Overview
What NIS2 is
Directive (EU) 2022/2555, known as NIS2, replaced NIS1 and raises cybersecurity expectations across the EU through wider scope, clearer rules, supervision, cooperation, risk-management duties, and incident reporting duties.
Coverage
Who it covers
NIS2 generally applies to medium and large entities in listed critical sectors. The European Commission describes 18 critical sectors, including energy, transport, health, finance, water, digital infrastructure, public electronic communications, waste and wastewater, critical manufacturing, postal and courier services, public administration, and space.
Key duties
Common NIS2 obligation themes
Risk-management measures
Covered entities are expected to maintain appropriate cybersecurity risk-management measures. National implementation details may vary.
Incident reporting
For significant incidents, NIS2 frames a staged reporting workflow: early warning within 24 hours, incident notification within 72 hours, and a final report within one month.
Management accountability
The directive brings cybersecurity risk management closer to boardroom oversight and accountability.
Operationalization
How OBLIGO helps
Map duties
See your NIS2, DORA, GDPR, and contract duties in one place.
Run timelines
See what is due, and when, so deadlines are met.
Keep evidence
Keep approvals, files, and decisions organized against each duty.
Keep humans in control
A named, accountable person approves before anything is used outside the workflow — people stay in control.
Informational only, not legal advice. Confirm obligations under the applicable national NIS2 implementation and with qualified counsel.