Catalogue / NIS2

Network & Information Security Directive 2

Directive (EU) 2022/2555

NIS2 raises the cybersecurity baseline for essential and important entities across the EU — risk-management measures, management accountability and strict incident reporting, backed by real supervision and penalties.

In practice that means the ten baseline risk-management measures — policies, incident handling, business continuity, supply-chain security, encryption and access control — approved and overseen by the management body, registering with your national authority, and reporting significant incidents on a 24-hour / 72-hour / one-month clock.

Who must comply: Medium and large entities in the NIS2 sectors — energy, transport, banking, health, water, digital infrastructure, public administration and more — plus the suppliers they depend on. Senior management can be held personally liable, and entities must self-register — being in scope isn’t optional.

  • Ten baseline risk-management measures
  • Management-body approval, oversight & accountability
  • Incident reporting — 24h early warning, 72h, 1-month
  • Supply-chain security & registration with your authority
BEST VALUE
COMPLETE BUNDLE
All 6 NIS2 templates
169one-time234SAVE €65
All 6 editable NIS2 templates
START-HERE guide + inline “what to change” guidance in every file
The Currency Stamp — kept current as the rules move
30-day money-back guarantee
Buy now →
Pay once·30-day money-back·EU VAT handled
Just the essentials? Starter — €89

Does this sound like your NIS2 project?

Am I even in scope?

Sector, size and your member state's transposition all matter — and they differ across the EU.

Essential or important?

The category changes supervision and penalties, and it isn't always obvious which one you are.

The board is on the hook

Article 20 makes management bodies approve, oversee and potentially carry liability — they need a record of it.

24h / 72h / one month

The Article 23 reporting clock starts at awareness. The templates and timelines have to exist before an incident, not after.

The shape of the regulation, in plain terms

Art. 21

Risk-management measures

The baseline ten measure areas: policies, incident handling, business continuity, supply-chain security, cryptography, access control and more.

Art. 23

Incident reporting

Early warning within 24 hours, a full notification within 72 hours, and a final report within one month.

Art. 20

Governance & accountability

Management bodies must approve and oversee the measures — and can be held personally liable for failures.

Supply chain

Supplier security

Address cybersecurity risk in supplier and service-provider relationships, all the way down the chain.

Supervision

Registration & oversight

Register with your authority; essential entities face proactive supervision, important entities ex-post.

6 professional tools

How it's packaged · Measures-based — a scope self-assessment plus the Article 21 measure set and the reporting playbook.
Pricing

Buy the NIS2 kit

SINGLE TOOLS
39–59each
Best for
one specific gap — buy only what you need
Included
  • Any of the 6 tools individually
  • Mix and match as you go
Format
Editable Word / Excel
Updates
Re-buy when revised
Browse the tools
STARTERsave ~30%
89one-time
Best for
getting started fast on the essentials
Included
  • The core starter templates
Format
Editable Word / Excel
Updates
Kept Current eligible
Buy now
COMPLETEsave ~30%
169234one-time
Best for
full coverage & consultants serving several clients
Included
  • All 6 NIS2 templates
Format
Editable Word / Excel
Updates
Kept Current eligible
Buy now

Questions, answered plainly

If you're a medium or large entity in a NIS2 sector — or an important supplier to one — it likely does, but it depends on your member state's transposition. The self-assessment walks you through it.