NIS2 Compliance with Gover
The NIS2 Directive strengthens cybersecurity requirements across the EU.
Overview
| Attribute | Value |
|---|---|
| Full Name | Network and Information Security Directive 2 |
| Jurisdiction | European Union |
| Effective Date | October 2024 (transition period ended) |
| Applies To | Essential and important entities |
Scope
Essential Entities
- Energy
- Transport
- Banking
- Health
- Digital infrastructure
- Public administration
Important Entities
- Postal services
- Waste management
- Manufacturing
- Digital providers
- Research
Key Requirements
Risk Management (Article 21)
- Risk analysis and security policies
- Incident handling
- Business continuity
- Supply chain security
- Security in acquisition
- Vulnerability handling
- Cybersecurity assessment
- Cryptography and encryption
- Human resources security
- Access control
Incident Reporting (Article 23)
- Early warning within 24 hours
- Incident notification within 72 hours
- Final report within one month
Governance
- Management approval
- Cybersecurity training
- Personal accountability
Using Gover for NIS2
1. Add the NIS2 Framework
- Go to Frameworks → Add Framework
- Select NIS2 from templates
- Add to your workspace
2. Assess Your Scope
Determine if you're an essential or important entity based on:
- Sector
- Size
- Criticality
3. Map Controls to Requirements
Map your security controls to NIS2 Article 21 requirements:
- Risk management policies
- Incident management processes
- Business continuity plans
- Supply chain security measures
4. Implement Reporting
Ensure you can meet reporting timelines:
- 24h early warning capability
- 72h notification process
- Final reporting procedures
Recommended Controls
| NIS2 Area | Recommended Controls |
|---|---|
| Risk Management | Risk assessment process, Information security policy |
| Incident Handling | Incident response plan, SIEM |
| Business Continuity | BCP, Disaster Recovery plan |
| Supply Chain | Vendor assessment, Third-party risk |
| Access Control | IAM, MFA, Privileged Access |
| Cryptography | Encryption policy, Key management |
Penalties
NIS2 introduces significant penalties:
- Essential entities: Up to €10M or 2% of global turnover
- Important entities: Up to €7M or 1.4% of global turnover
Resources
Next Steps
- ISO 27001 — Complementary security standard
- Risk Management — Implement risk processes