NIS2 Compliance

Incident reporting, supply chain security, and operational readiness under NIS2.

NIS2 Compliance: The Complete Guide for European Businesses

Everything you need to know about NIS2 compliance — who is affected, what's required, deadlines, penalties, and how to become compliant. The definitive guide for EU organisations.

2026-03-07 · By Emre Salmanoglu

NIS2 Article 21 and 23: Incident Reporting and Supply Chain Security Need More Than an ISMS

NIS2 Article 21 and 23 require operational incident reporting (24h and 72h) and supply chain risk management. An ISMS helps with governance, but not with day-to-day execution.

2026-01-06 · By Anna Bley

What Is NIS2? The EU Cybersecurity Directive Explained

A clear explanation of NIS2 — what it is, why it matters, who it applies to, and what it requires. Understand the EU's most important cybersecurity regulation in plain language.

2026-03-07 · By Emre Salmanoglu

Vendor Assurance Under NIS2: What Article 21 Requires for Supply Chain Security

NIS2 Article 21(2)(d) requires continuous supply chain security. Point-in-time vendor assessments are no longer sufficient. Learn what the directive expects and how to meet it operationally.

2026-03-09 · By Anna Bley

NIS2 Supply Chain Security: Why Annual Vendor Assessments Are No Longer Enough

NIS2 Article 21(2)(d) requires continuous supply chain security – not point-in-time questionnaires. What's changing, why your ISMS hits its limits here, and how to build the operational layer that's actually required.

2026-02-22 · By Anna Bley

NIS2 Incident Reporting: How to Actually Meet the 24-Hour Deadline

NIS2 Article 23 requires an early warning within 24 hours, a qualified notification within 72 hours, and a final report within one month. Most organizations have an incident response plan. Very few can actually report under pressure.

2026-02-22 · By Anna Bley

You're NIS2-Affected — Now What? The Operational Gaps Beyond Your ISMS

You've checked whether your organization falls under NIS2. The answer is yes. You have an ISMS. And now you're discovering: between what your ISMS covers and what NIS2 operationally requires, there's a gap. This article shows where it lies – and how to close it.

2026-02-22 · By Anna Bley

NIS2 Compliance Checklist: What Your ISMS Covers and What It Doesn't

The complete overview: All ten risk management measures from Article 21, assessed against a typical ISO 27001 ISMS. Where you stand, where the gaps are, and what you need to add operationally.

2026-02-22 · By Anna Bley

Incident Response Plan vs. Incident Management System: What NIS2 Actually Requires

Every ISMS has an incident response plan. NIS2 requires an incident management system. The difference isn't semantic – it's operational. What an IMS must concretely deliver, which components it needs, and how to make the transition from plan to system.

2026-02-22 · By Anna Bley

NIS2 Audit Readiness: From Documentation to Continuous Evidence

NIS2 gives supervisory authorities the right to request evidence at any time. Not at your next audit. Not with advance notice. Any time. What this means for your evidence management – and why most organizations aren't prepared for it.

2026-02-22 · By Anna Bley

ISO 27001 Is Not NIS2 Compliance: What's Actually Missing

ISO 27001 provides the governance foundation for NIS2 – but not the operational execution. What's missing between ISMS documentation and actual NIS2 compliance, and why that's been a concrete problem since December 6, 2025.

2026-02-22 · By Anna Bley

NIS2 Third-Party Risk Documentation: What Auditors Actually Want to See

The specific evidence and documentation artifacts auditors check during NIS2 supply chain security assessments. Supplier registers, risk classifications, incident communication records, and how a trust center produces audit-ready third-party risk documentation as a natural byproduct.

2026-02-23 · By Anna Bley

NIS2: Internal Proof vs External Proof

Most organizations focus on internal controls. NIS2 raises the bar by expecting evidence for both your own security posture and the ecosystem you operate in.

2025-11-14 · By Emre Salmanoglu