NIS2 Directive Compliance — Assessment, Implementation & Ongoing
NIS2 expands EU cybersecurity regulation to cover 160,000+ organisations across 18 sectors, with fines up to €10 million and personal liability for management bodies. Most organisations are not ready. Opsio's NIS2 compliance services take you from gap assessment through full implementation to ongoing compliance.
Trusted by 100+ organisations across 6 countries · 4.9/5 client rating
NIS2 Specialist · 18 Sectors Covered · €10M+ Max Fine · 24h Incident Early Warning
What is NIS2 Directive Compliance?
NIS2 Directive Compliance is the process of meeting the EU's expanded cybersecurity requirements including risk management measures, 24-hour incident reporting, supply chain security, and board-level accountability for essential and important entities across 18 sectors.
NIS2 Compliance Before Enforcement Begins
The NIS2 Directive (Network and Information Security Directive 2, Directive (EU) 2022/2555) represents the most significant expansion of EU cybersecurity regulation in a decade. It covers sectors of high criticality (Annex I: energy, transport, banking, health, water, digital infrastructure, space, public administration) and other critical sectors (Annex II: manufacturing, food, waste, chemicals, postal, digital providers). Whether a given organisation is an essential or an important entity depends on its Annex, its size and the criticality of its service. In total the directive covers an estimated 160,000+ organisations across 18 sectors, far more than the original NIS Directive's limited scope.
NIS2 requires comprehensive risk management measures, incident reporting within 24 hours for significant incidents (not 72 hours like GDPR), supply chain security management, business continuity measures, board-level accountability with personal liability for management, and regular security testing. Opsio implements all required measures using established frameworks — ISO 27001, NIST CSF, and ENISA guidance — ensuring your compliance programme is both effective and auditable.
Without NIS2 compliance, organisations face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities), plus the unprecedented provision of personal management liability. Board members and C-suite executives can face sanctions if they fail to ensure adequate cybersecurity measures, a fundamental shift from previous regulation that makes cybersecurity a board-room priority.
Every Opsio NIS2 engagement includes entity classification (essential vs important), gap assessment against all Article 21 requirements, risk management framework implementation, incident reporting procedures meeting 24h/72h/1-month deadlines, supply chain security assessment and vendor management framework, board-level awareness training, and continuous compliance monitoring with regulatory change tracking.
Common NIS2 compliance challenges we solve: organisations unsure whether they fall within NIS2 scope, lack of documented risk management measures meeting Article 21 requirements, no incident reporting procedures meeting the 24-hour initial notification deadline, missing supply chain security assessments that most organisations have never performed, board members unaware of their personal liability obligations, and no framework for demonstrating ongoing compliance to supervisory authorities.
Following NIS2 compliance best practices, our readiness assessment evaluates your current security posture against every NIS2 requirement and builds a prioritised implementation roadmap. We align NIS2 controls with ISO 27001 and NIST CSF to maximise control reuse if you hold existing certifications. Whether you are starting NIS2 compliance from scratch or building on existing security programmes, Opsio delivers the expertise to meet requirements efficiently. Wondering about NIS2 compliance cost, timeline, or whether your organisation is in scope? Our free assessment answers every question.
How We Compare
| Capability | DIY / Internal | GRC Tool Only | Opsio Managed NIS2 |
|---|---|---|---|
| Scope classification | Best-guess interpretation | Checklist-based | ✅ Expert legal + technical analysis |
| Risk management | Basic risk register | Template-driven | ✅ ISO 27005 / NIST aligned |
| Incident reporting | Ad-hoc procedures | Workflow automation | ✅ Full 24h/72h/1mo process |
| Supply chain security | ❌ Usually missing | Basic questionnaires | ✅ Full framework + monitoring |
| Board training | ❌ Not addressed | ❌ Not included | ✅ Tailored executive training |
| Ongoing compliance | Annual self-assessment | Tool monitoring | ✅ Continuous + regulatory tracking |
| Typical annual cost | $30-60K (internal effort) | $20-40K (tool + setup) | $36-96K (fully managed) |
What We Deliver
NIS2 Scope & Gap Assessment
Determine whether your organisation qualifies as essential or important under NIS2, which specific requirements apply based on your sector and size, and evaluate your current security posture against all Article 21 measures. Deliverable: prioritised remediation roadmap with effort estimates and compliance timeline.
Risk Management Implementation
Design and implement the risk management measures NIS2 Article 21 requires: risk analysis methodologies aligned with ISO 27005, security policies, access control, encryption, vulnerability management, security testing programmes, and network security — all documented to ENISA NIS2 implementation guidance standards.
Incident Reporting Procedures
Establish the multi-stage incident reporting process NIS2 mandates: early warning to CSIRT/authority within 24 hours, incident notification within 72 hours with initial assessment, and final report within one month with root cause analysis. Includes severity classification framework, reporting templates, and communication channels.
Supply Chain Security
Assess and manage cybersecurity risks across your supply chain and critical vendor relationships — a key NIS2 Article 21(2)(d) obligation most organisations have never formally addressed. Implement supplier security questionnaires, contractual security requirements, risk scoring, and ongoing monitoring procedures.
Board-Level Accountability
NIS2 Article 20 holds management bodies personally accountable for cybersecurity. We provide board and executive training on cyber risk governance, help establish oversight structures, develop management-level reporting frameworks, and ensure directors understand their personal liability under the directive.
Continuous NIS2 Compliance
NIS2 compliance is ongoing — supervisory authorities can audit at any time. We provide continuous monitoring of security measures, regular compliance assessments, regulatory change tracking as member states transpose the directive, and support for supervisory authority interactions and audits.
What You Get
“Opsio's focus on security in the architecture setup is crucial for us. By blending innovation, agility, and a stable managed cloud service, they provided us with the foundation we needed to further develop our business. We are grateful for our IT partner, Opsio.”
Jenny Boman
CIO, Opus Bilprovning
Investment Overview
Transparent pricing. No hidden fees. Scope-based quotes.
NIS2 Gap Assessment
$8,000–$20,000
One-time
Full Implementation
$30,000–$100,000
Scope-dependent
Ongoing Compliance
$3,000–$8,000/mo
Continuous
Pricing varies based on scope, complexity, and environment size. Contact us for a tailored quote.
Questions about pricing? Let's discuss your specific requirements.
Why Choose Opsio
NIS2 scope expertise
Deep understanding of entity classification, sector-specific requirements, and member state transposition differences.
Technical and governance combined
We implement technical security measures AND governance frameworks — NIS2 requires both equally.
Cross-framework alignment
NIS2 controls aligned with ISO 27001 and NIST CSF to maximise reuse and reduce redundant implementation effort.
Supply chain security focus
Specialised expertise in the supply chain requirements that most compliance providers overlook entirely.
Board training included
Management awareness programmes meeting NIS2 Article 20 board accountability and personal liability requirements.
Multi-country experience
Understanding of NIS2 transposition differences across EU member states for multinational organisations.
Not sure yet? Start with a pilot.
Begin with a focused 2-week assessment. See real results before committing to a full engagement. If you proceed, the pilot cost is credited toward your project.
Our Delivery Process
Scoping & Classification
Determine essential vs important entity status, identify which NIS2 requirements apply to your organisation, and assess current compliance maturity. Deliverable: NIS2 applicability report. Timeline: 1-2 weeks.
Gap Assessment & Roadmap
Evaluate current security posture against all applicable NIS2 Article 21 measures. Identify gaps, estimate remediation effort, and build a prioritised compliance roadmap. Timeline: 2-3 weeks.
Implementation
Implement risk management measures, incident reporting procedures, supply chain security framework, board governance structures, and technical security controls. Timeline: 8-16 weeks.
Ongoing Compliance
Continuous monitoring, regular assessments, regulatory change tracking as member states update transposition, and support for supervisory authority interactions. Timeline: Ongoing.
Key Takeaways
- NIS2 Scope & Gap Assessment
- Risk Management Implementation
- Incident Reporting Procedures
- Supply Chain Security
- Board-Level Accountability
Industries We Serve
Energy & Utilities
Essential entity obligations including OT/ICS security for energy infrastructure.
Healthcare
Essential entity obligations for hospitals, reference laboratories and pharmaceutical manufacturers; most medical device manufacturers fall under Annex II as important entities.
Transport & Logistics
Essential entity requirements for air, rail, water, and road transport operators.
Digital Infrastructure
Essential entity obligations for DNS, cloud, data centre, and CDN service providers.
NIS2 Directive Compliance — Assessment, Implementation & Ongoing FAQ
What is the NIS2 Directive?
NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) is the EU's updated cybersecurity regulation replacing the original NIS Directive. It significantly expands scope to cover 18 sectors and an estimated 160,000+ organisations, introduces stricter security requirements under Article 21, mandates an incident early warning within 24 hours, requires supply chain security management, and introduces personal liability for management bodies. NIS2 entered into force in January 2023, with member states required to transpose it into national law by 17 October 2024.
Does NIS2 apply to my organisation?
NIS2 applies to sectors of high criticality (Annex I) covering energy, transport, banking, health, water, digital infrastructure, space, public administration, and ICT service management, as well as other critical sectors (Annex II) including manufacturing, food, waste, chemicals, postal, digital providers, and research. Within these sectors, organisations of medium size or larger are in scope: 50 or more employees, or annual turnover and balance sheet total above €10 million. Micro and small enterprises are generally excluded unless they provide services that are in scope regardless of size, such as DNS, TLD registries, or trust services. Opsio's scoping assessment determines your exact classification and identifies which specific NIS2 obligations apply based on your sector, size, and service criticality.
How much does NIS2 compliance cost?
A NIS2 gap assessment costs $8,000-$20,000 depending on organisation size and number of business units. Full implementation programmes range from $30,000-$100,000 or more based on current maturity, number of gaps, and organisation complexity. Ongoing compliance support runs $3,000-$8,000/month covering policy maintenance, incident reporting readiness, and regulatory change tracking. Board awareness training is $3,000-$8,000 per session. Organisations with existing ISO 27001 certification typically require 40-60% less implementation effort, significantly reducing costs. We provide detailed cost estimates after the gap assessment, allowing you to budget accurately and prioritise investments based on risk severity.
How long does NIS2 compliance take?
A typical NIS2 compliance programme takes 6-12 months from gap assessment to full implementation: 1-2 weeks for scoping and entity classification, 2-3 weeks for gap assessment against all Article 21 requirements, 8-16 weeks for implementation of technical controls, policies, and governance structures, and 2-4 weeks for testing and documentation finalisation. Organisations with ISO 27001 can accelerate to 4-6 months due to significant control overlap. The timeline depends on current security maturity, scope of required changes, and stakeholder availability. We recommend starting as early as possible since supervisory authorities are actively preparing enforcement programmes.
What are the NIS2 penalties?
Essential entities face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines up to €7 million or 1.4% of turnover, whichever is higher. Critically, NIS2 introduces personal liability for management bodies: directors and executives can face individual sanctions, including temporary bans from management positions, if they fail to ensure adequate cybersecurity measures. This personal accountability provision is unprecedented in EU cybersecurity regulation and represents a significant shift in enforcement approach. Supervisory authorities also have the power to suspend certifications or authorisations, issue binding instructions, and appoint monitoring officers, making non-compliance operationally disruptive beyond financial penalties alone.
What is the NIS2 incident reporting requirement?
NIS2 requires a three-stage incident reporting process for significant incidents: first, an early warning to your national CSIRT or supervisory authority within 24 hours of becoming aware of the incident; second, an incident notification within 72 hours with initial assessment of severity and impact; and third, a final report within one month with root cause analysis, mitigation measures, and cross-border impact assessment. This is significantly faster than GDPR's 72-hour single-stage notification. Opsio prepares your team with pre-built reporting templates, clear internal escalation procedures, and rehearsed workflows so you can meet these tight deadlines under the pressure of an active incident.
How does NIS2 relate to ISO 27001?
NIS2 and ISO 27001 overlap in roughly 70% of their security control requirements. Organisations with ISO 27001 certification have a significant head start: risk assessment, access controls, incident management, business continuity, supplier relationship controls, and many technical controls already go a long way towards satisfying NIS2 measures. However, NIS2 adds obligations that ISO 27001 certification alone does not meet: statutory incident reporting deadlines, personal accountability and mandatory training for management bodies, cooperation with supervisory authorities, and supply chain security at the depth and with the documentation NIS2 expects. Opsio maps controls across both frameworks to identify exactly which additional measures are needed. This approach typically reduces NIS2 implementation effort by 40-60% for ISO-certified organisations, saving months of work and tens of thousands of dollars in implementation costs.
What does NIS2 require for supply chain security?
NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain, including security-related aspects of relationships with direct suppliers and service providers. This means assessing vendor cybersecurity posture, including security requirements in contracts, monitoring supplier compliance, and managing supply chain risks throughout the relationship lifecycle. Many organisations have never formally assessed their supply chain cybersecurity — making this one of the largest NIS2 compliance gaps. Opsio helps by designing vendor assessment questionnaires, establishing risk-tiered due diligence processes, drafting security contract clauses, and implementing ongoing monitoring of critical supplier security posture to satisfy supervisory authority expectations.
What is NIS2 board accountability?
NIS2 Article 20 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, and be held personally liable for infringements. Board members must undergo cybersecurity awareness training to demonstrate adequate understanding. This means cybersecurity is no longer just an IT responsibility — directors face personal sanctions including temporary management bans if the organisation fails to comply. Opsio provides board training and governance frameworks to meet this requirement, including executive briefing materials that translate technical risks into business impact terms, quarterly reporting templates for board meetings, and documented evidence of management oversight that satisfies supervisory authority expectations.
Can Opsio help with NIS2 across multiple EU countries?
Yes. NIS2 is an EU directive that each member state transposes into national law, creating differences in implementation details, supervisory authorities, and reporting channels. Opsio has experience with transposition across the Nordics and other EU member states and can implement a compliance programme that satisfies requirements across multiple jurisdictions while accounting for local differences in reporting requirements and supervisory authority expectations. For multinational organisations, we establish a unified baseline compliance programme that meets the strictest national interpretation, then layer jurisdiction-specific additions where needed, an approach that is more efficient than maintaining separate compliance programmes for each country.
Still have questions? Our team is ready to help.
Ready for NIS2 Compliance?
NIS2 covers 160,000+ organisations with fines up to €10M and personal board liability. Get a free readiness assessment and build your compliance roadmap.