NIS2: Common Scenarios
Practical guidance for applying NIS2 to real-world situations.
Scenario 1: Are We Covered?
Question: We’re a SaaS company with 80 employees, €15M revenue, serving businesses across the EU. Does NIS2 apply?
Answer: Possibly. Assess against:
- Size threshold: 50+ employees and €10M+ turnover = medium enterprise ✓ (both thresholds are met here)
- Sector: If you’re a “digital provider” (marketplace, search, social) → Important entity
- Service type: If providing managed IT/security services (MSP/MSSP) → Could be essential
If covered: Implement Art 21 measures and prepare for incident reporting.
Citation: Art 2, 3, Annex I, Annex II
Scenario 2: Ransomware Attack
Question: We’ve discovered ransomware on our systems at 2pm Monday. What are our reporting obligations?
Answer: Report within 24 hours (early warning by 2pm Tuesday):
| Deadline | Action |
|---|---|
| +24h | Early warning to CSIRT: “Suspected ransomware incident, potentially malicious, assessing cross-border impact” |
| +72h | Incident notification: Initial assessment of severity, impact, IoCs if available |
| +1 month | Final report: Root cause, full impact, mitigation measures |
Also: Inform affected service recipients without undue delay if service impacted.
Citation: Art 23
Scenario 3: Cloud Provider Selection
Question: We’re choosing between two cloud providers. How should NIS2 influence our decision?
Answer: Supply chain security (Art 21(2)(d)) requires you to assess:
| Factor | Assessment |
|---|---|
| Security certifications | ISO 27001? SOC 2? CSA STAR? |
| Incident history | Previous breaches? |
| Incident notification | Will they notify you of incidents affecting your data? |
| Audit rights | Can you audit or request reports? |
| Data location | Jurisdiction and data residency |
| Contractual terms | Security SLAs, liability caps |
Document your due diligence — it’s evidence of compliance.
Citation: Art 21(2)(d)
Scenario 4: Board Training
Question: Our board has no cybersecurity expertise. What training do they need?
Answer: Art 20 requires management body training covering:
| Topic | Level |
|---|---|
| Cyber risks | Understand threats relevant to your sector |
| Risk management | Know what Art 21 measures you’ve implemented |
| Impact assessment | Understand how incidents could affect services |
| Governance role | Know their approval and oversight duties |
Format: Can be briefings, workshops, or formal training. Document completion.
Citation: Art 20(2)
Scenario 5: Discovered Vulnerability
Question: Our security team found a critical vulnerability in software we use. What now?
Answer: Coordinated vulnerability disclosure (Art 21(2)(e)):
- Assess impact — How critical? What’s exposed?
- Notify vendor — Report to software provider
- Apply mitigations — Temporary controls while awaiting patch
- Patch promptly — When fix available, prioritize deployment
- Verify remediation — Confirm vulnerability is addressed
If the vulnerability is being actively exploited: consider reporting it as an incident if the impact is significant.
Citation: Art 21(2)(e)
Scenario 6: Near Miss
Question: Our SOC detected and blocked an intrusion attempt. No systems were compromised. Do we report?
Answer: Voluntary, not mandatory. Near misses may be reported under Art 30:
| Consideration | Guidance |
|---|---|
| Mandatory? | No — only significant incidents with actual impact require reporting |
| Recommended? | Yes — contributes to threat intelligence sharing |
| Benefits? | Helps CSIRT community, no penalties for voluntary reporting |
Consider reporting if the attack was sophisticated, used a novel technique, or the details could help others defend.
Citation: Art 23 (mandatory), Art 30 (voluntary)
Scenario 7: Subsidiary Scope
Question: We’re a large group. Our manufacturing subsidiary has 40 employees. Is it covered?
Answer: Likely not covered on its own. Assessment is per entity:
| Parent | Subsidiary | Covered? |
|---|---|---|
| Large | 40 employees, under thresholds | Subsidiary NOT separately covered |
But: If the subsidiary operates in a critical sector and is the sole provider of a service, or an incident affecting it would have a critical impact, it may still be covered regardless of size (Art 2(2)).
Also: The parent’s obligations don’t automatically extend to subsidiaries — but the parent may require subsidiaries to meet the same standards as internal policy.
Citation: Art 2(1), Art 2(2)
Scenario 8: MFA Implementation
Question: Is MFA required for all systems under NIS2?
Answer: Where appropriate. Art 21(2)(j) requires:
“use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications”
Practically:
- Required: Critical systems, privileged access, remote access
- Recommended: All user accounts where feasible
- Risk-based: Assess what’s “appropriate” for your risk profile
Not prescriptive — but lack of MFA on critical systems would be hard to justify.
Citation: Art 21(2)(j)
Scenario 9: Overlap with DORA
Question: We’re a bank. Do we comply with NIS2 or DORA?
Answer: DORA takes precedence for financial entities. Art 4 of NIS2:
| Principle | Application |
|---|---|
| Lex specialis | Sector-specific rules (DORA) prevail over general rules (NIS2) |
| Financial entities | Banks, insurers, investment firms primarily subject to DORA |
| Gap-filling | Where DORA doesn’t address an issue, NIS2 may still apply |
Practical: Comply with DORA as your primary framework; NIS2 generally won’t add obligations.
Citation: Art 4, Recital 28
Scenario 10: Documentation Requirements
Question: What documentation do we need to demonstrate NIS2 compliance?
Answer: No prescribed format, but must evidence compliance with Art 20-21:
| Document | Purpose |
|---|---|
| Risk assessment | Evidence of Art 21(2)(a) |
| Security policies | All 10 measures documented |
| Incident response plan | Art 21(2)(b) and Art 23 readiness |
| BCP/DR plans | Art 21(2)(c) |
| Supplier assessments | Art 21(2)(d) |
| Training records | Art 20(2) management training |
| Board minutes | Art 20 approval and oversight |
| Audit reports | Art 21(2)(f) effectiveness assessment |
Key: Be able to demonstrate each of the 10 measures is addressed.
Citation: Art 20, 21
Quick Reference Table
| Scenario | Key Rule | Citation |
|---|---|---|
| Coverage assessment | Size + sector | Art 2, 3 |
| Incident reporting | 24h/72h/1mo | Art 23 |
| Supplier selection | Due diligence | Art 21(2)(d) |
| Board training | Mandatory | Art 20(2) |
| Vulnerability handling | Coordinated disclosure | Art 21(2)(e) |
| Near miss | Voluntary | Art 30 |
| Group structure | Per-entity assessment | Art 2(1) |
| MFA | Where appropriate | Art 21(2)(j) |
| Financial sector | DORA prevails | Art 4 |
| Max fine (essential) | €10M or 2% | Art 34 |