How can I prepare my company for NIS2?

NIS2 is the EU Directive (EU) 2022/2555 on network and information security, which replaces the original NIS Directive and significantly broadens the range of affected companies. Preparing for NIS2 is not a one-off IT project but the build-up of resilient risk management with clear responsibilities, reporting processes, and evidence. The best way in is a logical sequence: first determine whether you are in scope, then close the gaps, then make sure you can demonstrate compliance on a lasting basis.

Step 1: Determine whether you are in scope

NIS2 distinguishes between essential and important entities. What matters is the sector, company size, and turnover. Check first:

  • Sector: do you belong to one of the sectors covered by NIS2 (e.g. energy, health, digital infrastructure, ICT service providers, public administration, food)?
  • Size: as a rule, from 50 employees or more than 10 million euros in annual turnover (the medium-sized enterprise threshold); certain particularly critical providers are covered regardless of size.
  • Supply chain: even if you are not directly affected, customers may pass NIS2 requirements on to you contractually.

Step 2: The key preparation measures

  • Risk management: introduce systematic risk assessment and technical as well as organizational measures.
  • Incident management: build processes to detect, handle, and report security incidents.
  • Supply chain security: assess the security of suppliers and service providers and secure it contractually.
  • Business continuity: establish backup, emergency, and recovery concepts.
  • Access and encryption: implement access control, multi-factor authentication, and encryption.
  • Training and awareness: train employees and, in particular, leadership on a regular basis.

Step 3: Mind the deadlines, reporting obligations, and liability

NIS2 brings binding obligations with short deadlines:

  • Incident reporting deadlines: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month.
  • Registration obligation: affected entities must register with the competent national authority.
  • Management liability: leadership is personally responsible for implementation and can be held liable in the event of breaches.

Note: an existing ISO 27001 ISMS already covers a large part of the NIS2 requirements and is therefore an ideal starting point.

How Kertos simplifies NIS2 preparation

NIS2 was created in Europe for Europe, and that is exactly what Kertos was built for. Instead of retrofitting a North American solution, Kertos covers European frameworks from the ground up. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:

  • Scope and gap analysis: the platform quickly clarifies whether and how NIS2 applies to you and reveals the gaps.
  • Guided risk and incident management: risk assessment, reporting processes, and supplier management are structured and automated.
  • Synergies with ISO 27001: existing measures are reused so you do not have to do the work twice.
  • External CISO mandates: on request, Kertos takes on the subject-matter responsibility and supports leadership with its liability obligations.

This is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, a customer satisfaction of 98%, and customers like AskUI reaching ISO 27001 certification in just 8 to 10 weeks. This turns the complex task of NIS2 preparation into a predictable, continuous process rather than a one-off effort.
