In force since 17 Oct 2024·Day 601·

The BulletinUpdated weekly

Field notes on NIS2 in practice.

NIS2 essential and important entities: the 4 scope testsScope & compliance

Featured · 10 June 2026

NIS2 essential and important entities: the 4 scope tests

NIS2 essential and important entities are defined by Articles 2 and 3 of Directive 2022/2555. Four tests settle whether a company is in scope.

Read · 7 min

All articles

The archive.

NIS2 multi-factor authentication: 5 access classes that need itTechnical measures

NIS2 multi-factor authentication: 5 access classes that need it

NIS2 multi-factor authentication is no longer optional. Article 21(2)(j) names it; Implementing Regulation 2024/2690 specifies which factors qualify.

11 May 2026·7 min
NIS2 transposition status: where the four markets stand in 2026National execution

NIS2 transposition status: where the four markets stand in 2026

NIS2 transposition status diverges sharply across France, Germany, Spain and Italy. Italy has transposed; the others run on draft texts. Here is the framework.

May 6, 2026·7 min
NIS2 significant incident threshold: a decision tree for the on-call teamIncidents

NIS2 significant incident threshold: a decision tree for the on-call team

NIS2 incident reporting hinges on one word: significant. Article 23(3) gives the principle, IR 2024/2690 the numbers. Here is the decision tree your duty officer needs at 03:00.

6 May 2026·7 min
NIS2 Article 20: 5 boardroom responsibilities directors cannot delegateGovernance

NIS2 Article 20: 5 boardroom responsibilities directors cannot delegate

Article 20 of Directive 2022/2555 moves cybersecurity formally into the boardroom. Here are the five responsibilities that now fall personally on directors.

Apr 18, 2025·10 min
NIS2 incident notification: the practical 72-hour guideIncident management

NIS2 incident notification: the practical 72-hour guide

A cyber incident strikes. The NIS2 clock starts. Here is exactly what you must do, hour by hour.

Apr 11, 2025·9 min
NIS2 supply chain security: 5 clauses to require from your suppliersSupply chain

NIS2 supply chain security: 5 clauses to require from your suppliers

Article 21(2)(d) of Directive 2022/2555 explicitly mandates supply chain security. Here are 5 concrete contractual clauses to add to every critical supplier contract.

Apr 09, 2025·7 min
A pragmatic risk register template for NIS2 Article 21Risk management

A pragmatic risk register template for NIS2 Article 21

Most organisations already keep a risk register. Here is how to retrofit yours so it actually maps to NIS2 expectations.

Apr 02, 2025·6 min
How national regulators will calculate your NIS2 fineSanctions

How national regulators will calculate your NIS2 fine

Up to €10M or 2% of worldwide turnover. The headline is simple. The arithmetic underneath is not.

Mar 28, 2025·8 min
The cybersecurity training every NIS2 board now owes its shareholdersGovernance

The cybersecurity training every NIS2 board now owes its shareholders

Article 20(2) requires directors to follow training. Here is what good looks like — and what regulators will accept as evidence.

Mar 22, 2025·5 min