NIS2 Directive in force since 16 January 2023; Member States' transposition deadline was 17 October 2024
NIS2 Directive (EU) 2022/2555

EU cyber gateway for essential + important entities — automated.

Secruna ships the NIS2 Directive as a live rule book: Articles 20, 21 (the ten cybersecurity risk-management measure groups), 23 (incident notification — 24h early warning, 72h notification, 1-month final report), 24 (certification schemes), 28 (DNS data), 29 (information sharing). 22 IGPs with per-row evidence, gap surface, and a 90-day audit trail. The output is a one-PDF / one-CSV bundle structured exactly the way a national competent authority assessor reads the supervisory file. Penalties under NIS2 reach EUR 10M or 2% of annual worldwide turnover for essential entities — and management bodies can be held personally liable.

Why NIS2 is the framework you start with

Three pressures push NIS2 up the EU cyber agenda — in this order.

The transposition deadline was 17 October 2024, and Member States have been enacting national implementing acts since then (Germany's NIS2UmsuCG, Poland's national act implementing the Directive, France's transposition bill, etc.). The cost of turning up to a national CSIRT or competent-authority assessment without an evidence pack is measured in audit findings, remediation deadlines and the personal liability of the management body, not in retainers.

Cross-sector EU coverage

NIS2 applies across the sectors named in Annex I (sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and Annex II (other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing including medical devices, digital providers, research). Essential or important status is set by Article 3, not by the annex alone: an Annex I entity above the medium-size threshold is essential, while other in-scope entities, including Annex II ones, are important, with a few named exceptions (qualified trust service providers, TLD name registries and DNS service providers are essential regardless of size). If your tenant operates in one of those sectors and meets the size threshold, NIS2 applies, period.

Penalties + personal liability bite

Article 34 requires each Member State to provide for maximum administrative fines of at least EUR 10M or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7M or 1.4% for important entities. Article 20 makes the management body accountable: it approves the Article 21 measures, oversees their implementation and can be held liable for infringements. A missing or undocumented management-body approval of the Art. 21 measures is therefore not a paperwork gap but a finding with personal-liability consequences once a national competent authority surfaces it.

Signal reuse — NIS2 + DORA + NCSC CAF

NIS2 Article 21 overlaps heavily with DORA Pillar 1 (for EU financial entities) and NCSC CAF Objective B (for UK gov + CNI operators). One tenant cyber-posture artefact powers verdicts across all three. The marginal cost of adding NIS2 on top of an existing DORA or NCSC CAF subscription is the rule-book matcher plus the NIS2-shaped evidence pack — the cyber signals are already collected.

The five-step path

What you have to do at competent-authority assessment time, in order.

The same five gates apply to every framework Secruna covers, including NIS2. Start at step one — the rest only make sense once the organisation knows which essential / important function is in scope and which systems support it.

  1. Classify

     Confirm the entity's NIS2 classification under Article 3, essential or important (the annex alone does not decide it: Annex I entities above the medium-size threshold, plus a few named types such as TLD name registries and DNS service providers, are essential; other in-scope entities are important), and the Member State with jurisdiction under Article 26 (normally where the entity is established; the main establishment for DNS, cloud, data-centre and similar digital providers). The supervisory regime differs: ex ante and ex post supervision for essential entities (Article 32), ex post only for important entities (Article 33), and establishments in several Member States trigger the mutual-assistance mechanism between national authorities (Article 37).

  2. Discover

     Connect cloud accounts, the identity provider and GitHub. Secruna's discovery worker collects the cyber-posture signal once and reuses it across every cyber framework you subscribe to (NIS2, DORA, NCSC CAF). The first scan typically surfaces MFA gaps on privileged accounts, log retention windows under 12 months, and encryption posture drift on a small fraction of endpoints.

  3. Map to NIS2

     The rule-book matcher evaluates each of the 22 NIS2 IGPs against the latest posture artefact and assigns a verdict: fully compliant, applicable (pending evidence), partially compliant or not applicable. Verdicts cite the connector signal that drove them so an assessor can trace the evidence from the IGP row back to the source control state.

  4. Close the gaps

     The §3 Gaps surface lists every partially-compliant or applicable-unevidenced IGP with the connector field that drove the verdict. Remediate at your own cadence; verdicts re-evaluate on every discovery run. The gap list is the same list the national competent authority expects to see in the supervisory file.

  5. Generate + submit

     One click produces the evidence pack PDF and CSV. The audit trail captures the last 90 days of platform activity. Filename: secruna-nis2-evidence-{tenant}-{date}.pdf. Hand it to the national competent authority alongside the standard supervisory file. Submission flows through national channels: Secruna ships the evidence; the entity files it.
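To make steps 2 to 4 concrete, here is an added example of the kind of rule-book matcher they describe: a handful of per-row rules run over a tenant posture artefact, producing one verdict per IGP in the page's own vocabulary and citing the connector signal that drove it. This is illustrative code, not Secruna's; the connector keys, the rule IDs (modelled on the Art20-01-… naming above), the posture rows and the thresholds are all constructed for the example.

```python
"""Added example (not Secruna code): a minimal rule-book matcher of the kind steps
2-4 describe. Connector names, rule IDs, thresholds and posture rows are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Verdict vocabulary used on this page. There is no separate "non-compliant" label,
# so any failing row lands in "partially compliant" and therefore on the gap surface.
FULLY = "fully compliant"
PARTIAL = "partially compliant"
PENDING = "applicable (pending evidence)"
NA = "not applicable"


@dataclass
class Verdict:
    igp: str
    verdict: str
    evidence: list[str] = field(default_factory=list)  # signal paths that passed the rule
    gaps: list[str] = field(default_factory=list)      # signal paths that failed or are missing


@dataclass
class Rule:
    igp: str                         # hypothetical rule ID, modelled on Art20-01-board-accountability
    connector: str                   # key of the posture artefact this rule reads
    signal: str                      # row field that drives the verdict (cited as evidence)
    applies: Callable[[dict], bool]  # which rows the rule covers
    passes: Callable[[dict], bool]   # what a covered row must satisfy


def evaluate(rule: Rule, posture: dict) -> Verdict:
    rows = posture.get(rule.connector)
    if rows is None:
        # Connector never wired up: the obligation applies but nothing evidences it yet.
        return Verdict(rule.igp, PENDING, gaps=[f"{rule.connector}: not connected"])
    covered = [r for r in rows if rule.applies(r)]
    if not covered:
        return Verdict(rule.igp, NA)

    def cite(r: dict) -> str:
        # Evidence path an assessor can follow back to the source control state.
        return f"{rule.connector}[{r['id']}].{rule.signal}={r[rule.signal]!r}"

    passed = [cite(r) for r in covered if rule.passes(r)]
    failed = [cite(r) for r in covered if not rule.passes(r)]
    return Verdict(rule.igp, FULLY if not failed else PARTIAL, passed, failed)


# Thresholds are assumptions of this example (the Directive sets none of them); the
# 365-day figure mirrors the "retention windows under 12 months" finding in step 2.
RULES = [
    Rule("Art21-10-mfa-privileged", "idp.accounts", "mfa_enforced",
         applies=lambda r: r["privileged"], passes=lambda r: r["mfa_enforced"]),
    Rule("Art21-02-log-retention", "cloud.log_stores", "retention_days",
         applies=lambda r: True, passes=lambda r: r["retention_days"] >= 365),
    Rule("Art21-08-crypto-at-rest", "cloud.volumes", "encrypted",
         applies=lambda r: True, passes=lambda r: r["encrypted"]),
    Rule("Art21-05-vuln-handling", "github.repos", "dependabot_enabled",
         applies=lambda r: True, passes=lambda r: r["dependabot_enabled"]),
]


def run_rulebook(posture: dict) -> list[Verdict]:
    return [evaluate(rule, posture) for rule in RULES]


def gap_surface(verdicts: list[Verdict]) -> list[Verdict]:
    """What step 4 lists: every IGP that is partially compliant or unevidenced."""
    return [v for v in verdicts if v.verdict in (PARTIAL, PENDING)]


# Constructed posture artefact for one tenant; GitHub is deliberately not connected.
SAMPLE_POSTURE = {
    "idp.accounts": [
        {"id": "admin-1", "privileged": True, "mfa_enforced": True},
        {"id": "admin-2", "privileged": True, "mfa_enforced": False},
        {"id": "user-7", "privileged": False, "mfa_enforced": False},  # outside rule scope
    ],
    "cloud.log_stores": [
        {"id": "audit-trail", "retention_days": 400},
        {"id": "app-logs", "retention_days": 90},
    ],
    "cloud.volumes": [
        {"id": "vol-a", "encrypted": True},
        {"id": "vol-b", "encrypted": True},
    ],
}

if __name__ == "__main__":
    for v in run_rulebook(SAMPLE_POSTURE):
        print(f"{v.igp}: {v.verdict}")
        for g in v.gaps:
            print(f"    gap <- {g}")
```

Two design points carry over to any real matcher: a connector that was never wired up must surface as pending evidence rather than as a pass (silence is not compliance), and every verdict should carry the exact signal path it was computed from, because that path is what an assessor traces back to the control state.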

Article 20 — Governance

Management-body accountability + training — the personal-liability seam.

What NIS2 asks. Article 20(1): the management body of an essential or important entity must approve the cybersecurity risk-management measures taken under Article 21, oversee their implementation and can be held liable for infringements. Article 20(2): members of the management body are required to follow training, and must encourage the entity to offer similar training to its employees on a regular basis, so that they can identify risks and assess the risk-management practices in place.

What counts as compliant. A documented management-body approval of the Art. 21 measures (formal resolution, signed policy, minuted decision); a named accountable executive (CISO / CRO equivalent); an auditable cadence of board-level oversight; and evidence of annual cybersecurity training for both management and workforce.

What Secruna ships for Art. 20. Rules under Art20-01-board-accountability and Art20-02-management-training surface the governance approval state and the training-completion rate from the tenant cyber posture artefact. The evidence pack cites the approval decision + the latest training cycle, so the supervisor verifies on demand.

See this in your dashboard at: /inventory?framework=nis2&article=Art20 with the management-body approval state + training cycle surfaced per tenant.

Article 21 — Risk-management measures

The ten measure groups — the technical heart of NIS2.

What NIS2 asks. Article 21(2) names ten measure groups every essential / important entity must implement: (a) policies on risk analysis and information-system security, (b) incident handling, (c) business continuity (including backup management and disaster recovery) and crisis management, (d) supply-chain security, (e) security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure, (f) policies and procedures to assess the effectiveness of the measures, (g) basic cyber hygiene and cybersecurity training, (h) policies on the use of cryptography and, where appropriate, encryption, (i) human-resources security, access control and asset management, (j) multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

What counts as compliant. A documented policy per measure group, evidence of operation on the cyber posture artefact, and the Art. 21(2)(f) effectiveness assessment closing the loop on whether the measure actually works in this entity’s context.

What Secruna ships for Art. 21. Twelve rules across the ten measure groups: risk analysis policy, incident handling capability, business continuity with tested backups, supply-chain register (v1 reuses the AI inventory — full ICT third-party coverage is scaffolded under Plan 134), vulnerability management with patching SLA, effectiveness review cycle, awareness training completion rate, cryptography policy with at-rest + in-transit coverage, HR-security joiner/mover/leaver, MFA enforcement on privileged + remote access, secure communications stack, and a cross-cutting network-security baseline.

See this in your dashboard at: /inventory?framework=nis2&article=Art21 with per-measure-group verdict and connector-signal citation surfaced.

Article 23 — Incident notification

24h early warning, 72h notification, 1-month final report — the regulatory clock.

What NIS2 asks. Article 23(4) sets the significant-incident reporting timeline: (a) an early warning within 24 hours of becoming aware of the incident, (b) an incident notification within 72 hours of becoming aware (24 hours for trust service providers), (c) an intermediate report on request of the CSIRT or competent authority, (d) a final report no later than one month after the incident notification under (b), and (e) for an incident still ongoing at that point, a progress report then and a final report within one month of handling the incident. Article 23(1) and (2) add the duty to inform recipients of the services, without undue delay, of significant incidents likely to affect service delivery and of any measures or remedies they can take in response to a significant cyber threat.

What counts as compliant. A documented process per timeline step with a named owner, channel to the national CSIRT, and a tested template covering the required data points (suspected unlawful or malicious cause, cross-border impact, indicators of compromise, root-cause analysis). Evidence of an actual exercise of the 24h/72h/1-month path within the last cycle.

What Secruna ships for Art. 23. Four rules across the timeline: 24h early warning, 72h notification, 1-month final report, recipients-of-services comms. Incident classification against the Article 23(3) significance threshold (severe operational disruption or financial loss, or considerable material or non-material damage to other persons) is scaffolded under Plan 133; v1 lets the tenant tag incidents manually and surfaces the Art. 23 process state for the supervisor.

See this in your dashboard at: /incidents with the Art. 23 timeline tracker + the recipient-notification playbook state per tenant.
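The timeline above has two traps that an incident tracker must get right: the 24h and 72h clocks run from the moment of awareness, while the one-month final-report clock runs from the submission of the 72h notification, and an incident still ongoing when that final report falls due moves the final report to one month after handling ends. The following is an added example of such a clock, not Secruna's /incidents tracker; the field names are assumed, and the reading of "one month" as the same calendar day of the next month (clamped to month end) is an assumption the Directive's text does not settle.

```python
"""Added example (not Secruna code): the Article 23 notification clock for one
significant incident. Field names and the calendar-month reading are assumptions."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC timestamp; keep all clock inputs in UTC."""
    return datetime(*args, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Art. 23(4)(d)/(e) say 'one month' without defining it. This example reads it as
    the same calendar day of the next month, clamped to that month's last day
    (31 Jan -> 28 Feb). That reading is an assumption, not the Directive's text."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class Art23Clock:
    aware_at: datetime                               # moment the entity became aware
    trust_service_provider: bool = False             # Art. 23(4) 2nd subparagraph: 24h for (b)
    early_warning_at: Optional[datetime] = None      # when (a) was actually submitted
    notified_at: Optional[datetime] = None           # when (b) was actually submitted
    final_report_at: Optional[datetime] = None       # when (d)/(e) was actually submitted
    handling_ended_at: Optional[datetime] = None     # set once the incident is no longer ongoing

    def early_warning_due(self) -> datetime:
        return self.aware_at + timedelta(hours=24)                 # Art. 23(4)(a)

    def notification_due(self) -> datetime:
        hours = 24 if self.trust_service_provider else 72          # Art. 23(4)(b)
        return self.aware_at + timedelta(hours=hours)

    def final_report_due(self) -> Optional[datetime]:
        # (d) runs from submission of the (b) notification, not from awareness: until
        # the notification is actually sent there is no final-report deadline to track.
        if self.notified_at is None:
            return None
        due = add_one_month(self.notified_at)
        # (e): if handling was still under way when (d) fell due, a progress report was
        # owed at that point and the final report moves to one month after handling ended.
        if self.handling_ended_at is not None and self.handling_ended_at > due:
            return add_one_month(self.handling_ended_at)
        return due

    def overdue(self, now: datetime) -> list[str]:
        """Steps whose deadline has passed without a recorded submission."""
        checks = [
            ("early_warning", self.early_warning_due(), self.early_warning_at),
            ("notification", self.notification_due(), self.notified_at),
            ("final_report", self.final_report_due(), self.final_report_at),
        ]
        return [name for name, due, sent in checks
                if due is not None and sent is None and now > due]


if __name__ == "__main__":
    # Constructed incident: awareness late on a Friday, warning in time, notification late.
    c = Art23Clock(aware_at=utc(2025, 1, 31, 22, 0))
    c.early_warning_at = utc(2025, 2, 1, 9, 0)
    print("notification due :", c.notification_due())
    print("overdue on 4 Feb :", c.overdue(utc(2025, 2, 4, 8, 0)))
    c.notified_at = utc(2025, 2, 4, 8, 30)
    print("final report due :", c.final_report_due())
```

Note that a late 72h notification does not shorten the final-report window; it shifts it, which is why the tracker anchors (d) on the recorded submission time rather than on the deadline.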

Art. 24 + 28 + 29

Certification, DNS data, information sharing — the supplemental obligations.

What NIS2 asks. Article 24 — Member States may require essential / important entities to use ICT products / services certified under European cybersecurity certification schemes. Article 28 — TLD registries and entities providing domain name registration services must maintain accurate registration data. Article 29 — voluntary sectoral information sharing (ISACs, sector CSIRTs).

What Secruna ships. Three rules covering the certification posture, the DNS registration data accuracy for entities in scope, and ISAC membership. The information-sharing IGP feeds back into the Art. 21(2)(f) effectiveness assessment so the supervisor sees a closed loop between the entity’s threat intel and the measure-review cycle.

See this in your dashboard at: /inventory?framework=nis2 filtered to Art. 24 / 28 / 29 IGPs.

EU Cyber Pack

Three frameworks. One platform.

NIS2 is the gateway across every essential / important sector. DORA tightens it for EU financial entities; NCSC CAF is the UK equivalent for gov + CNI operators. Because every cyber signal Secruna collects is shared across all three, the marginal cost of adding another framework to a tenant subscription is close to zero.

NIS2 (this page)

Gateway for EU essential + important entities in regulated sectors. 22 IGPs. Penalties up to EUR 10M or 2% of annual worldwide turnover; management bodies personally liable.

DORA

EU financial entities only; in force since 16 January 2023 and applicable since 17 January 2025. 33 IGPs across five pillars. Pillar 4 register reuses our AI inventory as a partial Art. 28 register of information. See DORA detail →

NCSC CAF + GovAssure

UK equivalent for gov departments + Critical National Infrastructure operators. 31 IGPs. GovAssure-mandated since 2023. See NCSC CAF detail →

See where your NIS2 posture stands.
In 30 minutes.

A 30-minute scope call confirms your tenant’s NIS2 classification (essential / important / out of scope), maps the entity estate to the 22 NIS2 IGPs, and identifies which measures you can evidence from existing signals today and which need a tenant-supplied attestation. You leave the call with a concrete gap list and a path to a competent-authority-ready evidence pack.
