How to Achieve NIS2 for Your Cloud Infrastructure

NIS2 is no longer on the horizon; it is in effect, and enforcement is beginning. The Network and Information Systems (NIS2) Directive is the European Union's primary cybersecurity legislation, replacing the original NIS Directive and raising the bar significantly for how organisations must manage risk, respond to incidents, and demonstrate resilience. More than 100,000 organisations across the EU are now in scope. This page explains what NIS2 requires, who is affected, and how Mitigant helps cloud-native organisations achieve and maintain compliance.

NIS2 - A New Frontier in Cybersecurity

NIS2 is in force. The transposition deadline passed in October 2024, enforcement is beginning across EU member states, and the European Commission has already moved to strengthen the framework further. For organisations operating cloud infrastructure, the question is no longer whether NIS2 applies; it is whether your security controls are actually ready to withstand scrutiny.

The original NIS Directive, introduced in 2016, was the EU's first major cybersecurity legislation. Despite its intent, it produced fragmented implementation across member states, with inconsistent requirements, uneven enforcement, and coverage that failed to keep pace with rapid digitalisation and an escalating threat landscape.

The NIS2 Directive (Directive EU 2022/2555) was designed to fix that. Proposed in December 2020 and entering into force on 16 January 2023, NIS2 dramatically expands the scope of affected sectors, introduces mandatory baseline security measures, and gives national authorities significantly stronger supervisory and enforcement powers. Member states were required to transpose NIS2 into national law by 17 October 2024.

In January 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance obligations for smaller organisations — a signal that NIS2 is a living framework that will continue to evolve, not a fixed checkbox exercise.

Deciphering NIS2 Objectives

Mandatory Incident Reporting: Hard Deadlines That Cannot Be Missed

This is where many organisations will feel the most immediate pressure. NIS2 mandates precise reporting timelines that leave no room for ambiguity. When a significant incident occurs, affected organisations must:

  • Submit an early warning to their national CSIRT or competent authority within 24 hours of becoming aware of the incident
  • Follow up with a formal incident notification within 72 hours, including an initial assessment of severity and impact
  • Submit a final incident report within one month covering root cause, impact, and remediation actions taken

Meeting these windows requires that detection is not just theoretically in place; it must work in practice. Gaps in cloud detection coverage directly jeopardise your ability to comply.

Mandatory Security Measures Across Ten Domains

NIS2 does not leave security measures to interpretation. Article 21 specifies ten mandatory areas that all in-scope organisations must address:

  • Risk analysis and information system security policies
  • Incident handling
  • Business continuity and crisis management
  • Supply chain security
  • Security in network and information system acquisition
  • The effectiveness of cybersecurity measures
  • Basic cyber hygiene and training
  • Cryptography and encryption
  • Human resources security and access control
  • The use of multi-factor authentication

Organisations must be able to demonstrate that each area is actively addressed, not just documented.

Enhanced European Cybersecurity Standards and Supervisory Powers

NIS2 introduces a size-threshold rule that brings all medium and large entities in covered sectors into automatic scope, ending the previous model where member states individually designated operators of essential services. National authorities now have significantly stronger supervisory tools, including the power to conduct on-site inspections, request evidence, and impose sanctions on both organisations and their senior management. Management liability is explicit: NIS2 Article 20 requires leadership to oversee, approve, and be personally trained on cybersecurity risk management measures.

Cross-Border Coordination and Vulnerability Management

NIS2 establishes the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to coordinate the management of large-scale cross-border incidents. It strengthens the Computer Security Incident Response Team (CSIRT) network and tasks ENISA with maintaining a vulnerability database for ICT products and services, providing a shared framework for coordinated vulnerability disclosure across the EU.

Which Entities Are Impacted by the NIS2 Directive

NIS2 applies to medium and large entities operating within EU member states that provide essential or important services across a significantly expanded range of sectors. This size-threshold approach replaces the previous model, under which member states individually identified operators of essential services.

Affected Sectors

[Figure: affected sectors: transportation, banking, financial markets, health services, public administration, digital providers, chemical industry, research, food industry, digital infrastructure, energy, drinking water, space, waste water, post and courier, manufacturing, and waste management.]
[Table: entity size thresholds (medium and large entities, by employee count and financials) and the essential and important sectors, including energy, transportation, banking, health, waste management, manufacturing, and research organisations.]

NIS2 is estimated to affect more than 100,000 organisations across the EU, a substantial expansion compared to the original NIS Directive. Member states may also identify smaller entities with elevated risk profiles that fall within scope regardless of size.

Note for German organisations: Germany is among the EU member states that had not completed national transposition by the October 2024 deadline. The German implementation law (NIS2UmsuCG) is currently progressing through parliament and is expected to affect approximately 30,000 companies nationwide. German organisations should treat NIS2 requirements as their baseline now, as the national law is expected to come into force and enforcement to follow shortly thereafter.

Timeline for NIS2 Directive Compliance

NIS2 entered into force on 16 January 2023. The transposition deadline for EU member states was 17 October 2024, by which point national laws were required to be in effect. EU member states were also required to establish a list of entities in essential and important sectors by 17 April 2025.

In practice, several member states, Germany and France among them, did not complete transposition by the October 2024 deadline. The European Commission has launched infringement proceedings against those member states. However, organisations in those countries should not wait for national enforcement to begin; NIS2 requirements define the applicable standard, and regulatory pressure from partners, customers, and authorities is already materialising.

[Figure: timeline of key NIS directive milestones from August 2016 to October 2027, including NIS2 enforcement, reports, deadlines, and revisions.]

In January 2026, the European Commission proposed targeted amendments to NIS2 to simplify compliance and increase legal clarity, particularly for smaller organisations. Mitigant monitors these developments and ensures its platform stays aligned with evolving requirements.

NIS2 Directive Non-Compliance Consequences

The consequences of non-compliance go beyond fines. NIS2 introduces personal liability for senior management, making cybersecurity a board-level issue, not just an IT one. Competent national authorities can impose:

  • Financial penalties of up to €10 million or 2% of global annual turnover for essential entities, or €7 million or 1.4% of global annual turnover for important entities, whichever is higher.
  • Non-monetary remedies, including compliance orders, binding instructions, mandated security audits, or orders to notify affected customers of security threats.
  • Management liability, including public disclosure of compliance violations, personal liability for senior executives, and temporary bans on holding management positions.

For organisations with cloud infrastructure, regulators will increasingly look at whether cloud environments were adequately monitored, tested, and secured, not just at whether policies existed on paper.

Act Before an Auditor Does
See Where Your Organisation Stands Against NIS2
Get a clear view of your exposure gaps before an auditor does. Mitigant assesses your environment against all ten NIS2 mandatory security domains.

What to Prepare for the NIS2 Directive

NIS2 compliance is an ongoing discipline, not a one-time project. For organisations running cloud infrastructure, each step below has a direct cloud dimension, because cloud environments are dynamic, misconfigured resources can appear overnight, and attack paths that didn't exist last month may exist today.

  • Assessment and Gap Analysis: Evaluate your current cybersecurity posture against NIS2's ten mandatory security domains. For cloud environments specifically, this means understanding which resources are exposed, which are misconfigured, and whether your detection tooling would actually catch a real cloud attack. Misconfigurations and undetected attack paths are among the most common gaps flagged during NIS2 audits.
  • Prioritising Actions: Address critical gaps first, especially those that create direct exposure to incidents or would prevent you from meeting the 24-hour and 72-hour reporting deadlines. In cloud environments, publicly exposed resources, excessive IAM permissions, and absent detection coverage are typically the highest-priority items.
  • Resource Allocation: Define the financial, technological, and human resources required. Cloud security tooling that automates continuous assessment significantly reduces the manual overhead of NIS2 compliance, shifting effort from periodic audits to continuous visibility.
  • Implementation Phase: Deploy the required technical controls, including multi-factor authentication, encryption, access control policies, and network segmentation. For cloud infrastructure, this includes securing cloud-native services, Kubernetes workloads, and the APIs that connect them.
  • Training and Awareness: NIS2 Article 20 places explicit personal responsibility on senior management. Ensure that leadership understands the organisation's cloud security posture, not just that a programme exists, but what it covers and where the gaps are.
  • Continuous Monitoring and Improvement: A cloud environment that passed a compliance check six months ago may not pass today. Continuous monitoring for configuration drift, new attack techniques, and emerging vulnerabilities is essential. NIS2 rewards organisations that can demonstrate ongoing vigilance, not just periodic effort.
  • Documentation and Reporting: Maintain detailed records of compliance activities and establish the processes needed to meet the 24-hour, 72-hour, and one-month incident reporting requirements before an incident occurs, not during one.

How Mitigant Helps Cloud-Native Organizations Achieve NIS2 Compliance

Cloud infrastructure sits at the heart of NIS2 compliance for most organizations. It is where critical services are delivered, where sensitive data is stored, and where attackers focus their efforts. Mitigant is purpose-built to help cloud-native organizations meet NIS2's technical and operational requirements, with onboarding in under 15 minutes and continuous coverage across all major cloud platforms and Kubernetes.

Here is how Mitigant maps to the key NIS2 security obligations under Article 21:

1. Risk Analysis and Asset Inventory

NIS2 requirement: Organizations must maintain visibility of all assets and implement policies for risk analysis and information system security.

The Mitigant platform continuously discovers and inventories cloud resources across all major cloud platforms and Kubernetes through Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM). Misconfigurations, compliance deviations, and changes to resources are detected in real time, providing the continuous asset visibility and risk awareness NIS2 requires across your entire cloud and container estate.

2. Incident Handling and Detection Validation

NIS2 requirement: Organizations must have incident handling processes in place and be able to detect, analyse, and respond to significant incidents within defined timeframes.

Mitigant's Detection Validation capability allows organizations to verify that their SIEM, SOC, and detection tooling actually catches cloud attacks, not just in theory, but against real emulated attack scenarios. This directly addresses NIS2's requirement to assess the effectiveness of security measures and supports the ability to meet the 24-hour and 72-hour reporting windows by ensuring detection gaps are closed before an incident occurs.

3. Supply Chain Security and Proactive Exposure Validation

NIS2 requirement: Organizations must address cybersecurity risks in their supply chains and regularly verify the effectiveness of their security measures.

Mitigant's Cloud Attack Emulation runs automated, safe attack emulations across your cloud environment to uncover security blind spots before attackers find them. This is the Adversarial Exposure Validation (AEV) approach, a Gartner-defined category that continuously challenges your defences rather than assuming they work. For organizations running cloud-based services for their customers or partners, this is a critical NIS2 supply chain security control.

See how Mitigant validated cloud security posture 5x faster for a real enterprise deployment.

4. Continuous Compliance with Security Standards

NIS2 requirement: Organizations must implement policies and procedures to evaluate the effectiveness of security measures and align with relevant security standards.

Mitigant's Continuous Compliance feature maps controls across cloud and Kubernetes infrastructure to industry frameworks including ISO 27001, CIS Benchmarks for AWS, Azure, and Kubernetes, PCI-DSS, BSI C5, and NIS2 itself, providing ongoing posture assessment rather than point-in-time snapshots. This supports both internal governance and the evidence requirements of external audits.

5. Business Continuity and Incident Readiness

NIS2 requirement: Organizations must maintain business continuity capabilities and conduct regular incident response exercises to ensure they can respond effectively to cybersecurity incidents.

Mitigant's Incident Readiness solution enables security teams to run cloud-specific incident response exercises, test detection and response playbooks against real attack scenarios, and identify gaps before an actual incident occurs. Practising with realistic emulated attacks is the only reliable way to know that your response processes will hold up under NIS2's strict 24-hour and 72-hour reporting windows.

For a deeper look at how adversary emulation strengthens cloud incident investigation, see our blog: Leveraging Adversary Emulation for Effective Cloud Forensic Analysis, co-authored with Cado Security.

6. Cryptography, Encryption, and Access Control Validation

NIS2 requirement: Organizations must implement and maintain appropriate policies on cryptography, encryption, and access control across all systems, including cloud services and container environments.

Mitigant addresses this requirement across both cloud and Kubernetes layers. On the cloud side, CSPM continuously checks that encryption is correctly configured across storage, databases, and services, flagging unencrypted RDS snapshots, S3 buckets, and EBS volumes. Cloud Attack Emulation goes further by actively validating whether those controls hold under attack, including ransomware scenarios that test backup and encryption resilience, and RDS-targeted attacks that probe database snapshot exposure.

On the Kubernetes side, KSPM detects misconfigured access controls, insecure workloads, and privilege escalation risks across cluster environments. Together, these capabilities provide continuous, evidence-based assurance that cryptography and access controls are not just configured but working.
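The cloud-side encryption checks described above, as an added example rather than Mitigant's own code: a minimal posture check that flags unencrypted RDS snapshots, S3 buckets without default encryption, and unencrypted EBS volumes, and that also flags an RDS snapshot whose "restore" attribute is shared with "all" (the public snapshot exposure the RDS-targeted emulation probes). The input records are constructed and only shaped after the AWS DescribeDBSnapshots, DescribeDBSnapshotAttributes, GetBucketEncryption and DescribeVolumes response fields; the NIS2 domain labels follow the Article 21(2) lettering; the key alias and volume ids are placeholders.

```python
"""Added example (not Mitigant's code): CSPM-style encryption posture checks for
NIS2 Article 21 evidence, run over a constructed inventory shaped after AWS API
responses. A real run would fill the inventory via boto3 instead of the literals."""
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    check: str
    severity: str
    nis2_domain: str = "Article 21(2)(h) cryptography and encryption"


def check_rds_snapshots(snapshots, attributes):
    """snapshots: records shaped like DescribeDBSnapshots['DBSnapshots'];
    attributes: {snapshot id: list shaped like DBSnapshotAttributesResult['DBSnapshotAttributes']}."""
    findings = []
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        if not snap.get("Encrypted", False):
            findings.append(Finding(f"rds-snapshot/{sid}", "snapshot_not_encrypted", "high"))
        # A 'restore' attribute containing 'all' means any AWS account can copy or
        # restore the snapshot: public exposure, not just a cryptography gap.
        for attr in attributes.get(sid, []):
            if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
                findings.append(Finding(f"rds-snapshot/{sid}", "snapshot_publicly_restorable",
                                        "critical", "Article 21(2)(i) access control"))
    return findings


def check_s3_buckets(buckets):
    """buckets: {bucket name: ServerSideEncryptionConfiguration dict, or None when
    GetBucketEncryption reported no configuration}."""
    findings = []
    for name, cfg in buckets.items():
        rules = (cfg or {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        algos.discard(None)
        if not algos:
            findings.append(Finding(f"s3/{name}", "no_default_encryption", "medium"))
        elif "aws:kms" not in algos:
            # SSE-S3 only; whether a customer-managed KMS key is required is a policy choice,
            # so this is reported at low severity.
            findings.append(Finding(f"s3/{name}", "sse_s3_only_no_customer_managed_key", "low"))
    return findings


def check_ebs_volumes(volumes):
    """volumes: records shaped like DescribeVolumes['Volumes']."""
    return [Finding(f"ebs/{v['VolumeId']}", "volume_not_encrypted", "high")
            for v in volumes if not v.get("Encrypted", False)]


def assess(inventory):
    """Run all three checks over one inventory dict and return the combined findings."""
    findings = []
    findings += check_rds_snapshots(inventory["rds_snapshots"], inventory["rds_snapshot_attributes"])
    findings += check_s3_buckets(inventory["s3_bucket_encryption"])
    findings += check_ebs_volumes(inventory["ebs_volumes"])
    return findings


def summarize(findings):
    """Count findings per severity, the figure an audit report would quote."""
    by_sev = {}
    for f in findings:
        by_sev[f.severity] = by_sev.get(f.severity, 0) + 1
    return by_sev


# Constructed sample inventory (placeholder identifiers, not real resources).
SAMPLE_INVENTORY = {
    "rds_snapshots": [
        {"DBSnapshotIdentifier": "prod-db-2024-10-01", "Encrypted": True, "SnapshotType": "automated"},
        {"DBSnapshotIdentifier": "legacy-export", "Encrypted": False, "SnapshotType": "manual"},
    ],
    "rds_snapshot_attributes": {
        "prod-db-2024-10-01": [{"AttributeName": "restore", "AttributeValues": []}],
        "legacy-export": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
    },
    "s3_bucket_encryption": {
        "customer-records": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-key"}}]},
        "public-assets": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "scratch": None,
    },
    "ebs_volumes": [
        {"VolumeId": "vol-0000000000000001", "Encrypted": True},
        {"VolumeId": "vol-0000000000000002", "Encrypted": False},
    ],
}

if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:8} {f.resource:36} {f.check}  [{f.nis2_domain}]")
    print(summarize(results))
```

On the sample inventory the run produces five findings: two on the legacy snapshot (unencrypted and publicly restorable), one each on the two non-KMS buckets, and one on the unencrypted volume. Keeping the checks as pure functions over API-shaped records is what makes them testable offline and re-runnable on every inventory refresh, which is the continuous-evidence posture the text contrasts with point-in-time snapshots.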

7. Cloud Penetration Testing

NIS2 requirement: Organizations must regularly test and assess the effectiveness of cybersecurity risk management measures.

Traditional cloud penetration testing is expensive, infrequent, and slow. Waiting months for an external engagement to confirm what your cloud environment looks like today is not a viable NIS2 compliance strategy. Mitigant's Cloud Penetration Testing solution changes this fundamentally.

By combining continuous CSPM findings with on-demand attack emulation, Mitigant delivers structured pentest results in minutes, not months. Security teams can validate exposures as soon as they are detected, with a Mean Time to Validate of under 5 minutes. This means compliance evidence is always current, not six months out of date.

A key area of focus is IAM and privilege escalation. Misconfigured IAM permissions are among the most exploited attack vectors in cloud environments, and among the most commonly flagged issues in NIS2 audits. Mitigant's privilege escalation engine covers 28 IAM-based techniques mapped to real-world attack paths, testing whether an attacker could move from a low-privilege entry point to full cloud account compromise. This gives security teams and auditors concrete, reproducible evidence of whether IAM controls are actually holding.

The result is a cloud pentest capability that is continuous, self-service, and directly tied to compliance reporting, without the planning overhead, scheduling delays, or cost of traditional external engagements.
