NIS2 is now enforceable. Your board is personally liable.
Certified implementation support for Essential and Important Entities across the European Union. Get a clear path to compliance in 90 days.
Or download the free NIS2 checklist (no email required)
NIS2 is the most significant cybersecurity legislation the European Union has ever enacted.
It covers more than 100,000 organizations across 18 sectors, imposes fines of up to 10 million euro or 2 percent of global turnover, and holds senior management personally accountable for cybersecurity failures.
Treated as a checkbox exercise, it is a cost. Treated as a program, it is a strategic advantage.
Why most of our clients stop calling it a burden
The ones who approach it properly come out with something they actually use.
This represents the evolution of business security standards.
The regulatory landscape is shifting toward greater accountability and transparency. NIS2 simply formalizes what resilient businesses have been building toward: robust cybersecurity as a competitive advantage.
What this means for your organization
Credibility with buyers
Evidence pack for procurement, due diligence, and security questionnaires
Less chaos during incidents
Playbooks, trained responders, and a reporting process that does not collapse under pressure
Fewer RFP knockouts
Security is now a buying criterion in most enterprise and public procurement
Readable board reporting
A risk picture your board can actually sign off on, required under Article 20
Less personal liability
Article 20 holds directors individually accountable. Documented oversight matters.
The landscape
More than 100,000 organizations: roughly ten times the NIS1 scope, per European Commission estimates, across 18 sectors.
€10M or 2% of global turnover, whichever is higher, under Article 34. Important Entities face €7M or 1.4% of turnover.
The official transposition deadline was 17 October 2024. Many member states are still catching up. Regulators have publicly signalled they will go after Essential Entities first.
The organizations treating NIS2 as a real program, not a checkbox, come out with something durable: an actual security function and a management body that understands the risk.
Meet the expert behind NIS2 Compliant
With extensive experience in cybersecurity compliance and risk management, Burak helps European organizations transform NIS2 requirements into strategic business advantages.
Burak Yazici
PECB Certified
NIS2 Lead Implementer
Try these before booking a call
Self-serve tools to clarify scope, exposure, and regulatory status. No signup, no email required.
NIS2 Scope Checker
5-minute quiz. Are you in scope as an Essential Entity, Important Entity, or out of scope?
Start the check →
Fine Exposure Calculator
Enter your turnover. See your maximum exposure under Article 34, with director liability flagged.
Calculate exposure →
EU Transposition Tracker
Which member states have transposed NIS2, which are pending, and when their national laws take effect.
Check your country →
NIS2 by industry
Sector-specific scope rules, typical gap areas, and implementation roadmaps. Choose your industry for a focused briefing.
Manufacturing
Medical devices, electronics, machinery, motor vehicles, and more. Annex II Important Entity.
Healthcare
Hospitals, reference labs, medical research. Annex I Essential Entity.
Energy
Electricity, oil, gas, hydrogen, district heating. Annex I Essential Entity.
Digital Infrastructure
Data centers, cloud providers, DNS, CDNs, trust services. Annex I Essential Entity.
Public Administration
Central and regional government bodies. Annex I, per member state scope.
All industries →
See the full list and find yours.
NIS2 questions we hear most
If you cannot find your question, use the scope checker or book a call.
Is my organization in scope for NIS2?
Scope depends on your sector and size. Organizations with at least 50 employees or 10 million euro in annual turnover operating in one of the 18 sectors listed in NIS2 Annexes I and II are generally in scope. Smaller organizations can still be captured if they are the sole provider of a critical service in a member state. Use the scope checker for a 5-minute self-assessment.
What is the difference between an Essential Entity and an Important Entity?
Essential Entities operate in sectors listed in Annex I (energy, transport, banking, health, drinking water, digital infrastructure, public administration, space) and face proactive supervision with higher fines (up to 10 million euro or 2 percent of turnover). Important Entities come from Annex II (postal, waste, chemicals, food, manufacturing, digital providers, research) and face reactive supervision with somewhat lower fines (up to 7 million euro or 1.4 percent of turnover). Both must meet the same Article 21 security measures.
Are board members really personally liable?
Yes. NIS2 Article 20 requires management bodies to approve, oversee, and take training on cybersecurity risk management measures. Member states must provide for liability of management bodies for breaches of these obligations. The concrete form (fines, temporary bans from management functions) is set by each national transposition. This is the biggest change from NIS1 and the reason board level attention is justified.
Do we need ISO 27001 to be NIS2 compliant?
No, but ISO 27001 covers most of the Article 21 security measures and is the fastest path to demonstrable compliance. Organizations already ISO 27001 certified typically need to add supply chain risk management, incident reporting procedures aligned to Article 23 timelines, and board governance evidence. See the detailed comparison in our NIS2 vs ISO 27001 guide.
What are the incident reporting timelines?
Article 23 sets three deadlines for significant incidents: an early warning within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. Each stage has specific content requirements. Our incident reporting playbook walks through what to include at each stage.
How long does NIS2 implementation take?
For an organization starting from scratch with no existing ISMS, a realistic timeline to foundational compliance is 90 to 180 days. For an ISO 27001 certified organization, closing the gap typically takes 30 to 60 days. Ongoing compliance, supply chain oversight, and incident response capability building continue beyond the initial window.
Is there a NIS2 certification we can get?
No. NIS2 is a directive that member states transpose into national law. There is no formal NIS2 certification in the way that ISO 27001 offers certified status. What you can do is achieve ISO 27001 certification, document your Article 21 and Article 23 compliance, and keep board-approved policies and risk assessments on file for regulator audits.
Get clarity in one conversation
A 30-minute call with Burak covers your scope, biggest gaps, and a realistic implementation path. No obligation.
Prefer to read first? Download the free checklist, board briefing kit, or view our approach.