When is the NIS2 deadline?

EU member states must transpose NIS2 into national law by October 17, 2024. However, most countries missed this deadline. Effective enforcement with penalties is expected from October 17, 2026, when national laws take full effect.

Who is affected by NIS2?

NIS2 applies to essential entities (energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Generally: organisations with 50+ employees or €10M+ annual turnover in these sectors.

What are the penalties for NIS2 non-compliance?

Essential entities face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to €7 million or 1.4% of global annual turnover. Management can be held personally liable.

What does NIS2 require for websites and digital services?

NIS2 Art. 21 requires risk-based security measures including: encryption in transit (HTTPS/TLS), access control, incident detection and reporting (24h early warning, 72h notification), supply chain security, business continuity, and regular security assessments. SiteGuardian monitors these technical requirements continuously.

EU Directive 2022/2555

NIS2 is coming.
Are you ready?

The NIS2 Directive requires organisations across 18 sectors to implement cybersecurity measures — or face fines up to €10M. The clock is ticking.

---

Days

Hours

Minutes

Seconds

until October 17, 2026

Analise o seu website agora Check which rules apply

Does NIS2 apply to you?

NIS2 applies to essential and important entities in 18 sectors. If your organisation has 50+ employees or €10M+ turnover in one of these sectors, you are likely in scope.

Energia

Essential

Transporte

Essential

Banking

Essential

Health

Essential

Digital Infrastructure

Essential

ICT Services

Essential

Chemicals

Importante

Manufacturing

Importante

Postal Services

Importante

Cloud / SaaS

Importante

Food

Importante

Research

Importante

The cost of non-compliance

Essential entities

€10M

or 2% of global annual turnover

whichever is higher

Important entities

€7M

or 1.4% of global annual turnover

whichever is higher

Management can be held personally liable under NIS2 Art. 20.

What NIS2 requires — and what SiteGuardian monitors

NIS2 Art. 21 defines 10 cybersecurity risk management measures. SiteGuardian continuously monitors the technical ones.

Art. 21(2)(a)

Risk analysis and security policies

Monitorizado

Regular security assessments and documented security posture.

Art. 21(2)(b)

Incident handling

Monitorizado

Detection, reporting (24h early warning, 72h notification), and response processes.

Art. 21(2)(c)

Business continuity

Backup management, disaster recovery, and crisis management.

Art. 21(2)(d)

Supply chain security

Monitorizado

Security requirements for suppliers and service providers.

Art. 21(2)(e)

Secure development

Security in network and information systems acquisition and development.

Art. 21(2)(f)

Effectiveness assessment

Monitorizado

Policies and procedures to assess cybersecurity risk management effectiveness.

Art. 21(2)(g)

Cyber hygiene and training

Basic cyber hygiene practices and cybersecurity training.

Art. 21(2)(h)

Cryptography and encryption

Monitorizado

Policies on the use of cryptography and encryption.

Art. 21(2)(i)

Access control and asset management

Human resources security, access control policies, and asset management.

Art. 21(2)(j)

Multi-factor authentication

Monitorizado

Use of MFA, secured communications, and emergency communication systems.

Start preparing today

Scan your website to see where you stand. SiteGuardian maps every finding to NIS2 articles — so you know exactly what to fix.

Free security scan View compliance plans

Free forever for 1 monitor. No credit card required.

Perguntas frequentes

What is the NIS2 Directive?

NIS2 (Directive 2022/2555) is the EU's updated cybersecurity regulation replacing the original NIS Directive. It significantly expands the scope to cover 18 sectors and introduces stricter requirements for incident reporting, risk management, and supply chain security.

When does NIS2 take effect?

Member states had to transpose NIS2 by October 17, 2024. Most missed this deadline. Effective enforcement with penalties is expected from October 17, 2026, when national transposition laws take full effect.

Does NIS2 apply to my company?

If your organisation has 50+ employees or €10M+ annual turnover and operates in one of the 18 listed sectors (energy, transport, banking, health, digital infrastructure, ICT, manufacturing, etc.), you are likely in scope. Use our compliance check tool to find out.

What are the reporting deadlines?

Under NIS2 Art. 23: 24 hours for an early warning, 72 hours for the formal incident notification, and 1 month for the final report. SiteGuardian tracks these deadlines automatically when an incident is opened.

How does SiteGuardian help with NIS2?

SiteGuardian continuously monitors your website's security posture (encryption, headers, DNS, email authentication) and maps findings to NIS2 articles. When an incident occurs, it classifies the regulatory impact and tracks notification deadlines. Compliance reports document your measures for auditors.

NIS2 is coming. Are you ready?

Does NIS2 apply to you?

The cost of non-compliance

What NIS2 requires — and what SiteGuardian monitors

Risk analysis and security policies

Incident handling

Business continuity

Supply chain security

Secure development

Effectiveness assessment

Cyber hygiene and training

Cryptography and encryption

Access control and asset management

Multi-factor authentication

Start preparing today

Perguntas frequentes

Tem certeza?

NIS2 is coming.
Are you ready?