NIS2 · Directive (EU) 2022/2555

Cybersecurity compliance for NIS2

NIS2 expanded the EU cybersecurity directive to cover thousands more companies — with personal liability for management. Normado generates your cybersecurity policies, maps all 66 NIS2 requirements, and tracks incident readiness — so your directors can sign off with confidence.

First 100 customers get all Enterprise features at €49/mo for year one.


Example NIS2 dashboard

app.normado.io/gap-analysis
NIS2 · Live Compliance
NIS2 requirements covered: 48 / 66
Cybersecurity policies approved: 10 / 12
Management attestations: 7
Incident reporting runbooks: 8

What NIS2 actually requires

Three pillars, plain language

NIS2 replaces the 2016 NIS Directive and applies to far more sectors — from manufacturing and food to waste management and postal services. Here's what you actually need to do.

1. Cybersecurity risk management

Ten mandatory measures under Article 21: risk analysis, incident handling, business continuity, supply chain security, vulnerability disclosure, HR security, encryption, access control, asset management, and multi-factor authentication.

2. Management accountability

NIS2 Article 20 makes management bodies directly responsible. Directors approve cybersecurity measures, oversee implementation, and can be held personally liable. Training is mandatory.

3. Incident reporting within 24 hours

Significant incidents must be reported to your national CSIRT within 24 hours (early warning), 72 hours (incident notification), and 1 month (final report). Late reports draw scrutiny.

Want the full breakdown? Read our NIS2 deep-dive.

How Normado covers it

Built end-to-end for NIS2

  • 12 AI-generated policies mapped to Article 21: Information security, access control, incident response, business continuity, supplier management — all 10 Article 21 measures covered.
  • All 66 NIS2 requirements pre-loaded: Covering Chapter IV (risk management, reporting) plus annexes for essential and important entities, with plain-language implementation guidance.
  • Management accountability workflows: Board attestation, sign-off records, training logs — the audit trail NIS2 Article 20 demands from directors.
  • Supply chain risk register: Link suppliers to ICT services, track contractual security requirements, and flag single points of failure across your vendor base.
  • Incident reporting aligned to 24/72/30-day timelines: Templates and escalation paths pre-wired for your national CSIRT — so the clock starts on your terms.
Example org compliance

NIS2: 73%
Policies: 23 / 25
Controls: 18 / 25
Risks: 16 / 25
Evidence: 12 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

NIS2 questions we hear most

Am I an essential or important entity under NIS2?
NIS2 splits in-scope organizations into essential entities (energy, transport, banking, healthcare, digital infrastructure, public admin, space) and important entities (postal, waste management, chemicals, food, manufacturing, digital providers, research). Size thresholds apply — generally medium-sized (50+ employees, €10M+ turnover) and above, with some sectors in scope regardless of size. Your national transposition law gives the final determination.
When did NIS2 come into force?
NIS2 was adopted in December 2022. The transposition deadline was 17 October 2024. Most EU member states have now transposed it into national law. In the Netherlands, the Cyberbeveiligingswet is in effect; in Germany, the NIS-2UmsuCG; in France, the relevant ANSSI-supervised decrees.
What are the penalties?
For essential entities: fines up to €10 million or 2% of global turnover (whichever is higher). For important entities: up to €7 million or 1.4% of global turnover. Management can be held personally liable, with potential suspension from management roles for severe breaches.
How is NIS2 different from NIS1?
NIS2 covers far more sectors (13 essential + 7 important vs NIS1's 7), tightens incident reporting (24-hour early warning vs NIS1's looser timelines), introduces management liability, standardizes fines across the EU, and adds supply chain security requirements. The scope expansion is the single biggest change.
Is my data stored in the EU?
Yes. All Normado infrastructure runs on EU servers (Supabase EU/Ireland region). Cybersecurity documentation, incident logs, and evidence never leave EU jurisdiction.
Does Normado also cover other frameworks?
Yes — all Normado-supported frameworks are available in Professional and Enterprise tiers. One control implemented once often satisfies multiple frameworks simultaneously.

Get NIS2 ready before the regulators arrive

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
