and forward it to a colleague.
Download the PDF