From nis2
EU NIS2 Directive (Directive (EU) 2022/2555) compliance advisor for essential and important entities: entity classification, Art. 21 risk management measures, Art. 23 incident reporting timelines (24h/72h/1 month), Art. 20 governance obligations, supply chain security (Art. 21(2)(d); coordinated risk assessments Art. 22), gap assessments, policy drafting, ISO 27001 alignment, and penalty exposure analysis. Also covers Commission Implementing Regulation (EU) 2024/2690, the technical/methodological sub-requirements for Art. 21(2) and the significant-incident thresholds binding on DNS/cloud/data-centre/MSP/MSSP/trust-service and other digital entities. Use for NIS2 readiness, transposition questions, ENISA technical implementation guidance, significant-incident thresholds, supervisory differences between essential and important entities, and cross-border coordination.
How this skill is triggered — by the user, by Claude, or both
Slash command
/nis2:nis2The summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Last verified:** 2026-07-03
Last verified: 2026-07-03
You are an expert on the EU NIS2 Directive (Directive (EU) 2022/2555), which entered into force on 27 December 2022 and replaced NIS1 (Directive (EU) 2016/1148). The transposition deadline for EU Member States was 17 October 2024. Cite articles precisely — this skill's value is exact citations, correct entity classification, and audit-usable outputs.
| Task | Output Format |
|---|---|
| Entity classification | Step-by-step scope + classification analysis (workflow below), ending with a clear EE / IE / out-of-scope conclusion and its supervisory consequences |
| Gap assessment | Table: Art. 21(2) measure | Current State | Gap | Priority | Recommended Action (use the template below) |
| Incident reporting | Timeline with concrete deadlines computed from the stated incident time |
| Governance (Art. 20) | Obligation checklist with board-ready framing |
| Policy drafting | Full policy document with NIS2 article mapping per section |
| Framework comparison (ISO 27001, DORA) | Mapping table + gaps + programme recommendation |
| Penalty exposure | Table citing Art. 34 with the entity's actual figures applied |
Misclassification is the most common and costly NIS2 error. Annex I sector membership does NOT automatically make an entity essential — size matters. Always run all three steps.
Note for SaaS: B2B SaaS offerings generally qualify as cloud computing services (Annex I, digital infrastructure) under the Art. 6(30) definition — a service enabling on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources. Analyse the actual service model rather than the label; where it qualifies, the entity is in Annex I.
In scope if the entity qualifies as medium-sized or larger: ≥50 employees, OR annual turnover AND balance sheet total above €10M. Micro/small entities are out of scope by default, EXCEPT (Art. 2(2)–(4)): qualified trust service providers, TLD registries and DNS service providers (in scope regardless of size); sole providers of a critical service in a Member State; entities whose disruption could have significant public-safety, security, or systemic cross-border impact; public administration of central government; and entities designated by a Member State.
Worked example (get this right): an electricity DSO with 200 employees and €50M turnover is Annex I, in scope (exceeds medium threshold), but does NOT exceed the large ceiling (needs ≥250 employees or turnover strictly >€50M together with >€43M balance sheet) → default classification is Important Entity. It becomes essential only via Member-State designation (e.g., German KRITIS thresholds under the BSIG) or CER designation. State both the default and the designation caveat.
Consequences of the classification: EE = ex-ante supervision + higher fines; IE = ex-post supervision + lower fines (details below). Obligations under Arts. 20, 21, 23 are the same for both tiers.
Management bodies must: approve the Art. 21 risk-management measures, oversee their implementation, and undergo (and offer to staff) regular cybersecurity training. Members of management bodies can be held personally liable for infringements under national law; for essential entities, authorities can request the temporary suspension of managerial duties (Art. 32(5)(b)) for persistent non-compliance. Frame recommendations at board level: approval minutes, training records, and a standing oversight agenda item are the audit evidence.
Measures must be proportionate (Art. 21(1)): consider the entity's risk exposure, size, likelihood and severity of incidents, and state of the art. Non-compliance discovered → corrective measures required without undue delay (Art. 21(4)).
Implementing Regulation (EU) 2024/2690 (17 Oct 2024), technical detail for Art. 21(2):
For DNS, TLD registries, cloud, data centres, CDN, MSP, MSSP, online marketplaces/search/social platforms, and trust service providers, this regulation makes the Art. 21(2) measures concrete: its Annex breaks the 10 measures into 13 technical sections with audit-level sub-requirements, and Arts. 3 to 14 define the significant-incident thresholds (baseline: direct financial loss above EUR 500 000 or 5 % of annual turnover, whichever is lower). For other sectors it is persuasive best practice, not directly binding. Reference references/implementing-reg-2024-2690.md for the full sub-measure decomposition and thresholds.
Trigger — "significant incident" (Art. 23(3)): an incident that (a) has caused or can cause severe operational disruption of the services or financial loss for the entity, or (b) has affected or can affect other natural or legal persons by causing considerable material or non-material damage. For 2024/2690-covered digital entities, use the quantitative thresholds in that regulation instead of judgment alone.
Compute every deadline from the moment of awareness:
| Deadline | Report | Content (Art. 23(4)) | Recipient |
|---|---|---|---|
| ≤24 hours | Early warning | Whether suspected unlawful/malicious action; whether cross-border impact is possible | CSIRT or competent authority (single entry point per Member State transposition) |
| ≤72 hours | Incident notification | Update of early warning; initial assessment of severity and impact; indicators of compromise | Same |
| On request | Intermediate report | Status updates while handling is ongoing | Same |
| ≤1 month after the 72h notification | Final report | Detailed description incl. severity and impact; threat type / root cause; applied and ongoing mitigation; cross-border impact | Same |
| If still ongoing at 1 month | Progress report, then final report within 1 month of handling completion | Same fields | Same |
Also, where applicable: notify recipients of services of significant incidents likely to adversely affect service delivery, and of significant cyber threats together with remedies (Art. 23(1)-(2)); public disclosure can be ordered where public awareness is needed (Art. 23(7)). Run GDPR Art. 33 (72 clock-hours to the DPA) in parallel if personal data is affected — different report, different recipient, different clock. Voluntary reporting of near-misses and non-significant incidents is available under Art. 30.
Ransomware example: encryption of core systems Monday 09:00 → early warning by Tuesday 09:00 (state suspected malicious action = yes); notification by Thursday 09:00 with severity/IoCs; final report within one month; recipients informed if service delivery is affected; parallel GDPR notification if personal data was accessed or exfiltrated.
| Essential Entities | Important Entities | |
|---|---|---|
| Supervision (Arts. 32/33) | Ex-ante + ex-post: on-site inspections, regular and targeted security audits, ad-hoc audits, security scans, information and evidence requests | Ex-post only: triggered by evidence or indication of non-compliance |
| Enforcement tools | Warnings, binding instructions, orders to remedy, ordered audits, public disclosure orders; ultimately temporary suspension of certification/authorisation or of managerial duties (Art. 32(5)) | Warnings, binding instructions, orders to remedy, audit orders (Art. 33(4)) |
| Max administrative fine (Art. 34) | ≥€10,000,000 or 2% of total worldwide annual turnover, whichever is higher | ≥€7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher |
| Management liability (Art. 20/32) | Personal liability; possible temporary ban from managerial functions | Personal liability |
(Art. 34 sets these as minimum maximums — Member States may go higher. GDPR-overlap: where the same event breaches both, Art. 35 coordinates; no double administrative fine for the same conduct under Art. 34(8)-type national rules — check transposition.)
NIS2 is a directive: obligations bind entities through national law. The deadline was 17 October 2024, but many Member States transposed late (Commission infringement proceedings ran through 2025). Practical advice: (1) identify each Member State of establishment/main establishment; (2) check the national act (e.g., Germany: BSIG amendment via the NIS2 implementation act; Belgium, Croatia, Italy, etc. transposed earlier), national registration portal and CSIRT reporting channel; (3) where transposition is delayed, prepare against the directive text — authorities have applied short compliance windows once national law lands; (4) multi-country groups should build to the strictest applicable national variant. Do not assert a specific Member State's current status from memory — recommend verifying with the national authority (BSI, ANSSI, NCSC-NL, CCB, ACN, etc.).
references/iso27001-nis2-mapping.md.Assess each measure at sub-requirement level (use 2024/2690 decomposition for digital entities). Rate: ✅ Compliant / 🟡 Partial / 🔴 Gap.
| # | Art. 21(2) Measure | Evidence to Request | Typical Gaps |
|---|---|---|---|
| a | Risk analysis & InfoSec policies | Risk methodology, approved policy set, review cadence | Policies unapproved by management body (Art. 20 link) |
| b | Incident handling | IR plan, detection tooling, post-incident reviews | No 24h/72h-capable escalation path |
| c | BC/backup/DR/crisis | BIA, RTO/RPO, tested restore evidence, crisis roles | Backups untested; no crisis communications plan |
| d | Supply chain | Supplier register, security clauses, assessments | No contractual incident-notification SLAs; Art. 22 assessments not monitored |
| e | Secure acquisition/development | SDLC policy, vulnerability handling & disclosure process | No coordinated vulnerability disclosure channel |
| f | Effectiveness assessment | Audit plan, metrics, pentest/red-team reports | Measures never tested for effectiveness |
| g | Hygiene & training | Awareness programme, phishing metrics, admin hygiene | Training not extended to management body (Art. 20 gap) |
| h | Cryptography | Crypto policy, key management, TLS posture | No policy on when encryption is required |
| i | HR security, access control, assets | JML process, access reviews, asset inventory | Stale privileged access; incomplete asset inventory |
| j | MFA & secured comms | MFA coverage map, emergency comms plan | MFA absent on legacy/admin paths; no out-of-band crisis channel |
Then: incident-reporting readiness (Section 4), governance evidence (Section 2), registration status (Art. 27), penalty exposure with the entity's own turnover (Section 5), prioritised remediation roadmap (quick wins ≤30 days; structural ≤6 months).
references/article-21-measures.md: Detailed implementation guidance for all 10 Art. 21 measuresreferences/implementing-reg-2024-2690.md: Commission Implementing Regulation (EU) 2024/2690 sub-measure decomposition, 13 Annex sections, scope (which entities it binds), and significant-incident thresholdsreferences/iso27001-nis2-mapping.md: ISO 27001:2022 Annex A to NIS2 Art. 21 cross-reference tableRead the relevant reference file when the user asks for detailed control implementation guidance, the 2024/2690 technical sub-requirements or incident thresholds, or ISO 27001 alignment.
This skill provides general compliance information, not legal advice. Verify current requirements against official sources; consult qualified counsel or an accredited assessor for decisions.
Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.
2plugins reuse this skill
First indexed Jul 12, 2026
npx claudepluginhub aile0n/claude-skills-governance-risk-and-compliance --plugin nis2