Komplyo
NIS2 Directive (EU) 2022/2555

Assess your NIS2 compliance and plan your corrections

The NIS2 directive extends cybersecurity obligations to thousands of European SMEs and mid-caps. Komplyo assesses your posture against the Article 21 measures, pinpoints the gaps and generates the policies and registers that prove compliance. Built for a part-time security lead.

Does NIS2 apply to you?

Scope no longer depends on being designated by the state. It follows from your sector and size. Three situations put you in scope:

Essential entity

Large companies (250+ employees or €50M turnover) in highly critical sectors: energy, transport, health, water, digital infrastructure, banking, public administration.

Important entity

Medium companies (50+ employees or €10M turnover) in critical sectors: postal services, waste management, chemicals, food, manufacturing, digital providers, research.

Supply chain

Even outside direct scope, your NIS2-regulated customers must secure their suppliers. They will ask you for contractual guarantees and evidence of your security measures.

NIS2 obligations, translated into actions

The directive doesn't require a certification. It requires demonstrable measures. Here is what Articles 20, 21 and 23 concretely expect:

Governance and accountability (Art. 20)

Management bodies approve the risk-management measures, oversee their implementation and receive cybersecurity training. They can be held personally liable.

Risk analysis and security policy (Art. 21)

Formalised policies on risk analysis and information-system security. The security policy and the risk register become documents you must be able to produce.

Incident notification (Art. 23)

Early warning within 24 hours, notification within 72 hours, final report within one month for significant incidents. The procedure must exist and have been tested before the incident.

Business continuity

Backups, disaster recovery, crisis management. Documented arrangements with named owners and regular tests.

Supply-chain security

Assessing the security of your direct suppliers and providers, contractual requirements included. The most commonly forgotten link.

Hygiene, encryption and access control

MFA, encryption, access and asset management, awareness training. Baseline cyber-hygiene practices are explicitly listed by the directive.

The Komplyo method: assessed once, projected everywhere

Komplyo is built on NIST CSF 2.0. You answer plain-language questions once, and your answers are automatically projected onto the NIS2 requirements. Then reused as-is if you later aim for ISO 27001 or SOC 2.

  • Start with the free diagnostic. 23 questions, a NIS2 readiness score in minutes, no account required.
  • Continue with the full assessment. Maturity per function (govern, identify, protect, detect, respond, recover) and a dedicated NIS2 module in your dashboard.
  • Scores are stored at every update. You demonstrate continuous improvement, not a one-off snapshot.
Komplyo dashboard NIS2 module: coverage of the Article 21 measures

The documents that prove your NIS2 compliance

Generated from your answers, ready to present to your board, your customers or the supervisory authority:

  • Information-system security policy
  • Incident management and notification procedure
  • Risk register and treatment plan
  • Supplier security questionnaire
  • Roadmap prioritised by risk, urgency and ease of implementation

NIS2. Frequently asked questions

When does NIS2 actually apply?

The directive was due to be transposed by October 2024; national implementations phase in the obligations and controls progressively. Waiting for the last deadline means compressing the whole compliance effort into a few months.

What are the penalties for non-compliance?

Up to €10M or 2% of worldwide annual turnover for essential entities, €7M or 1.4% for important entities. Plus possible personal liability for management (Article 20).

Does NIS2 require a certification?

No. NIS2 requires measures and evidence, not a certificate. A structured approach like ISO 27001 helps, but what matters is demonstrating the Article 21 measures. Exactly what the Komplyo assessment and generated documents produce.

How does NIS2 differ from ISO 27001?

NIS2 is a legal obligation; ISO 27001 a voluntary certification. Their requirements overlap heavily: with Komplyo, the same assessment feeds both your NIS2 compliance and your ISO 27001 preparation, with no duplicate data entry.

We don't have a full-time CISO. Is that a blocker?

No. Every company needs a security lead, even part-time. Komplyo is built to save that person time. Plain-language questions, automatic gap prioritisation, documents generated from your answers.

NIS2 and GDPR. Do we assess everything twice?

No. Komplyo assesses both in parallel and deduplicates: a security measure already assessed for NIS2 automatically feeds GDPR Article 32.

Gauge your NIS2 readiness in 23 questions

Free, no account, no credit card. Instant score per security function, data hosted in the EU.