
NIS2 Directive v2022/2555

Network and Information Security Directive 2 - EU cybersecurity legislation

This is a reference tool, not an authoritative source. For official documentation, visit digital-strategy.ec.europa.eu.


Other Implementing Regulation technical requirements (436 requirements)

1 POLICY ON THE SECURITY OF NETWORK AND INFORMATION SYSTEMS (ARTICLE 21(2), POINT (A) OF DIRECTIVE (EU) 2022/2555)
  1.1 Policy on the security of network and information systems
    1.1.1
      1.1.1(a)
      1.1.1(b)
      1.1.1(c)
      1.1.1(d)
      1.1.1(e)
      1.1.1(f)
      1.1.1(g)
      1.1.1(h)
      1.1.1(i)
      1.1.1(j)
      1.1.1(k)
    1.1.2
  1.2 Roles, responsibilities and authorities
    1.2.1
    1.2.2
    1.2.3
    1.2.4
    1.2.5
    1.2.6
2 RISK MANAGEMENT POLICY (ARTICLE 21(2), POINT (A) OF DIRECTIVE (EU) 2022/2555)
  2.1 Risk management framework
    2.1.1
    2.1.2
      2.1.2(a)
      2.1.2(b)
      2.1.2(c)
      2.1.2(d)
      2.1.2(e)
      2.1.2(f)
      2.1.2(g)
      2.1.2(h)
      2.1.2(i)
      2.1.2(j)
    2.1.3
    2.1.4
  2.2 RISK MANAGEMENT POLICY (ARTICLE 21(2), POINT (A) OF DIRECTIVE (EU) 2022/2555)
    2.2.1
    2.2.2
    2.2.3
  2.3 RISK MANAGEMENT POLICY (ARTICLE 21(2), POINT (A) OF DIRECTIVE (EU) 2022/2555)
    2.3.1
    2.3.2
    2.3.3
    2.3.4
3 INCIDENT HANDLING (ARTICLE 21(2), POINT (B), OF DIRECTIVE (EU) 2022/2555)
  3.1 Incident handling policy
    3.1.1
    3.1.2
      3.1.2(a)
      3.1.2(b)
      3.1.2(c)
      3.1.2(d)
    3.1.3
  3.2 Monitoring and logging
    3.2.1
    3.2.2
    3.2.3
      3.2.3(a)
      3.2.3(b)
      3.2.3(c)
      3.2.3(d)
      3.2.3(e)
      3.2.3(f)
      3.2.3(g)
      3.2.3(h)
      3.2.3(i)
      3.2.3(j)
      3.2.3(k)
      3.2.3(l)
    3.2.4
    3.2.5
    3.2.6
    3.2.7
  3.3 Event reporting
    3.3.1
    3.3.2
  3.4 Event assessment and classification
    3.4.1
    3.4.2
      3.4.2(a)
      3.4.2(b)
      3.4.2(c)
      3.4.2(d)
      3.4.2(e)
  3.5 Incident response
    3.5.1
    3.5.2
      3.5.2(a)
      3.5.2(b)
      3.5.2(c)
    3.5.3
      3.5.3(a)
      3.5.3(b)
    3.5.4
    3.5.5
  3.6 Post-incident reviews
    3.6.1
    3.6.2
    3.6.3
4 BUSINESS CONTINUITY AND CRISIS MANAGEMENT (ARTICLE 21(2), POINT (C), OF DIRECTIVE (EU) 2022/2555)
  4.1 Business continuity and disaster recovery plan
    4.1.1
    4.1.2
      4.1.2(a)
      4.1.2(b)
      4.1.2(c)
      4.1.2(d)
      4.1.2(e)
      4.1.2(f)
      4.1.2(g)
      4.1.2(h)
    4.1.3
    4.1.4
  4.2 Backup and redundancy management
    4.2.1
    4.2.2
      4.2.2(a)
      4.2.2(b)
      4.2.2(c)
      4.2.2(d)
      4.2.2(e)
      4.2.2(f)
    4.2.3
    4.2.4
      4.2.4(a)
      4.2.4(b)
      4.2.4(c)
      4.2.4(d)
    4.2.5
    4.2.6
  4.3 Crisis management
    4.3.1
    4.3.2
      4.3.2(a)
      4.3.2(b)
      4.3.2(c)
    4.3.3
    4.3.4
5 SUPPLY CHAIN SECURITY (ARTICLE 21(2), POINT (D), OF DIRECTIVE (EU) 2022/2555)
  5.1 Supply chain security policy
    5.1.1
    5.1.2
      5.1.2(a)
      5.1.2(b)
      5.1.2(c)
      5.1.2(d)
    5.1.3
    5.1.4
      5.1.4(a)
      5.1.4(b)
      5.1.4(c)
      5.1.4(d)
      5.1.4(e)
      5.1.4(f)
      5.1.4(g)
      5.1.4(h)
    5.1.5
    5.1.6
    5.1.7
      5.1.7(a)
      5.1.7(b)
      5.1.7(c)
      5.1.7(d)
  5.2 Directory of suppliers and service providers
    5.2(a)
    5.2(b)
6 SECURITY IN NETWORK AND INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE (ARTICLE 21(2), POINT (E), OF DIRECTIVE (EU) 2022/2555)
  6.1 Security in acquisition of ICT services or ICT products
    6.1.1
    6.1.2
      6.1.2(a)
      6.1.2(b)
      6.1.2(c)
      6.1.2(d)
      6.1.2(e)
      6.1.2(f)
    6.1.3
  6.2 Secure development life cycle
    6.2.1
    6.2.2
      6.2.2(a)
      6.2.2(b)
      6.2.2(c)
      6.2.2(d)
      6.2.2(e)
      6.2.2(f)
    6.2.3
    6.2.4
  6.3 Configuration management
    6.3.1
    6.3.2
      6.3.2(a)
      6.3.2(b)
    6.3.3
  6.4 Change management, repairs and maintenance
    6.4.1
    6.4.2
    6.4.3
    6.4.4
  6.5 Security testing
    6.5.1
    6.5.2
      6.5.2(a)
      6.5.2(b)
      6.5.2(c)
      6.5.2(d)
    6.5.3
  6.6 Security patch management
    6.6.1
      6.6.1(a)
      6.6.1(b)
      6.6.1(c)
      6.6.1(d)
    6.6.2
  6.7 Network security
    6.7.1
    6.7.2
      6.7.2(a)
      6.7.2(b)
      6.7.2(c)
      6.7.2(d)
      6.7.2(e)
      6.7.2(f)
      6.7.2(g)
      6.7.2(h)
      6.7.2(i)
      6.7.2(j)
      6.7.2(k)
      6.7.2(l)
    6.7.3
  6.8 Network segmentation
    6.8.1
    6.8.2
      6.8.2(a)
      6.8.2(b)
      6.8.2(c)
      6.8.2(d)
      6.8.2(e)
      6.8.2(f)
      6.8.2(g)
      6.8.2(h)
    6.8.3
  6.9 Protection against malicious and unauthorised software
    6.9.1
    6.9.2
  6.10 Vulnerability handling and disclosure
    6.10.1
    6.10.2
      6.10.2(a)
      6.10.2(b)
      6.10.2(c)
      6.10.2(d)
      6.10.2(e)
    6.10.3
    6.10.4
7 POLICIES AND PROCEDURES TO ASSESS THE EFFECTIVENESS OF CYBERSECURITY RISK-MANAGEMENT MEASURES (ARTICLE 21(2), POINT (F), OF DIRECTIVE (EU) 2022/2555)
  7.1
  7.2
    7.2(a)
    7.2(b)
    7.2(c)
    7.2(d)
    7.2(e)
    7.2(f)
  7.3
8 BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING (ARTICLE 21(2), POINT (G), OF DIRECTIVE (EU) 2022/2555)
  8.1 Awareness raising and basic cyber hygiene practices
    8.1.1
    8.1.2
      8.1.2(a)
      8.1.2(b)
      8.1.2(c)
    8.1.3
  8.2 Security training
    8.2.1
    8.2.2
    8.2.3
      8.2.3(a)
      8.2.3(b)
      8.2.3(c)
    8.2.4
    8.2.5
9 CRYPTOGRAPHY (ARTICLE 21(2), POINT (H), OF DIRECTIVE (EU) 2022/2555)
  9.1
  9.2
    9.2(a)
    9.2(b)
    9.2(c)
      9.2(c)(i)
      9.2(c)(ii)
      9.2(c)(iii)
      9.2(c)(iv)
      9.2(c)(v)
      9.2(c)(vi)
      9.2(c)(vii)
      9.2(c)(viii)
      9.2(c)(ix)
      9.2(c)(x)
      9.2(c)(xi)
      9.2(c)(xii)
  9.3
10 HUMAN RESOURCES SECURITY (ARTICLE 21(2), POINT (I), OF DIRECTIVE (EU) 2022/2555)
  10.1 Human resources security
    10.1.1
    10.1.2
      10.1.2(a)
      10.1.2(b)
      10.1.2(c)
      10.1.2(d)
    10.1.3
  10.2 Verification of background
    10.2.1
    10.2.2
      10.2.2(a)
      10.2.2(b)
    10.2.3
  10.3 Termination or change of employment procedures
    10.3.1
    10.3.2
  10.4 Disciplinary process
    10.4.1
    10.4.2
11 ACCESS CONTROL (ARTICLE 21(2), POINTS (I) AND (J), OF DIRECTIVE (EU) 2022/2555)
  11.1 Access control policy
    11.1.1
    11.1.2
      11.1.2(a)
      11.1.2(b)
      11.1.2(c)
    11.1.3
  11.2 Management of access rights
    11.2.1
    11.2.2
      11.2.2(a)
      11.2.2(b)
      11.2.2(c)
      11.2.2(d)
      11.2.2(e)
      11.2.2(f)
    11.2.3
  11.3 Privileged accounts and system administration accounts
    11.3.1
    11.3.2
      11.3.2(a)
      11.3.2(b)
      11.3.2(c)
      11.3.2(d)
    11.3.3
  11.4 Administration systems
    11.4.1
    11.4.2
      11.4.2(a)
      11.4.2(b)
      11.4.2(c)
  11.5 Identification
    11.5.1
    11.5.2
      11.5.2(a)
      11.5.2(b)
      11.5.2(c)
      11.5.2(d)
    11.5.3
    11.5.4
  11.6 Authentication
    11.6.1
    11.6.2
      11.6.2(a)
      11.6.2(b)
      11.6.2(c)
      11.6.2(d)
      11.6.2(e)
      11.6.2(f)
    11.6.3
    11.6.4
  11.7 Multi-factor authentication
    11.7.1
    11.7.2
12 ASSET MANAGEMENT (ARTICLE 21(2), POINT (I), OF DIRECTIVE (EU) 2022/2555)
  12.1 Asset classification
    12.1.1
    12.1.2
      12.1.2(a)
      12.1.2(b)
      12.1.2(c)
    12.1.3
  12.2 Handling of assets
    12.2.1
    12.2.2
      12.2.2(a)
      12.2.2(b)
      12.2.2(c)
    12.2.3
  12.3 Removable media policy
    12.3.1
    12.3.2
      12.3.2(a)
      12.3.2(b)
      12.3.2(c)
      12.3.2(d)
    12.3.3
  12.4 Asset inventory
    12.4.1
    12.4.2
      12.4.2(a)
      12.4.2(b)
    12.4.3
  12.5 Deposit, return or deletion of assets upon termination of employment
13 ENVIRONMENTAL AND PHYSICAL SECURITY (ARTICLE 21(2), POINTS (C), (E) AND (I) OF DIRECTIVE (EU) 2022/2555)
  13.1 Supporting utilities
    13.1.1
    13.1.2
      13.1.2(a)
      13.1.2(b)
      13.1.2(c)
      13.1.2(d)
      13.1.2(e)
      13.1.2(f)
    13.1.3
  13.2 Protection against physical and environmental threats
    13.2.1
    13.2.2
      13.2.2(a)
      13.2.2(b)
      13.2.2(c)
    13.2.3
  13.3 Perimeter and physical access control
    13.3.1
    13.3.2
      13.3.2(a)
      13.3.2(b)
      13.3.2(c)
      13.3.2(d)
    13.3.3