NIS2 Compliance: Not Optional. Not Later.

The EU Network and Information Security Directive 2 (NIS2) came into national law across EU member states in October 2024. For critical entities and essential services — including fintech, digital infrastructure, and managed service providers — non-compliance carries executive liability and penalties up to €10M or 2% of global turnover.


NIS2 Enforcement Timeline

  • Jan 2023: NIS2 Directive enters into force
  • Oct 2024: Transposition deadline for all EU member states
  • Now: Active enforcement, audits and sanctions
  • 2025+: Cross-border incident reporting coordination

Enforcement is live. Is your organization compliant?

What NIS2 Demands From Your Organization

Article 01: Risk Management Obligations

Entities must implement technical and organizational measures proportionate to the risk. This includes business continuity planning, supply chain security, encryption, multi-factor authentication, and access control policies.

  • Business continuity & crisis management
  • Network and IS security policies
  • Encryption & cryptography standards
  • Multi-factor authentication enforcement

Article 02: Supply Chain Security

Organizations must assess and manage security risks across their entire supply chain — including vendors, managed service providers, and software suppliers.

  • Vendor security assessments
  • Third-party risk register maintenance
  • Contractual security requirements
  • Continuous supplier monitoring

Article 03: Incident Reporting Protocols

Significant incidents must be reported to national authorities within 24 hours (early warning), with a full incident notification within 72 hours and a final report within one month.

  • 24-hour early warning to CSIRT/NCA
  • 72-hour detailed incident notification
  • 30-day final incident report
  • Cross-border incident coordination

Article 04: Governance & Accountability

Management bodies bear direct liability for NIS2 compliance failures. Board-level cybersecurity oversight is mandatory — training, approval of risk measures, and personal accountability.

  • Board-level security oversight mandate
  • Personal liability for management
  • Mandatory security training programs
  • Documented risk approval processes

From Vulnerable to Fully Aligned

Phase 1 (Weeks 1–2)

Scoping & Gap Analysis

Determine your entity classification (Essential vs. Important), map current controls against NIS2 requirements, and quantify the compliance gap.

Phase 2 (Weeks 3–4)

Risk Assessment

Conduct a structured information security risk assessment aligned to ISO 27005, identifying threats, vulnerabilities, and likelihood across all in-scope assets.

Phase 3 (Weeks 5–10)

Control Implementation

Deploy technical and organizational controls: IAM policies, encryption, supply chain contractual requirements, incident response playbooks, and BCDR plans.

Phase 4 (Weeks 11–12)

Reporting Readiness

Establish automated incident detection, escalation workflows, and reporting templates to meet the 24/72-hour reporting obligations with precision.

The Cost of Negligence is Non-Negotiable

NIS2 penalties are not theoretical. National authorities across the EU have begun active enforcement with sanctioning powers comparable to GDPR.

Essential Entities

€10M or 2% of global turnover

Whichever is higher

Important Entities

€7M or 1.4% of global turnover

Whichever is higher

Management Liability

Personal sanctions

Executives face direct liability

Kernova has helped 200+ organizations achieve full NIS2 alignment before enforcement began. Start your compliance journey today.
