obligo

NIS2 brief

Read the NIS2 brief.

NIS2 expands EU cybersecurity duties for essential and important entities. This brief summarizes the directive at a high level and how a human-approved approach can help teams stay on top of these duties.

Indicative incident timeline

24 hoursEarly warning after becoming aware of a significant incident.
72 hoursIncident notification with initial assessment where available.
One monthFinal report after the incident notification.

Overview

What NIS2 is

Directive (EU) 2022/2555, known as NIS2, replaced NIS1 and raises cybersecurity expectations across the EU through wider scope, clearer rules, supervision, cooperation, risk-management duties, and incident reporting duties.

Coverage

Who it covers

NIS2 generally applies to medium and large entities in listed critical sectors. The European Commission describes 18 critical sectors, including energy, transport, health, finance, water, digital infrastructure, public electronic communications, waste and wastewater, critical manufacturing, postal and courier services, public administration, and space.

Key duties

Common NIS2 obligation themes

Risk-management measures

Covered entities are expected to maintain appropriate cybersecurity risk-management measures. National implementation details may vary.

Incident reporting

For significant incidents, NIS2 frames a staged reporting workflow: early warning within 24 hours, incident notification within 72 hours, and a final report within one month.

Management accountability

The directive brings cybersecurity risk management closer to boardroom oversight and accountability.

Operationalization

How OBLIGO helps

Map duties

See your NIS2, DORA, GDPR, and contract duties in one place.

Run timelines

See what is due, and when, so deadlines are met.

Keep evidence

Keep approvals, files, and decisions organized against each duty.

Keep humans in control

A named, accountable person approves before anything is used outside the workflow — people stay in control.

NIS2 brief

Informational only, not legal advice. Confirm obligations under the applicable national NIS2 implementation and with qualified counsel.