NIS2 Readiness Guide for Essential & Important Entities
A comprehensive implementation roadmap for organisations subject to EU Directive 2022/2555. From entity classification through operational compliance, providing the structured methodology to achieve and demonstrate NIS2 readiness across complex organisational structures.
Overview
NIS2 represents the most significant expansion of EU cybersecurity regulation since GDPR. Organisations across 18 sectors face mandatory security requirements, incident reporting obligations, and management body accountability carrying penalties of up to €10 million or 2% of global turnover. For PE portfolio companies and Family Office holdings, compliance carries direct financial and personal liability consequences.
This guide distils the directive's 46 articles into a practical implementation roadmap with decision frameworks, assessment templates, and procedural checklists deployable immediately. The methodology reflects Intarmour's direct experience implementing NIS2 programmes across regulated entities in multiple EU jurisdictions.
Designed for organisations at any preparation stage: entity classification determines scope and tier, gap analysis quantifies the delta to compliance, and implementation checklists provide operational detail to close gaps within defined timelines.
What's Included
Five interconnected modules forming a complete NIS2 implementation pathway from classification through operational compliance.
Entity Classification Flowchart
Decision-tree methodology for determining essential entity, important entity, or out-of-scope status. Covers size thresholds, Annex I and II sector mapping, cross-border criteria, and member-state-specific designations with worked examples for financial services, technology, and manufacturing.
Gap Analysis Template
Structured assessment mapping current controls against NIS2 Article 21 requirements. Includes maturity indicators, evidence requirements, and priority classification, producing a quantified readiness score identifying critical gaps versus areas needing only documentation enhancement.
Governance Framework Checklist
Implementation checklist for Article 20 management body obligations: board-level cybersecurity training, risk management approval processes, oversight responsibilities, personal liability provisions, role definitions, meeting cadence, and documentation templates for demonstrating governance compliance.
Incident Reporting Procedures
Step-by-step notification procedures aligned with Article 23: early warning within 24 hours, incident notification within 72 hours, final report within one month. Includes templates, competent authority contact registers by member state, and decision criteria for triggering reporting obligations.
Supply Chain Security Requirements
Framework for implementing Article 21(2)(d) supply chain measures: vendor risk assessment methodology, contractual security templates, critical supplier identification, and monitoring protocols. Addresses managing supply chain obligations across multi-entity portfolios.
Why It's Valuable
NIS2 introduces concepts unfamiliar to many operational teams: entity classification varying by member state, management body personal liability, multi-stage incident notification with specific time thresholds, and supply chain obligations extending beyond organisational boundaries. This guide provides the structured methodology to navigate each requirement systematically.
For PE firms managing portfolios of regulated entities, the guide enables consistent compliance assessment across holdings using the same classification, gap analysis, and implementation framework — producing comparable readiness metrics that aggregate into fund-level compliance reporting for LPs and advisory boards.
For board directors, the guide translates Article 20 personal liability provisions into concrete governance actions — clarifying what “approval and oversight of cybersecurity risk-management measures” means operationally and documenting compliance to protect individual directors from NIS2 sanctions.
Download the Guide
Provide your professional email to receive the complete NIS2 Readiness Guide, including all five implementation modules and supporting templates.