Secure Controls Framework
Network and Information Security 2 (NIS2) Directive

NIS2 raises the EU-wide cybersecurity bar substantially: it broadens the set of regulated sectors, tightens supervision and enforcement, and makes the management bodies of essential and important entities directly accountable for cybersecurity governance throughout the Union.

Common Controls Framework™

The SCF is the Common Controls Framework™ (CCF™) — a Living Control Set (LCS) with 1,400+ controls across 33 domains, mapped to 200+ laws, regulations, and frameworks including NIS2. Free under Creative Commons. Importable into GRC platforms via .csv or NIST OSCAL JSON. Validated using NIST IR 8477 STRM set theory.

Law Overview

Network and Information Security 2 (NIS2) Directive

The NIS2 Directive is a European Union cybersecurity law that establishes minimum cybersecurity risk-management measures and incident reporting obligations for essential and important entities operating in the sectors listed in its Annexes I and II. As a directive, it binds Member States, who transpose it into national law and designate the authorities that supervise entities in their jurisdiction.

As the successor to the original NIS Directive (Directive (EU) 2016/1148), NIS2 is designed to strengthen the cyber resilience of essential services across the EU. It expands the scope of regulated sectors, sets minimum cybersecurity requirements for both public and private entities, and requires supply chain security, management-body accountability and continuous risk management.

Name

Network and Information Security 2 (NIS2) Directive

Type

Statutory (Law)

Authoritative Source

Directive (EU) 2022/2555 (published in the Official Journal on 27 December 2022; in force since 16 January 2023)

Adopted

14 December 2022

Member State Deadline

October 17, 2024 (transposition into national law; national measures apply from 18 October 2024)

Enforced By

National competent authorities and CSIRTs designated by each Member State; cross-border coordination via the NIS Cooperation Group and the CSIRTs network

Applies To

Essential and important entities in the Annex I (high criticality) and Annex II (other critical) sectors, generally medium-sized and large organizations, with some entities in scope regardless of size

Certification Available

No official certification. SCF CAP can demonstrate conformity.

TL / DR — Too Long / Didn’t Read

NIS2 raises the EU-wide cybersecurity bar substantially. It broadens scope, tightens enforcement and embeds governance-based accountability at the executive level. It also interlocks with other EU regimes: DORA acts as sector-specific law for financial entities (NIS2 Article 4), GDPR governs the personal-data breaches that frequently overlap with NIS2 incidents, and the Cyber Resilience Act covers products with digital elements. A unified, framework-driven approach to compliance is therefore essential.

Organizations that invest in integrated security frameworks, mature governance models and robust documentation will be better positioned — not only to comply — but also to deliver reliable, secure services in an increasingly regulated digital economy.

GRC-Focused Overview

NIS2 — Origins and Expanded Scope

NIS2 dramatically broadens both reach and accountability compared to its predecessor: it covers more sectors, harmonizes and raises penalties, and makes management bodies directly liable for the cybersecurity risk-management measures their organizations adopt.

The original NIS Directive (2016) introduced the EU's first binding cybersecurity rules for operators of essential services and digital service providers. However, inconsistent transposition across Member States, a narrow scope and weak, divergent enforcement left significant gaps. NIS2 was designed to close those gaps.

The new Directive now governs entities in energy, transport, banking and financial market infrastructures, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space and the Annex II sectors described below. It also mandates management-body engagement in cybersecurity governance and introduces personal consequences for executives who fail to meet their obligations.

Essential Entities (Sectors of High Criticality, Annex I)

Large entities in the Annex I sectors: energy, transport, banking and financial market infrastructures, health, drinking water and waste water, digital infrastructure, ICT service management (B2B), public administration and space. Certain entities are essential regardless of size, for example qualified trust service providers and TLD name registries. Essential entities face the highest level of regulatory scrutiny, including proactive (ex ante) supervision, and the strictest enforcement measures.

Important Entities (Other Critical Sectors, Annex II)

Entities in the Annex II sectors: postal and courier services, waste management, chemicals, food production, processing and distribution, manufacturing (including medical devices, computer and electronic products, electrical equipment, machinery and vehicles), digital providers and research. Medium-sized entities in Annex I sectors are also classified as important. Important entities must implement the same Article 21 risk-management measures and Article 23 reporting duties, but they are supervised reactively (ex post) and face lower maximum fines.

Enforcement

Ramifications of Non-Compliance With NIS2

NIS2 requires Member States to apply stringent sanctions at both organizational and leadership levels (Articles 32 to 36):

Essential Entity Fines

Administrative fines with a maximum of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. Member States may set higher ceilings in national law.

Important Entity Fines

Administrative fines with a maximum of at least €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

Non-Monetary Actions

Supervisory powers include on-site inspections and off-site supervision, targeted security audits and security scans, requests for evidence of implementation, binding instructions and orders to cease infringing conduct, public disclosure of infringements and, for essential entities, temporary suspension of certifications or authorisations for the services concerned.

Leadership Liability

Management bodies can be held liable for infringements of the risk-management obligations (Article 20). For essential entities that fail to comply with enforcement measures within the deadline set, competent authorities may request that natural persons at CEO or legal-representative level be temporarily barred from exercising managerial functions (Article 32). The original NIS Directive had no equivalent mechanism.

Compliance Requirements

Core NIS2 Requirements and Compliance Measures

NIS2 compels in-scope entities to implement a robust, structured cybersecurity program (Articles 20, 21 and 23) encompassing:

Governance and Risk Management

Management bodies must approve the entity's cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements; their members must undergo cybersecurity training and are expected to offer similar training to employees on a regular basis.

Proportionate Security Controls

Organizations must apply appropriate and proportionate technical, operational and organizational measures, following an all-hazards approach and scaled to their exposure to risk, their size, and the likelihood and potential impact of incidents. Article 21(2) lists the minimum measure areas, including risk analysis and information system security policies, incident handling, business continuity, supply chain security, secure acquisition and development, vulnerability handling, effectiveness assessment, cyber hygiene and training, cryptography, human resources and access control, asset management, and multi-factor authentication and secured communications where appropriate.

Incident Response and Reporting

Requires documented incident handling procedures and notification of significant incidents to the national CSIRT or competent authority on a fixed timeline (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, an intermediate report on request, and a final report within one month of the notification. Recipients of the affected services must be informed where the incident is likely to adversely affect them.

Business Continuity and Resilience

Plans must address business continuity, including backup management and disaster recovery, as well as crisis management.

Supply Chain and Third-Party Security

Entities must address the security of their relationships with direct suppliers and service providers, factoring in the overall quality of each supplier's products and cybersecurity practices, and must build security into the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure. In practice this means supplier security policies, dependency assessments and security requirements embedded in procurement and vendor management.

Workforce Training and Awareness

Basic cyber hygiene practices and cybersecurity training are required measures. Management body members must complete training themselves and should provide regular, comparable training to employees so that staff can recognise and respond to risks.

Compliance Strategy

Common Methods to Achieve and Maintain NIS2 Compliance

To meet NIS2 Directive obligations, organizations typically follow these strategic steps:

Scoping and Entity Classification

Determine whether your organization operates in an Annex I or Annex II sector and whether its size (or a size-independent criterion, such as being the sole provider of an essential service in a Member State) makes it an essential or important entity, then register with the national competent authority where national law requires it.

Assessment and Asset Inventory

Maintain an up-to-date inventory of systems, networks, services and critical functions, including the suppliers and service providers they depend on, to define your compliance boundary.

Risk Assessment and Control Design

Employ a risk-based, all-hazards approach, aligning the selected measures to NIS2's proportionality principle and documenting the rationale for each decision.

Implementation of Controls

Align with recognized control frameworks (e.g., Secure Controls Framework (SCF), ISO/IEC 27001, NIST CSF, CIS Controls) and ENISA guidance to establish the required organizational, technical and operational measures. Entities in the digital infrastructure and digital provider categories should also apply Commission Implementing Regulation (EU) 2024/2690, which specifies the technical and methodological requirements of the Article 21 measures for those entity types.

Testing and Monitoring

Regularly validate control effectiveness through audits, penetration testing and tabletop exercises; Article 21 explicitly requires policies and procedures for assessing how effective the risk-management measures are.

Incident Management

Establish workflows for incident classification, meeting the 24-hour, 72-hour and one-month reporting deadlines to authorities, and communicating with affected service recipients and other stakeholders.

Supply Chain Governance

Embed security clauses in contracts, vet suppliers and monitor third-party cyber hygiene.

Governance Structure and Roles

Define executive accountability, reporting mechanisms and oversight bodies, supported by the role profiles in ENISA's European Cybersecurity Skills Framework (ECSF).

Documentation Value

Understanding The Value of Quality Cybersecurity Documentation in NIS2 Success

NIS2's accountability framework requires that organizations not only comply, but prove they comply. Auditors and regulators will expect structured, current and accessible documentation as evidence of the cybersecurity program's maturity, and competent authorities are explicitly empowered to request evidence of implementation.

Risk Assessment Files

Methodologies, findings, and risk treatment plans that demonstrate a systematic, repeatable approach to identifying and addressing cyber risks proportionate to the organization’s profile.

Governance Records and Policies & Procedures

Board minutes, approval memos and management reviews demonstrating management-body approval and oversight of the risk-management measures, along with current, version-controlled incident response, business continuity, access control and supply chain security policies.

Training, Awareness Logs and Incident Records

Evidence of training completion for management body members and staff; incident classifications, the early warning, notification and final report submitted to the authority, response actions and remediation tracking, all of which must be retained and producible on request.

Third-Party Documentation

Supplier assessments and contractual security clauses demonstrating that supply chain obligations are being actively managed and enforced throughout the vendor lifecycle.

Get Started

See NIS2 Mapped in the SCF

NIS2 — and 200+ more laws, regulations, and frameworks — is mapped to the SCF’s 1,400+ controls across 33 domains. Download the Common Controls Framework™ free.