NIS2 compliance guide

Requirements, Article 21, Article 23 and documentation

Learn how to approach NIS2 compliance with structure and control.

Understand the key requirements, prepare for incident reporting, strengthen risk management, and document compliance work more effectively.

NIS2 explained

What this page covers

NIS2 raises the bar for how organisations manage cybersecurity risk, document decisions and respond to significant incidents.

This page explains the key requirements, including Article 21 on risk management measures, Article 23 on incident reporting, management accountability, supplier risk and compliance documentation.

Whether you are assessing whether NIS2 applies to your organisation or preparing for local implementation, this guide gives you a structured overview of what to know, what to document and how to move forward with clarity.

NIS2 summary: Key requirements for affected organisations  

NIS2 requires affected organisations to manage cybersecurity risks, implement appropriate security measures, involve senior management, report significant incidents and document compliance activities. The directive is especially important for organisations in critical sectors, their suppliers and companies that need to show customers, boards or authorities how cybersecurity risk is governed.

For many organisations, the most relevant parts of NIS2 are Article 21, which covers cybersecurity risk management measures, and Article 23, which covers reporting obligations for significant incidents. 

FAQ: Frequently asked questions about NIS2

What is NIS2?

NIS2 is the EU cybersecurity directive that strengthens requirements for cyber risk management, security measures, management accountability and incident reporting. It applies to organisations in critical and important sectors, and can also affect suppliers that are part of regulated customers’ value chains.

Who does NIS2 apply to?

NIS2 applies to organisations in sectors such as energy, transport, healthcare, finance, digital infrastructure, public administration, waste management, manufacturing and digital services. Both “essential entities” and “important entities” are covered, although supervision and penalties may differ between the two categories.

Does NIS2 apply to companies outside the EU?

NIS2 can affect companies outside the EU if they provide services to EU customers, operate within EU regulated sectors, or are part of a supply chain for an organisation covered by NIS2. Non-EU organisations should assess customer requirements, contractual obligations and local implementation rules.

What is the difference between essential and important entities under NIS2?

Essential entities are organisations in sectors considered highly critical for society and the economy. Important entities are also covered by NIS2, but may be subject to different supervisory intensity. Both categories must meet requirements for cybersecurity risk management, security measures, management oversight and incident reporting. 

What does NIS2 require from organisations?

NIS2 requires organisations to take a structured approach to cybersecurity risk management, incident reporting, management accountability and documentation. Compliance is not only about having technical security controls in place. Organisations must also be able to show how risks are assessed, how measures are approved, who is responsible, and how incidents are handled and reported.

Main NIS2 requirements

  • Cybersecurity risk management: Organisations must identify, assess and manage cybersecurity risks across systems, processes, people and suppliers.

  • Security measures under Article 21: Organisations must implement appropriate technical, operational and organisational measures, including incident handling, business continuity, access control, supply chain security and security training.

  • Incident reporting under Article 23: Significant incidents must be reported within defined timelines, including an early warning, an incident notification and a final report.

  • Management responsibility: Senior management must approve, oversee and follow up cybersecurity risk management measures.

  • Supply chain security: Organisations must assess and manage cybersecurity risks related to suppliers and service providers.

  • Documentation and audit trails: Organisations must document risks, measures, responsibilities, decisions, status, approvals and incident handling activities.

NIS2 management accountability and board responsibility 

NIS2 makes cybersecurity a management responsibility. Senior management must approve, oversee and follow up cybersecurity risk management measures, and understand how cyber risk can affect operations, suppliers and service delivery.

This means organisations need more than technical security controls. They need documented decisions, clear ownership, follow-up routines and evidence that management is involved in the NIS2 compliance process.

What management should document

  • Which cybersecurity risks have been assessed.

  • Which measures have been approved.

  • Who owns each measure.

  • How progress is followed up.

  • How supplier and incident risks are monitored.

  • How decisions and approvals are recorded.

NIS2 Article 21: Cybersecurity risk management measures

NIS2 Article 21 requires organisations to implement appropriate and proportionate cybersecurity risk management measures. These measures must cover technical, operational and organisational risks, and should help prevent incidents, reduce their impact and protect the continuity of essential services.

In practice, Article 21 requires organisations to work systematically with risk, security measures, responsibilities and documentation.

Key measures under NIS2 Article 21 include:

  • Risk analysis and information system security: Organisations must identify and assess cybersecurity risks related to systems, processes, data, people and suppliers.

  • Incident handling: Organisations must have processes for detecting, managing, escalating and documenting cybersecurity incidents.

  • Business continuity and crisis management: Organisations must prepare for disruptions through continuity planning, backup management, disaster recovery and crisis procedures.

  • Supply chain security: Organisations must assess and manage cybersecurity risks related to suppliers, service providers and direct dependencies.

  • Access control and asset management: Organisations must control access to systems, manage user rights and maintain an overview of critical assets.

  • Cyber hygiene and security training: Organisations must promote basic cyber hygiene practices and provide relevant cybersecurity training to management and employees.

  • Encryption and secure communication: Organisations must use appropriate measures such as encryption, multi-factor authentication and secure communication where relevant.

Why Article 21 matters

Article 21 is where NIS2 becomes operational. It is not enough to have security policies in place. Organisations must be able to show which risks have been assessed, which measures have been selected, who owns them, how they are followed up and how management is involved.

NIS2 Article 23: Incident reporting requirements

NIS2 Article 23 requires organisations to report significant cybersecurity incidents within defined deadlines. To comply, organisations must be able to detect incidents, assess their impact, escalate them internally, notify the right authority and document actions and decisions throughout the incident lifecycle.

NIS2 incident reporting timeline

Within 24 hours (early warning)

Organisations must submit an early warning when a significant incident is suspected. The warning should indicate whether the incident is likely to have been caused by unlawful or malicious activity and whether it may have cross-border impact. 

Within 72 hours (incident notification)

Organisations must submit a more detailed incident notification with an initial assessment of the incident, including severity, impact and indicators of compromise where available. 

Within one month (final report)

Organisations must submit a final report describing the incident, its cause, impact, mitigation measures and any ongoing or completed actions. 

NIS2 Article 23: How organisations can prepare for reporting deadlines

To meet the Article 23 reporting deadlines, organisations should define internal roles, escalation routines, decision criteria and documentation requirements before an incident occurs. The 24-hour deadline is difficult to meet without a clear process for identifying significant incidents and collecting the right information quickly.
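The three deadlines above only become manageable when the clock and the required content of each submission are tracked from the moment the incident is identified. The following is an added example, not code from House of Control or from this page: a small Python tracker that computes the absolute deadline of each Article 23 stage from the awareness time, classifies each stage as open, overdue or submitted, and lists which of the fields named in the timeline a draft submission still lacks. Two assumptions are labelled in the code: the clock starts when the organisation becomes aware that a significant incident is suspected, and "within one month" is treated as 30 days.

```python
"""NIS2 Article 23 reporting-deadline tracker.

Added example, not code from House of Control or the page. Assumptions:
the clock starts when the organisation becomes aware that a significant
incident is suspected (`aware_at`), and "within one month" is treated as
30 days. The required content per stage follows the timeline on the page.
"""
from datetime import datetime, timedelta, timezone

# (stage, deadline offset from awareness, fields the submission must carry)
STAGES = (
    ("early_warning", timedelta(hours=24),
     ("suspected_unlawful_or_malicious", "possible_cross_border_impact")),
    ("incident_notification", timedelta(hours=72),
     ("initial_assessment", "severity", "impact")),  # IoCs only where available
    ("final_report", timedelta(days=30),  # assumption: one month == 30 days
     ("description", "cause", "impact", "mitigation_measures", "actions")),
)


def deadlines(aware_at: datetime) -> dict[str, datetime]:
    """Absolute deadline for each stage, computed from the awareness time."""
    return {name: aware_at + offset for name, offset, _ in STAGES}


def missing_fields(stage: str, submission: dict) -> list[str]:
    """Fields the timeline says a submission for `stage` must contain but which are absent."""
    for name, _, required in STAGES:
        if name == stage:
            return [f for f in required if submission.get(f) in (None, "")]
    raise ValueError(f"unknown stage: {stage}")


def stage_status(aware_at: datetime, now: datetime,
                 submitted: dict[str, datetime]) -> dict[str, str]:
    """Classify every stage as submitted, submitted late, overdue or open."""
    status = {}
    for name, due in deadlines(aware_at).items():
        if name in submitted:
            status[name] = "submitted" if submitted[name] <= due else "submitted late"
        elif now > due:
            status[name] = "overdue"
        else:
            status[name] = "open"
    return status


def hours_remaining(aware_at: datetime, now: datetime, stage: str) -> float:
    """Hours left until the stage's deadline; negative once it has passed."""
    return (deadlines(aware_at)[stage] - now).total_seconds() / 3600


# Constructed sample: awareness on 1 March 2026 08:00 UTC, early warning
# filed after 20 hours, nothing else filed, and it is now 80 hours later.
AWARE_AT = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": AWARE_AT + timedelta(hours=20)}
NOW = AWARE_AT + timedelta(hours=80)


def demo() -> dict[str, str]:
    """Status of the constructed sample; the 72-hour notification is already overdue."""
    return stage_status(AWARE_AT, NOW, SUBMITTED)


if __name__ == "__main__":
    for stage, due in deadlines(AWARE_AT).items():
        print(f"{stage:22} due {due.isoformat()}  {demo()[stage]}")
    print("early warning still missing:",
          missing_fields("early_warning", {"suspected_unlawful_or_malicious": True}))
```

The point of `missing_fields` is that the 24-hour early warning needs only two judgements (likely unlawful or malicious cause, possible cross-border impact), so the process can ask for exactly those first and leave severity, impact and indicators for the 72-hour notification.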

Why Article 23 matters

Article 23 is not only a reporting obligation. It requires operational readiness. Organisations need to know who decides whether an incident is reportable, who prepares the notification, what information must be included and how the full incident history is documented.

How to document NIS2 compliance

NIS2 compliance should be documented through a clear record of risks, measures, responsibilities, decisions, approvals, supplier follow-up and incident handling. Documentation helps organisations show that cybersecurity risk is managed systematically and that management is involved in the process.

Organisations should document: 

  • Risk assessments

  • Selected security measures

  • Responsible owners

  • Deadlines and status

  • Supplier assessments

  • Management approvals

  • Incident logs

  • Reporting decisions

  • Audit trails

A structured governance process can make it easier to keep NIS2 documentation updated, assign responsibility and prepare evidence for internal reviews, customers or supervisory authorities.

How to prepare for NIS2 compliance

NIS2 compliance is easier to manage when risk, responsibilities, measures, suppliers, incidents and documentation are handled as part of a structured governance process. Organisations should start by understanding whether they are affected, mapping existing controls, identifying gaps and defining how progress will be followed up.

A practical first step is to review:

  • Which NIS2 requirements are relevant to the organisation.

  • Which risks and controls are already documented.

  • Which suppliers and dependencies should be assessed.

  • Who owns cybersecurity measures and reporting routines.

  • How management approvals and decisions are recorded.

  • How incident reporting deadlines will be met.

A NIS2 gap analysis can help organisations compare existing controls, documentation and reporting routines against the requirements of NIS2. The output should be a prioritised action plan with responsible owners, deadlines, status and follow-up routines. 
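The documentation items listed under "How to document NIS2 compliance" and the gap analysis described here can be driven from one register. As an added example (not House of Control's product or code), the following Python script runs a gap analysis over a constructed compliance register: it reports Article 21 areas with no recorded measure, measures without an owner or management approval, and measures past their deadline, sorted by priority, and it records approvals as append-only audit-trail entries. The record shape (area, measure, owner, approved_by, deadline, status, history), the priority scheme and the sample data are assumptions; the area names are the Article 21 headings used on this page.

```python
"""NIS2 compliance register with Article 21 gap analysis.

Added example, not House of Control's product or code. Assumed record
shape: one dict per measure with area, measure, owner, approved_by,
deadline (ISO date), status and an append-only history list. The area
names are the Article 21 measure headings used on the page.
"""
from datetime import date

ARTICLE_21_AREAS = (
    "Risk analysis and information system security",
    "Incident handling",
    "Business continuity and crisis management",
    "Supply chain security",
    "Access control and asset management",
    "Cyber hygiene and security training",
    "Encryption and secure communication",
)

# Constructed sample register; names, measures and dates are invented.
REGISTER = [
    {"area": "Incident handling", "measure": "24-hour escalation runbook",
     "owner": "CISO", "approved_by": "CEO", "deadline": "2026-02-01",
     "status": "done", "history": []},
    {"area": "Supply chain security", "measure": "Critical supplier assessment",
     "owner": "", "approved_by": "CEO", "deadline": "2026-04-01",
     "status": "in progress", "history": []},
    {"area": "Access control and asset management", "measure": "MFA on admin access",
     "owner": "IT manager", "approved_by": "", "deadline": "2026-01-15",
     "status": "in progress", "history": []},
]


def find_gaps(register, today: date = date(2026, 3, 1), areas=ARTICLE_21_AREAS):
    """Return (priority, area, finding) tuples; priority 1 is the most urgent.

    1: an Article 21 area with no measure recorded at all
    2: a measure without an owner or without management approval
    3: a measure that is not done and is past its deadline
    """
    gaps = []
    covered = {entry["area"] for entry in register}
    for area in areas:
        if area not in covered:
            gaps.append((1, area, "no measure recorded"))
    for entry in register:
        tag = f"'{entry['measure']}'"
        if not entry["owner"]:
            gaps.append((2, entry["area"], f"{tag} has no owner"))
        if not entry["approved_by"]:
            gaps.append((2, entry["area"], f"{tag} lacks management approval"))
        if entry["status"] != "done" and date.fromisoformat(entry["deadline"]) < today:
            gaps.append((3, entry["area"], f"{tag} is overdue"))
    return sorted(gaps)


def record_decision(entry: dict, field: str, value: str, by: str, on: str) -> dict:
    """Apply a decision (for example an approval) and keep the audit trail append-only.

    Returns a new entry so the original register is never changed in place.
    """
    updated = dict(entry)
    updated["history"] = entry["history"] + [
        {"field": field, "old": entry[field], "new": value, "by": by, "on": on}
    ]
    updated[field] = value
    return updated


def action_plan(register, today: date = date(2026, 3, 1)) -> list[str]:
    """Prioritised plan, one line per gap, ready to assign owners and deadlines to."""
    return [f"P{p} [{area}] {finding}" for p, area, finding in find_gaps(register, today)]


if __name__ == "__main__":
    print("\n".join(action_plan(REGISTER)))
    approved = record_decision(REGISTER[2], "approved_by", "CEO", "CEO", "2026-03-02")
    print("after approval:", len(find_gaps(REGISTER[:2] + [approved])), "gaps remain")
```

Because `record_decision` returns a copy with the previous value, the approver and the date appended to `history`, the register itself becomes the audit trail that the documentation section above asks for, and re-running `find_gaps` after each decision shows which findings have actually been closed.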

Need a clearer overview of NIS2 requirements?

Download this guide to:

  • Get NIS2 requirements explained in a simple and clear way.
  • Learn how leadership should handle their new statutory responsibilities.
  • Understand the deadlines for reporting security incidents.
  • Learn how to conduct a gap analysis to identify weaknesses in your current routines.

This resource is written for executives, board members, IT managers and governance professionals who all share the responsibility of translating regulatory requirements and security risks into practical management.

NIS2 requirements: A guide for affected organizations

FAQ: Practical questions about NIS2 preparation

NIS2 compliance work should be reviewed regularly, especially after major changes to systems, suppliers, services, risk exposure or incident response routines.

NIS2 preparation should involve IT, security, senior management, compliance, legal, procurement, risk owners and operations. NIS2 is a governance responsibility, not only an IT task.

Organisations should prioritise critical services, high-risk systems, key suppliers, incident reporting readiness and areas where documentation or ownership is missing.

Procurement helps manage supplier risk by including security requirements in contracts, collecting supplier documentation and tracking critical third-party dependencies.

Organisations can show progress by documenting risks, measures, owners, deadlines, status updates, supplier follow-up and management decisions in a structured way.

NIS2 is difficult to manage when responsibilities, evidence, suppliers, decisions and reporting routines are spread across different teams, systems and documents.

Comparison of NIS2 and related cybersecurity regulation across markets

Overview of local NIS2-related legislation, status, regulators, security duties and incident reporting requirements for Norway, Sweden, Denmark and the United Kingdom.

Comparison of NIS2 implementation and cybersecurity compliance requirements in Norway, Sweden, Denmark and the United Kingdom.

Norway
  • Local law name: Digital sikkerhetsloven
  • Status: NIS1 implemented. NIS2 implementation pending through the EEA process.
  • Primary regulator: NSM, with sector responsibilities depending on implementation.
  • Article 21 focus: Expected alignment with Norwegian cyber security principles and risk management practices.
  • Article 23 reporting: Current national reporting channels may apply; NIS2 process to be confirmed.
  • Language for compliance: Norwegian

Sweden
  • Local law name: Cybersäkerhetslagen
  • Status: Implemented. In force from 15 January 2026.
  • Primary regulator: National cyber authority and sector-specific supervisory authorities.
  • Article 21 focus: Management accountability, risk management measures and sector supervision.
  • Article 23 reporting: National incident reporting process or designated portal.
  • Language for compliance: Swedish

Denmark
  • Local law name: NIS 2-loven
  • Status: Implemented. In force from 1 July 2025.
  • Primary regulator: Sector-specific supervisory authorities, coordinated nationally.
  • Article 21 focus: Cybersecurity measures, management obligations and sector-specific requirements.
  • Article 23 reporting: Reporting via virk.dk; forwarded to relevant sector authority and CSIRT.
  • Language for compliance: Danish

United Kingdom
  • Local law name: Cyber Security and Resilience Bill
  • Status: UK-specific NIS reform. Bill in progress, not EU NIS2 implementation.
  • Primary regulator: Relevant competent authority depending on sector.
  • Article 21 focus: Expanded cyber resilience and security duties under UK NIS reform.
  • Article 23 reporting: Reporting routes depend on sector and final UK rules.
  • Language for compliance: English

Last updated: May 2026. NIS2 implementation and reporting processes vary by country and sector. Organisations should verify local requirements with the relevant national authority.

Disclaimer: House of Control is a software company and does not provide legal advice or NIS2 compliance consulting services. This guide is for general information only and does not guarantee compliance with NIS2 or national implementation requirements. Organisations should seek legal or specialist advice where needed.

Explore more NIS2 compliance resources

Explore more guidance on key NIS2 compliance topics.

  1. The NIS2 24-hour rule: Handling incident reporting requirements

     The NIS2 Directive introduces strict incident reporting requirements. This is how the 24-hour rule affects how essential and important entities must detect, escalate and report significant cyber incidents.

  2. NIS2 documentation: What auditors expect to see

     NIS2 compliance is assessed through documented evidence, not assumptions. This is what auditors expect to see in governance, risk management, incident handling and third-party control documentation.

  3. Why contract management is the foundation of NIS2 compliance

     NIS2 shifts cybersecurity responsibility from IT teams to executive management. This is why structured contract management is essential for documenting, enforcing and monitoring supplier-related risks.

  4. What’s the difference between NIS2 and ISO 27001?

     NIS2 and ISO 27001 both address cybersecurity risk management, but they are not interchangeable. This is how the mandatory EU directive differs from the voluntary certification standard.

  5. How much can NIS2 non-compliance cost?

     NIS2 non-compliance can lead to significant financial and personal consequences. This is how fines, management accountability and weak governance can increase enforcement risk for affected organisations.

Prepare for NIS2 compliance with a single source of truth

House of Control is building a platform designed to provide a single source of truth for NIS2 compliance. The goal is to help teams spend less time chasing documents and more time focusing on assessments, decisions and follow-up.

We are opening early dialogues with IT managers, CEOs and compliance leaders who want to get ahead of NIS2 now.

Request a detailed briefing to learn more.