EU NIS2 Directive
Directive (EU) 2022/2555 — the EU's updated cybersecurity directive covering 18 critical sectors. Management liability, 10 security measures, and 24-hour incident reporting. Available on the Premium plan.
The EU's upgraded cybersecurity compliance obligation
The NIS2 Directive (Directive EU 2022/2555) replaced the original NIS Directive in October 2024. It significantly expands the scope of EU cybersecurity requirements — from 7 to 18 sectors — and introduces personal liability for management bodies that fail to implement required security measures.
NIS2 mandates 10 minimum security measures under Article 21, a three-stage incident reporting process, and supply chain security requirements. Unlike GDPR (which applies globally), NIS2 applies to entities established in the EU operating in covered sectors.
NIS2 is closely aligned with ISO 27001:2022. Organizations already certified under ISO 27001 have a significant head start — roughly 60–70% of NIS2 Article 21 requirements are covered by an existing ISO 27001 ISMS.
The 10 NIS2 security measures every entity must implement
Article 21 defines the minimum cybersecurity risk management measures. All essential and important entities must implement and document all 10.
1. Risk analysis & security policies: documented policies for information system risk analysis, with periodic reviews and updates.
2. Incident handling: processes for detecting, analysing, containing, and recovering from cybersecurity incidents, with defined roles and escalation paths.
3. Business continuity & crisis management: backup management, disaster recovery plans, and crisis response procedures to ensure continuity of essential services.
4. Supply chain security: security measures covering supplier relationships and third-party service providers, including contractual security requirements for key suppliers.
5. Security in network & information systems: secure development and acquisition practices, and vulnerability handling in systems used for essential service delivery.
6. Policies & procedures for assessing effectiveness: regular testing and assessment of cybersecurity measures, with processes to evaluate and improve control effectiveness.
7. Cybersecurity hygiene & training: basic cybersecurity hygiene practices and regular employee security awareness training and education programmes.
8. Cryptography & encryption: policies for the use of cryptography and encryption, and implementation of encryption for sensitive data at rest and in transit.
9. Human resources security & access control: access control policies, privileged access management, and HR security procedures for joiners, movers, and leavers.
10. Multi-factor authentication (MFA): MFA or continuous authentication solutions for all network and system access, and encrypted voice, video, and text communications where appropriate.
Essential vs Important entities — know which you are
Essential entities
Subject to proactive supervision and stricter requirements. Management bodies have direct personal liability.
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, road, maritime)
- Banking & financial market infrastructure
- Health sector
- Drinking & waste water
- Digital infrastructure (IXPs, DNS, TLDs, cloud, data centres)
- ICT service management (B2B MSPs)
- Space
- Public administration
Important entities
Subject to reactive supervision: investigated following an incident or complaint. The same technical requirements apply.
- Postal & courier services
- Waste management
- Manufacture of critical products (pharma, medical devices, chemicals)
- Food production & distribution
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
Size threshold: medium-sized entities (>50 employees OR >€10M turnover) and above. Some sectors have no size threshold.
NIS2 three-stage incident reporting
1. Early warning (within 24 hours): notify the national CSIRT or competent authority if there are grounds to believe a significant incident has occurred.
2. Incident notification (within 72 hours): submit the full incident notification, including an initial assessment of impact and severity and any indicators of compromise.
3. Final report (within one month): submit a final report with a detailed incident description, threat category, applied mitigations, and cross-border impact.
What changed from NIS1 to NIS2
| Area | NIS1 (repealed) | NIS2 (current) |
|---|---|---|
| Scope | ~7 sectors, operators of essential services | 18 sectors, essential AND important entities |
| Company size threshold | Case-by-case national determination | >50 employees or >€10M turnover (with exceptions) |
| Management liability | No personal liability | Management bodies can be personally liable |
| Supply chain | Not addressed | Mandatory supply chain security measures (Art. 21d) |
| Fines | Member state discretion | Essential: €10M or 2% global turnover; Important: €7M or 1.4% |
| Incident reporting | 72 hours (some states) | 24h early warning + 72h notification + 1 month final report |
Who does NIS2 apply to?
NIS2 applies to medium and large organisations operating in critical sectors across the EU — including energy, transport, health, digital infrastructure, managed services, and public administration. It also extends to supply chain entities that support these sectors.
Start meeting NIS2 requirements with Unicis
Unicis maps your security controls to all 10 NIS2 Article 21 measures, with automated gap analysis, risk management, and audit-ready reporting. Available on the Premium plan.