NIS2 compliance, before the regulator comes knocking.
The EU's NIS2 Directive expanded mandatory cybersecurity obligations to 18 sectors. ONTRACE.AI will manage risk assessments, incident reporting workflows, supply chain monitoring, and management accountability — all autonomously.
Framework Overview
What is NIS2?
The Network and Information Security Directive 2 (NIS2) is the EU's updated cybersecurity legislation, replacing the original NIS Directive. It dramatically expanded the scope of organisations required to implement cybersecurity risk management measures and report incidents to national authorities.
Essential Entities
Large organisations in the high-criticality (Annex I) sectors, plus certain types regardless of size (for example DNS service providers, TLD registries and central government bodies). Subject to proactive (ex ante) as well as reactive supervision.
Important Entities
Medium-sized organisations in the high-criticality sectors, and medium or large organisations in the other critical (Annex II) sectors. Subject to reactive (ex post) supervision only.
Fines
Up to €10M or 2% of global annual turnover, whichever is higher (essential); up to €7M or 1.4%, whichever is higher (important)
Covered Sectors
18 sectors. Is yours covered?
Energy
Electricity, gas, oil, hydrogen
Transport
Air, rail, water, road
Banking & Finance
Credit institutions, financial market infrastructure
Health
Hospitals, healthcare networks, R&D
Water & Waste
Drinking water, wastewater management
Digital Infrastructure
IXPs, DNS, TLD registries, cloud, CDN, datacentres
ICT Services
Managed service providers, managed security services
Public Administration
Central and regional government
Space
Ground-based space infrastructure
Postal & Courier
Postal service providers
Waste Management
Waste management operators whose principal activity is waste management
Manufacturing
Medical devices, electronics, machinery, vehicles
Food
Production, processing, and distribution
Digital Providers
Online marketplaces, search engines, social networks
Research
Research organisations
Key Obligations
What NIS2 requires from your organisation.
Risk Management Measures
Policies on risk analysis and information system security, incident handling, business continuity, supply chain security, and more — documented and implemented.
Incident Reporting
Early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month, all to the national CSIRT or competent authority. An intermediate status report can be requested in between.
Supply Chain Security
Assess and manage cybersecurity risks in relationships with direct suppliers and service providers, considering their security posture.
Vulnerability Management
Policies for handling and disclosing vulnerabilities, basic cyber hygiene practices, and cybersecurity training for all staff.
Management Accountability
NIS2 explicitly holds management bodies responsible for approving risk management measures, overseeing their implementation and undergoing training on them. Members can be held personally liable for infringements, and for essential entities the authorities can temporarily bar individuals from exercising managerial functions.
Encryption & Access Controls
Use of cryptography and, where appropriate, encryption; multi-factor or continuous authentication; and secured voice, video and text communications.
Available Now
ISO 27001 addresses the majority of NIS2's risk management obligations.
ENISA's technical implementation guidance for NIS2 maps the directive's risk management measures to established standards, ISO/IEC 27001 among them, and organisations certified to ISO 27001 typically already cover most of NIS2's technical and operational obligations. The certificate is not a compliance pass on its own: the 24-hour and 72-hour reporting deadlines and the management-body duties sit outside the standard's control set and still have to be met directly.