NIS2 Directive

Agent Navigation: For section discovery, use /regulations/eu/nis2/llms.txt

Quick Reference

The NIS2 Directive (Directive 2022/2555) establishes cybersecurity risk management and incident reporting obligations for essential and important entities across the EU. Replaces NIS1 with significantly expanded scope and stricter requirements.

Applies to: Medium+ enterprises (50+ employees or €10M+ turnover) in 18 critical sectors, plus some smaller entities regardless of size (DNS, TLDs, trust services)

Key rules:

• Must implement appropriate cybersecurity risk management measures [Art 21]
• Must report significant incidents within 24 hours (early warning), 72 hours (full report) [Art 23]
• Management bodies must approve and oversee cybersecurity, receive training [Art 20]
• Must assess and manage supply chain security risks [Art 21(2)(d)]
• Must maintain business continuity and crisis management capabilities [Art 21(2)(c)]

Question	Answer	Citation
Who’s covered?	Essential + important entities in 18 sectors	Art 2, Annex I-II
Size threshold?	50+ employees or €10M+ turnover	Art 2
Incident notification deadline?	24 hours (early warning)	Art 23(4)(a)
Full incident report deadline?	72 hours	Art 23(4)(b)
Maximum fine (essential)?	€10M or 2% global turnover	Art 34
Maximum fine (important)?	€7M or 1.4% global turnover	Art 34

---

Regulation Map (All Chunks)

Every section of NIS2 Directive coverage is listed here for full-text lookup and agent navigation.

Definitions

• NIS2: Scope and Definitions

Requirements

• NIS2: Governance and Accountability
• NIS2: Incident Reporting
• NIS2: Information Sharing
• NIS2: Cybersecurity Risk Management
• NIS2: Supply Chain Security

Enforcement

• NIS2: Enforcement and Penalties

Scenarios

• NIS2: Common Scenarios