Solution · NIS2

NIS2 compliance, end to end. Operated, not just documented.

The European NIS2 Directive (EU 2022/2555) obliges essential and important entities to implement ten cybersecurity risk-management measures, issue an early warning on significant incidents within 24 hours of becoming aware of them, and hold management bodies personally accountable for the measures they approve. CloudSoul delivers the measures, produces the evidence, and files the reports.

See the platform
Scope

Are you in scope?

Essential entities

Large enterprises in the Annex I sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space. Certain providers (for example DNS, TLD registries, trust service providers and public electronic communications networks) are essential regardless of size, as are entities a member state specifically identifies.

Proactive supervision. Full fine bracket.

Energy · Transport · Banking · Health · Drinking water · Wastewater · Digital infra · ICT services · Public admin · Space

Important entities

Medium-sized enterprises in the Annex I sectors, plus medium and large entities in the Annex II "other critical sectors": postal and courier, waste management, chemicals, food, manufacturing of critical products, digital providers, research.

Reactive supervision. Reduced fine bracket.

Postal · Waste mgmt · Chemicals · Food · Manufacturing · Digital providers · Research

Most mid-market EU operators in a covered sector with 50 or more employees, or more than €10M in annual turnover or balance sheet total, will be in scope as either an essential or an important entity. The classification turns on sector (Annex I or II), size, and whether a member state has specifically identified you, for example as a sole provider of a critical service.

Obligations

The ten measures you must implement.

Plus Article 20 (management accountability) and Article 23 (incident reporting). We cover all twelve.

Art. Measure What the directive says (plain English) How CloudSoul delivers it
21(a) Risk analysis & security policies Establish written policies covering risk analysis and information system security. Compliance Core ships pre-built policy templates mapped to NIS2. Risk register is configured during onboarding and updates as your profile changes.
21(b) Incident handling Detect, classify, contain, recover from, and learn from cybersecurity incidents. Our 24/7 SOC ingests SIEM and EDR signals, triages, and acts. Post-incident report and lessons learned land in the evidence engine.
21(c) Business continuity & crisis management Maintain backups, test recovery, and have a crisis-management plan. Backup monitoring confirms recovery point objectives are met. BCP/DRP plans are version-controlled and exercised on a schedule.
21(d) Supply chain security Assess and monitor security risks from suppliers and direct service providers. Vendor assessments, posture monitoring, and supply-chain incident alerts. Tracks every vendor in your dependency graph.
21(e) Secure acquisition, development & maintenance Build security into procurement, development, and ongoing maintenance, including vulnerability handling and disclosure. Continuous vulnerability scanning, patch monitoring, and CSPM tracking. Findings flow into the action plan automatically.
21(f) Effectiveness assessment Have policies and procedures to assess whether your cybersecurity measures actually work. Recurring control testing, KPI dashboards, and audit-ready evidence reports. Your alignment plan refreshes automatically.
21(g) Cyber hygiene & training Train staff in basic cybersecurity practices, including phishing awareness. Phishing simulation, training tracking, board-level NIS2 training. Completion records auto-attached to the evidence engine.
21(h) Cryptography & encryption Use cryptography appropriately, including encryption where applicable. Encryption posture monitoring (in-transit, at-rest), key rotation tracking, certificate inventory. Findings surface as risks.
21(i) HR security, access control & asset management Human resources security (vetting, onboarding and offboarding), access control policies, and a complete asset inventory. IAM monitoring, joiner/mover/leaver workflows, asset discovery and inventory tracking against your IT profile.
21(j) MFA & secured communications Use multi-factor or continuous authentication, secured voice / video / text communications, and secured emergency communication systems, where appropriate. MFA coverage scanning across your IT estate, secure-comms inventory, gap reporting. Recommendations surface in the action plan.
20 Management accountability Management bodies approve the cybersecurity risk-management measures, oversee their implementation, and must themselves undergo cybersecurity training. Members can be held personally liable for infringements. Board pack auto-generated from the action plan: risk posture, control coverage, residual risk, decisions log. Board training and sign-off captured in the evidence engine.
23 Incident reporting (24h / 72h / 1 month) Report significant incidents in stages: early warning within 24 hours of becoming aware, incident notification within 72 hours, and a final report no later than one month after the incident notification (a progress report if the incident is still ongoing, with intermediate updates on request). Auto-classification of significance. Member-state-specific submission templates pre-built. CSIRT submission trail captured in the evidence engine.
Article 23 reporting

Three clocks you cannot miss.

CloudSoul handles the clock. Classification is automatic. Regulator templates are pre-built for each member state. Submission trail is captured in the evidence engine.

T + 0

Incident detected

Classification begins.

T + 24h

Early warning

To CSIRT / competent authority. Indicates whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. No detailed analysis required yet.

T + 72h

Full notification

Updates the early warning: initial assessment of severity and impact, indicators of compromise where available, mitigation applied.

T + 72h + 1 month

Final report

Due one month after the incident notification. Detailed description of severity and impact, the threat type or root cause that likely triggered it, applied and ongoing mitigation, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.

Enforcement

The cost of non-compliance.

€10M or 2%

Maximum fine for essential entities, whichever is higher, applied to global annual turnover.

€7M or 1.4%

Maximum fine for important entities.

Personal liability

Management bodies approve and oversee the cybersecurity measures and can be held personally liable for infringements. For essential entities, authorities can also suspend certifications or authorisations and temporarily ban individuals from exercising managerial functions.

Why CloudSoul for NIS2

Built for this regulation specifically.

EU-operated data

Luxembourg HQ, EU-only hosting, no US Cloud Act exposure. For many NIS2 entities, this is a hard constraint.

We meet you where you are

Cloud-native at launch. Hybrid and on-premise deployments available on request for operators with specific constraints.

Operated, not documented

CloudSoul runs the SIEM, the SOC, the scans, the sims, and produces the evidence as a by-product. GRC vendors give you a checklist; CloudSoul runs the controls.

Multi-framework-ready

NIS2 today. Add ISO 27001 or DORA with a single framework toggle; your existing controls map across.

FAQ at scale

Already ISO 27001 certified? You’re close, not done.

ISO 27001 gives you most of the 10 measures.

Article 21 measures overlap heavily with ISO 27001 Annex A controls. If you already have a live ISO 27001 implementation, you likely satisfy 70–80% of NIS2 technical requirements.

NIS2 adds four gaps ISO 27001 does not close.

Personal management liability (Art. 20). The 24h/72h/1-month reporting workflow (Art. 23). Supply-chain monitoring depth (Art. 21(d)). Jurisdictional reporting: each member state has its own CSIRT or competent authority and its own submission format.

FAQ

Questions.

Is my organisation in scope for NIS2?

If you operate in one of the 18 critical sectors listed in Annexes I and II AND have at least 50 employees or €10M annual turnover, you are likely in scope, either as an essential or important entity. Some digital infrastructure providers are in scope regardless of size.

What is the difference between essential and important entities?

Essential entities (Annex I, e.g. energy, transport, healthcare) face proactive supervision and the higher fine bracket: up to €10M or 2% of global turnover. Important entities (Annex II, e.g. postal, food, manufacturing) face reactive supervision and a reduced bracket: up to €7M or 1.4%.

How quickly do I have to report an incident?

Article 23 imposes three deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after that notification (a progress report if the incident is still ongoing). CloudSoul auto-classifies significance and pre-builds member-state submission templates so the clock isn’t your problem to manage.

We already have ISO 27001. Are we NIS2 compliant?

No, not by itself. In our experience a live ISO 27001 implementation covers roughly 70-80% of the NIS2 Article 21 technical requirements. The four remaining gaps are: personal liability of management (Art. 20), the 24h/72h/1-month reporting workflow (Art. 23), supply-chain monitoring depth (Art. 21(d)), and per-member-state CSIRT reporting formats.

What are the fines for NIS2 non-compliance?

Up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities; up to €7 million or 1.4% (whichever is higher) for important entities. For essential entities, authorities can also suspend certifications or authorisations and impose temporary bans on individuals exercising managerial functions.

Do we need to deploy NIS2 tools on-premise?

No. CloudSoul is cloud-native and runs in EU infrastructure (Luxembourg by default). Hybrid and on-premise options are available on request for operators with specific data-residency or air-gap constraints.

How long does NIS2 implementation take with CloudSoul?

From signed contract to operational compliance is typically 4-8 weeks for cloud-first organisations. Onboarding produces the alignment plan in week 1; module deployment and SOC handover happen across the following weeks. The Compliance Core is live from day one.

When does NIS2 enforcement actually begin?

NIS2 had to be transposed into national law by 17 October 2024, with the national rules applying from 18 October 2024. Transposition has been uneven: several member states missed the deadline, so enforcement is active where national law is in force and still ramping up elsewhere. Specific enforcement dates and competent authorities vary by country; your competent authority is typically the national CSIRT or a sector-specific regulator.

NIS2 is not a checklist. It is an operational programme. CloudSoul runs it with you.
See the platform

30-minute call · Includes scope classification · No deck.