BLUESTONE CYBER

NIS2 Readiness

Critical Infrastructure Directive

The Network and Information Security (NIS2) Directive vastly expands the scope of critical entities. Board members face personal liability for non-compliance starting in 2026.

Are you in scope?

If you are a medium or large enterprise (from 50 employees or €10M turnover upwards) operating in sectors such as Energy, Transport, Banking, Healthcare, Digital Infrastructure, IT Management (MSPs), or Manufacturing, and you operate within or serve the EU market, **NIS2 applies to you directly.**

Key Requirements

1. Management Accountability

Management bodies must approve cybersecurity measures, oversee implementation, and can be held personally liable for breaches.

2. Incident Reporting

Strict timelines apply: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within 1 month.

3. Supply Chain Security

Mandatory risk assessments of all direct suppliers and service providers.

How We Help

  • NIS2 Gap Analysis (requirements vs. your current state)
  • Incident Response Plan Development
  • Board-Level Security Training
  • Third-Party Risk Management Setup

Because NIS2 requires an "all-hazards" approach to risk management, ad-hoc security measures are no longer legally defensible.

Discuss NIS2 Readiness