hermes-brain/ideas/compliance/nis2.org

:PROPERTIES:
:ID:       auto-nis2
:CREATED:  [2026-05-23 Sat]
:END:
#+title: 
#+filetags: :passepartout:compliance:framework:nis2:


EU directive (effective October 2024, member states transpose by October 2025).
Replaces NIS (2016). Expands scope from 7 sectors to 15, covering: energy,
transport, banking, financial market infrastructure, health, drinking water,
wastewater, digital infrastructure, ICT service management, public administration,
space, postal services, food, chemicals, manufacturing (critical products).

Key requirements: risk management measures (supply chain security, incident
handling, business continuity), incident notification (24-hour early warning,
72-hour full report), C-level accountability (management can be held personally
liable for non-compliance), supply chain security for critical vendors.

Who must comply: ~160,000 entities across EU (up from ~30,000 under NIS).
Two tiers: essential (strict) and important (moderate). Extraterritorial — any
organization providing services to EU entities in covered sectors.

Penalties: Up to 10M EUR or 2% of global turnover (essential entities). Personal
liability for management.

Why it matters: NIS2 is the largest European cybersecurity mandate ever.
Every requirement maps to a gate rule: supply chain access verification,
incident notification triggers, business continuity approval chains. First-mover
advantage is urgent — the transposition deadline is October 2025 (17 months).
Organizations need gate packages now. No competitor has a declarative gate
model that maps to NIS2 requirements. $50K/yr NIS2 gate package is a fast sell.

** EU AI Act