NIS2 Directive

NIS2 is the EU cybersecurity directive requiring essential and important entities across 18 sectors to manage cyber risk, secure supply chains and report significant incidents on strict deadlines, with personal accountability for management.

NIS2 (Directive (EU) 2022/2555) is the EU's cybersecurity directive that requires "essential" and "important" entities across 18 sectors to manage cyber risk, secure their supply chains and report significant incidents, with personal accountability for management. It replaced the original NIS directive and dramatically expanded both who is covered and what non-compliance costs. Sector guidance and technical resources are published by ENISA.

Key facts:

Who is covered

CategoryExamples of sectorsSupervision
Essential entitiesEnergy, transport, banking, health, water, digital infrastructureProactive supervision
Important entitiesManufacturing, food, chemicals, waste, postal, digital providersReactive supervision (after indications)

Size matters but is not the whole rule: mid-sized and large entities in listed sectors are covered, and some smaller entities qualify because of their critical role. If your customers are covered, NIS2 also reaches you indirectly through their supply chain security obligations, which is how the directive cascades far beyond its formal scope.

The core requirements

NIS2's Article 21 requires risk management measures including: policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, secure development and vulnerability handling, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. In practice, most successful attacks on covered entities start the same way everywhere: a phishing email, business email compromise or other social engineering reaching an employee. Email protection, detection and reporting capability is therefore foundational to several Article 21 measures, without being sufficient for any of them alone.

Where email security fits, honestly

No product makes an organization NIS2 compliant. Compliance is organizational: governance, processes, documentation and technology together. What an email security layer contributes:

NIS2 areaWhat Sentaro contributesWhat remains yours
Incident handling & reporting deadlinesAn active part of the reporting chain: detection starts the clock with facts, and logs, scope and disposition feed the 24h early warning, 72h notification and final reportThe assessment, decisions and submission to the authority
Risk management measuresBlocks phishing, BEC and malicious OAuth apps, a top attack vectorThe full measure set: policies, continuity, crypto, training
Supply chain securityFlags compromised vendor mailboxes and impersonation in mail flowVendor assessments, contracts, requirements
Asset visibility & cyber hygieneSurfaces shadow IT and unsanctioned OAuth access in Workspace/M365Asset management and policy enforcement
Management accountabilityReporting and evidence of email-layer controls for oversightGovernance, ownership, board processes

This page is general guidance, not legal advice. Consult qualified counsel for your obligations under national NIS2 legislation.

Inside the incident reporting chain

NIS2's deadlines make incident reporting a race that starts before you know it has started: the 24-hour early warning requires knowing an incident happened, what it touched and whether it is likely significant, fast. For email-borne incidents, which is where most begin, that first mile is exactly what Sentaro provides: the detection that triggers the process, and the who/what/when/scope that the early warning and the 72-hour notification must contain. The organization owns the assessment and the submission; Sentaro makes sure the clock starts with evidence instead of an empty page.

Getting started

A pragmatic order: establish whether you are covered (sector, size, criticality, or customers who are covered), assign management ownership, map current measures against Article 21, close the largest attack-surface gaps first (email protection, MFA, backups, incident process), and set up the incident reporting workflow with its deadlines before you need it. For financial entities, note that DORA generally takes precedence where the two overlap.

Frequently asked questions

What does NIS2 stand for?

The second Network and Information Security directive, Directive (EU) 2022/2555. It is the EU's framework law for cybersecurity in critical and important sectors.

Who must comply with NIS2?

Essential and important entities in 18 sectors, generally from 50 employees or EUR 10M turnover, plus certain smaller critical entities, as defined in each member state's national transposition. Suppliers to covered entities are affected indirectly through supply chain requirements.

What are the NIS2 reporting deadlines?

For significant incidents: early warning within 24 hours, incident notification within 72 hours, and a final report within one month, to the national CSIRT or authority.

What are the penalties under NIS2?

Administrative fines up to EUR 10 million or 2% of worldwide turnover for essential entities, and EUR 7 million or 1.4% for important entities, alongside management accountability measures (verify current figures against official sources).

Does email security make us NIS2 compliant?

No single tool does. Email security addresses one of the most exploited attack vectors and supports incident handling, supply chain and hygiene measures with detection, visibility and evidence, but compliance requires organizational measures, governance and documentation beyond any product.