name: eu-nis2-compliance description: Implement NIS2 Directive (2022/2555) cybersecurity obligations for essential and important entities — risk management, incident reporting, supply chain security. version: "1.0.0" last-updated: "2026-04-17" model_tested: "claude-sonnet-4-6" category: compliance platforms: [claude-code, codex, gemini-cli, cursor, copilot, windsurf, cline] language: en geo_relevance: [eu, fr] priority: critical dependencies: mcp: [] skills: [eu-regulatory-router] apis: [] data: [] update_sources:

• url: "https://eur-lex.europa.eu/eli/dir/2022/2555/oj" check_frequency: "quarterly" last_checked: "2026-04-17" license: MIT

EU NIS2 Compliance

DISCLAIMER: This skill provides guidance only. It does not constitute legal or cybersecurity advice. Always verify with qualified professionals.

When to Use

• Determining if your organization falls under NIS2 scope
• Implementing cybersecurity risk management measures
• Setting up incident reporting procedures
• Auditing supply chain security
• Preparing for national authority inspections

Step 1: Scope — Am I Affected?

NIS2 applies to entities in these sectors meeting size thresholds:

Essential Entities (stricter obligations)

Important Entities (lighter obligations)

Size Thresholds

• Medium: 50-249 employees OR turnover EUR 10-50M
• Large: 250+ employees OR turnover > EUR 50M
• Some entities included regardless of size (DNS, TLD, qualified trust services)

Step 2: Risk Management Measures (Article 21)

Implement at minimum:

1. Risk analysis and information system security policies
2. Incident handling — detection, response, recovery
3. Business continuity and crisis management — backups, disaster recovery
4. Supply chain security — assess security of direct suppliers
5. Security in network and information system acquisition, development, and maintenance — vulnerability handling, disclosure
6. Policies and procedures to assess effectiveness — testing, auditing
7. Basic cyber hygiene and cybersecurity training
8. Cryptography and encryption policies
9. Human resources security, access control, and asset management
10. Multi-factor authentication or continuous authentication — where appropriate

Step 3: Incident Reporting (Article 23)

Timeline

Significant Incident Criteria

An incident is significant if it:

• Caused or can cause severe operational disruption or financial loss
• Has affected or can affect other natural or legal persons by causing material or non-material damage

Reporting Authority

Report to the national CSIRT or competent authority. In France: ANSSI (Agence nationale de la securite des systemes d'information).

Step 4: Supply Chain Security

For each critical supplier:

1. Assess their cybersecurity maturity
2. Include security requirements in contracts
3. Monitor their security posture continuously
4. Have contingency plans for supplier failure or compromise

Step 5: Governance (Article 20)

• Management body must approve cybersecurity risk management measures
• Management body must oversee implementation
• Management body members must receive cybersecurity training
• Personal liability possible for management body members in case of non-compliance

Penalties

Key Dates

• 17 October 2024: Transposition deadline (member states must transpose into national law)
• 17 April 2025: List of essential and important entities established
• 17 October 2027: Commission review of the Directive

What This Skill Does NOT Do

• Does not perform penetration testing
• Does not configure security tools (firewalls, SIEM, etc.)
• Does not manage incident response execution
• Does not replace ANSSI or national authority guidance