Glossary

What Is NIS2?

NIS2 (Network and Information Security Directive 2) is an EU directive expanding cybersecurity obligations to a broader category of "essential" and "important" entities across critical sectors. In force since October 2024, it sets requirements for risk management, incident reporting, supply-chain security, and security testing — including penetration testing evidence under Article 21(2)(d) and (f).

Who NIS2 applies to

Essential entities: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space. Important entities: postal/courier, waste management, chemicals, food, manufacturing of medical devices/computers/electrical/transport equipment, digital providers, research. The size threshold is medium-sized (50+ employees or €10M+ turnover) plus sector-specific exceptions for smaller entities providing critical services.

Key obligations under Article 21

  • Risk analysis and information system security policies
  • Incident handling and reporting (24h early-warning, 72h notification, 1-month report)
  • Business continuity and crisis management
  • Supply-chain security including ICT service providers
  • Security in network and information systems acquisition, development, and maintenance — this is where pentest evidence sits (Art. 21(2)(d))
  • Effectiveness assessment of cybersecurity measures — pentest evidence also sits here (Art. 21(2)(f))
  • Cyber hygiene and training
  • Cryptography policies and access control

How SQUR maps to NIS2

SQUR pentest reports map directly to Article 21(2)(d) and (f). Every finding includes a control-evidence mapping: which NIS2 obligation it touches and what the remediation closes. For ambassador and reseller partners, SQUR provides a co-brandable NIS2 Article 21 Evidence Package that maps SQUR scan output to the regulation section by section.

Frequently asked questions

When did NIS2 come into effect?

NIS2 entered into force on 16 January 2023 and Member States had until 17 October 2024 to transpose it into national law. Many countries are still finalising their implementations into 2025-2026, but the obligations are live for in-scope entities now.

What's the difference between essential and important entities?

Both are in scope and have the same baseline security obligations. The difference is in supervision: essential entities face ex-ante supervision (regulators can inspect proactively); important entities face ex-post supervision (regulators act in response to incidents).

Are penalties strict?

Yes. Up to €10M or 2% of global annual turnover for essential entities; €7M or 1.4% for important entities. Plus personal liability for management bodies who fail to comply.

Is NIS2 the same as DORA?

No. DORA is specific to financial services and is considered lex specialis. NIS2 applies more broadly across critical sectors. Financial entities under DORA are generally exempt from NIS2 for the corresponding requirements.

Related terms

  • DORA
  • ISO 27001
  • Penetration Testing
  • TLPT
  • GDPR
