IN FORCE | Deadline: 31 March 2026

NIS2 Directive

Cybersecurity with personal board liability

The NIS2 Directive requires essential and important entities to implement comprehensive cybersecurity measures, including supply chain risk management and 24-hour incident reporting. Management bears personal liability for non-compliance.

Maximum penalty

€10M or 2% global annual turnover (essential entities). Personal liability for management.

What It Requires

01 Cyber risk management measures (Art. 21)

02 Incident reporting within 24 hours

03 Supply chain security due diligence

04 Regular and targeted security audits

05 Access control and encryption

What Happens If Not Compliant

Fines up to €10M or 2% of global turnover. Personal liability for management. Mandatory security audits and compliance orders from national authorities.

How Arctura Solves It

L5 Governance Add-On: dedicated MCP endpoint, policy controls, audit trail, SIEM export, EU-only deployment. Provides board-level evidence of compliance.

L5 Enterprise Governance Add-On | L4 Digital Health Certificate | L6 TAS Data Index & Licensing

This page provides general information about the requirements of the NIS2 Directive (EU 2022/2555). It does not constitute legal advice. Consult a qualified cybersecurity compliance specialist for guidance specific to your organization.

Ready to Get Compliant?

50 assets. 2 weeks. Proof of regulatory readiness.
