What is the NIS2 Directive? Cybersecurity & IAM
The NIS2 Directive (Directive (EU) 2022/2555) is the successor to the EU's original cybersecurity framework, NIS1 (Directive (EU) 2016/1148). NIS stands for Network and Information Security. NIS2 substantially expands the sectors in scope, tightens security and incident-reporting requirements, and strengthens supervisory and enforcement powers across all EU member states.
The directive came into force in January 2023. Member states were required to transpose it into national law by October 2024, each implementing it through their own legislation while adhering to a shared set of obligations and standards.
Why NIS2 Was Introduced
As digitalisation advances and interdependencies between organisations deepen, exposure to cyber threats increases proportionally. A single successful attack on an energy provider, a financial institution, or critical digital infrastructure can cause disruption far beyond the targeted organisation.
NIS1 had become too limited to address this threat landscape. Different member states operated to different national security standards, creating inconsistencies that hampered cross-border cooperation and left uneven levels of resilience across the EU.
NIS2 addresses both problems. It raises the minimum security baseline and establishes a level playing field, ensuring all member states operate to a consistent set of requirements and can collaborate from a common foundation.
Who Does NIS2 Apply To?
NIS2 targets organisations that are important or essential to the economic and social functioning of EU member states. Two criteria determine whether an organisation falls within scope: the sector it operates in, and its size.
Sector Scope
NIS2 distinguishes between two tiers of sector, listed in Annex I (highly critical) and Annex II (other critical) of the directive:

| Category | Examples |
|---|---|
| Highly critical sectors (Annex I) | Energy, transport, banking and financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, space |
| Other critical sectors (Annex II) | Digital providers (online marketplaces, search engines, social networks), postal and courier services, food production and distribution, manufacturing of critical products, chemicals, waste management, research |
Organisation Size
Within those sectors, NIS2 generally applies to medium-sized and large organisations, using the EU definition of enterprise size (Recommendation 2003/361/EC). An organisation is treated as medium or large if it meets either the headcount or the financial criterion for that band:

| Classification | Employees | Financial thresholds |
|---|---|---|
| Large | 250 or more | Annual turnover above €50 million and balance sheet total above €43 million |
| Medium | 50 to 249 | Annual turnover above €10 million and balance sheet total above €10 million, below the large thresholds |
| Small and micro | Fewer than 50 | Annual turnover or balance sheet total of €10 million or less; generally excluded from NIS2 scope |
Regardless of size, certain categories always fall within scope: public authorities, providers of public electronic communications networks and services, trust service providers, top-level domain name registries, DNS service providers, and domain name registration service providers. Individual member states may also bring smaller organisations within scope where they are considered critical to national functioning.
Essential vs Important Entities
For in-scope organisations, a further classification determines the supervisory regime and the maximum penalties that apply:

| | Essential entities | Important entities |
|---|---|---|
| Who qualifies | Large organisations in highly critical sectors; qualified trust service providers, top-level domain name registries and DNS service providers regardless of size; medium-sized providers of public electronic communications networks or services; central government public administration entities; any further entities a member state designates as essential | Medium-sized organisations in highly critical sectors; medium-sized and large organisations in other critical sectors |
| Supervision model | Proactive (ex ante and ex post): compliance is monitored continuously, regardless of whether incidents have occurred | Reactive (ex post): regulators act following an incident, an external report, or audit findings |
| Penalties | Administrative fines with a maximum of at least €10 million or 2% of total worldwide annual turnover, whichever is higher | Administrative fines with a maximum of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher |
NIS2 Obligations
Organisations within NIS2 scope face three core obligations.
Registration. Organisations must register with the competent authority in their member state, which maintains a national list of essential and important entities. Certain digital entities, such as DNS service providers, cloud and data centre providers and online platforms, are additionally recorded in a registry maintained by ENISA, giving an EU-wide overview of in-scope entities.
Duty of care. Organisations must conduct a risk analysis and implement appropriate, proportionate technical, operational and organisational measures across all network and information systems used to deliver their services. The measures listed in Article 21 cover risk analysis and security policies, incident handling, business continuity (backups, disaster recovery and crisis management), supply chain security, secure acquisition and development of systems including vulnerability handling, cyber hygiene and training, cryptography and encryption, human resources security and access control, and the use of multi-factor or continuous authentication.
Incident reporting. Significant incidents must be reported to the national CSIRT (Computer Security Incident Response Team) or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be malicious or likely to have cross-border impact; an incident notification within 72 hours that updates the early warning with an initial assessment of severity and impact and any indicators of compromise; and a final report within one month of that notification. The authority may request intermediate status updates in between. An incident is significant where it has caused, or is capable of causing, severe operational disruption of services or financial loss for the organisation, or has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage.
Supervisory authorities can investigate both the organisation and, where necessary, individual members of its management body. Under NIS2, management bodies must approve the organisation's risk-management measures, oversee their implementation, and undergo training on cybersecurity risk; they can be held liable for infringements, and in essential entities an authority may temporarily bar an individual from exercising managerial functions. This personal accountability for senior leadership is one of the more significant features of NIS2.
NIS2 and UK Organisations
NIS2 is an EU directive. Following Brexit, the UK is not required to implement it. The UK's existing cybersecurity framework is built on the NIS Regulations 2018, which implemented the original NIS1 Directive, and those regulations remain in force.
The UK is developing its own updated framework. The Cyber Security and Resilience Bill was introduced to Parliament in November 2025 and is currently progressing through its parliamentary stages, with Royal Assent expected in late 2026 and phased implementation running through to 2028. The government has indicated an intention for the UK framework to align more closely with NIS2, though the two regimes differ in several important respects.
UK organisations with EU operations or customers may still be directly subject to NIS2. A compliance strategy built solely around NIS2 does not automatically satisfy UK requirements, and vice versa. Key differences include:
NIS2 covers a broader range of sectors, including manufacturing and food, which the UK Bill does not currently include
The UK Bill introduces a new category of Designated Critical Suppliers with no direct NIS2 equivalent
Incident reporting thresholds and customer notification requirements differ between the two frameworks
Penalty structures differ, with the UK Bill carrying higher maximum fines in some circumstances
Organisations operating across both the UK and the EU should treat the two frameworks as parallel compliance obligations rather than interchangeable ones.
NIS2, Identity Management, and HelloID
Access control and identity management are central to NIS2 compliance. The risk-management measures in Article 21 explicitly include access control policies, multi-factor or continuous authentication, and policies on the use of cryptography and encryption. For organisations managing large numbers of users across multiple systems, meeting these requirements manually is not feasible, and every manually granted or forgotten entitlement is an unaudited gap.
HelloID supports NIS2 compliance across several key areas:
Automated provisioning ensures users receive precisely the access rights their role requires and no more, and that those rights are removed when the role ends, applying the principle of least privilege to the access control policies NIS2 requires.
Role-based and attribute-based access control (RBAC/ABAC) enforces consistent, auditable access policies across all connected systems.
Multi-Factor Authentication (MFA) strengthens authentication for all users accessing critical systems and applications.
Governance and recertification provide the regular access reviews and audit trails that NIS2 supervisory requirements demand.
Service Automation ensures that individual access changes outside automated provisioning are handled through controlled, documented approval workflows.