NIS 2 Directive · EU 2022/2555

NIS 2 isn't coming — the deadline already passed.

Since the 17 October 2024 transposition deadline, essential and important entities across the EU must run cybersecurity risk-management measures, report significant incidents within tight windows, and answer for it at board level. Setu Innovation pairs the advisory work that interprets each obligation with the engineering that satisfies it, in one accountable team, so you close the gap with measures that hold rather than a policy binder.

Key facts
  • In force · Jan 2023
  • Transposition · 17 Oct 2024
  • Reporting · 24h / 72h / 30d
  • Fines up to €10M / 2%
Scope · Are you in scope?

If you're a medium or large entity in a covered sector, NIS 2 likely applies.

NIS 2 covers essential and important entities — generally organisations with 50+ staff or over €10M annual turnover operating in one of the sectors the Directive lists as high-criticality (Annex I) or other critical (Annex II).

In scope regardless of size? Some providers are always covered — DNS service providers, TLD registries, trust-service and public electronic-communications providers, and the sole provider of a critical service in a Member State.

A 20-second self-check

  • Do you have 50+ employees, or over €10M annual turnover?
  • Do you operate in energy, transport, health, water, digital infrastructure, ICT management, manufacturing, food, chemicals, postal, waste, research or public administration?
  • Do you provide services or operate within the EU?
  • Are you a key supplier to organisations that are themselves in scope?

Mostly "yes"? You're likely an essential or important entity — and which one shapes how heavily you're supervised. Financial-sector entities are largely governed by DORA instead (lex specialis). A short call confirms it.

Obligations · What NIS 2 demands

What you'll have to put in place.

NIS 2 turns cybersecurity into a governed, evidenced programme — owned by management, not delegated and forgotten.

Art. 20

Governance & management liability

Management bodies must approve the risk-management measures, oversee their implementation, and take regular training. Responsibility sits at the top — members can be held personally liable for failures.

Art. 21

Risk-management measures

A ten-point, all-hazards minimum, including: risk analysis and security policies, incident handling, business continuity and backups, secure acquisition and development, cryptography, access control and MFA, and basic cyber hygiene and training.

Art. 21(2)(d)

Supply-chain security

Assess and address the security risks your direct suppliers and service providers introduce — including the security of their products and the quality of their development practices.

Art. 23 · 24h / 72h / 30d

Incident reporting

For significant incidents: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month — to your national CSIRT or competent authority.

Registration

Registration & information duties

Register with the competent authority and keep your entity and contact details current. Certain entity types (e.g. DNS, cloud, data-centre providers) are registered centrally via ENISA.

Essential vs Important

Two tiers of supervision

Essential entities face proactive (ex-ante) supervision; important entities are supervised reactively (ex-post). The tier also sets how high the penalties can go.

Classification · Which tier are you?

Essential, or important?

NIS 2 sorts in-scope organisations into two tiers, set by sector and size. The tier decides how you're supervised and how high the fines can go.

— 01

Essential entities

Larger organisations in the high-criticality sectors (Annex I): energy, transport, banking, health, water, digital infrastructure, ICT management, public administration, space. Proactive supervision.

Annex I · Ex-ante supervision · ≤ €10M / 2%
— 02

Important entities

Medium-sized entities in Annex I sectors, plus the "other critical" sectors (Annex II): postal, waste, chemicals, food, manufacturing, digital providers, research. Reactive supervision.

Annex II · Ex-post supervision · ≤ €7M / 1.4%
— 03

In scope regardless of size

Some providers are covered whatever their headcount: DNS service providers, TLD registries, trust-service and public electronic-communications providers, and the sole provider of a critical service in a Member State.

DNS · TLD · Trust services · Public comms
— 04

Where DORA takes over

Financial entities follow DORA as lex specialis for ICT risk and incident reporting — so banks, insurers and investment firms look to DORA first, with NIS 2 in the background.

DORA · Finance · Lex specialis
How Setu helps · Advise · Build · Assure

NIS 2 is owned in the org, and proven in the systems.

The Directive names the duties; the evidence lives in your policies, your incident process, and your suppliers. Setu does the advisory and the engineering, in one team.

01 — Advise

Scope & govern

Confirm whether you're an essential or important entity, map a prioritised gap against Article 21, and stand up the board-level governance and accountability the Directive requires.

02 — Build

Engineer the measures

Implement the risk-management measures — security policies, incident-response runbooks, backups and continuity, access control and MFA, supply-chain security, and vulnerability handling.

03 — Assure

Get reporting-ready

Wire up the 24h / 72h / 30-day reporting path to your CSIRT, rehearse it, complete registration, and brief management before a supervisory authority ever calls.

Frequently asked

NIS 2, answered plainly.

When does NIS 2 apply?

It entered into force on 16 January 2023, and Member States had to transpose it by 17 October 2024. The national laws implementing it are now landing across the EU — so for most in-scope entities the obligations already apply. Where a Member State is late, the duties still arrive; the prudent assumption is that you're already on the clock.

Is my organisation in scope?

Generally if you have 50+ employees or over €10 million in annual turnover and operate in one of the Directive's high-criticality (Annex I) or other-critical (Annex II) sectors. Some providers — DNS, TLD registries, trust and public-communications services — are in scope regardless of size.

What are the penalties?

For essential entities, up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4%. Authorities can also issue binding instructions and, for essential entities, suspend management functions or certifications.

How fast must we report an incident?

For a significant incident: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month — to your national CSIRT or competent authority.

We're certified to ISO 27001 — does that cover NIS 2?

It's a strong foundation, but not automatic compliance. NIS 2 adds specific duties — board accountability and liability, 24/72-hour reporting, supply-chain security and registration — that an ISO 27001 ISMS doesn't fully cover. We map what you have to what NIS 2 requires and close the gap.

Don't wait for the first audit

Turn NIS 2 obligations into working controls.

A focused review: whether you're essential or important, the gap against Article 21, your reporting path, and the realistic route to compliance. Tell us where you are and we'll take it from there — or ask for a call if that's easier.

Talk to our team