NIS2 Directive
NIS2 introduces direct accountability for management bodies that fail to oversee cybersecurity risk across 18 critical sectors.
The NIS2 Directive (EU) 2022/2555 establishes the baseline for critical infrastructure cybersecurity across the EU. It designates 'essential' and 'important' entities across sectors like energy, finance, healthcare, and digital infrastructure.
The directive mandates stringent risk management measures, strict 24-hour incident reporting, thorough supply chain security assessments, and explicit management accountability. Board members can face personal legal repercussions for systemic compliance failures.
To meet NIS2 obligations, we deploy a hardened operational layer inside your M365 environment. This includes establishing Zero-Trust identity boundaries, configuring Microsoft Sentinel for rapid threat classification, and generating the structured incident evidence necessary to satisfy competent authorities and limit executive liability.
Why This Matters Now
NIS2 has aggressively expanded EU cybersecurity obligations across 18 critical sectors. With enforcement active since October 2024, entities must report significant incidents within 24 hours and maintain enterprise-grade cybersecurity measures. Crucially, NIS2 introduces direct accountability for management bodies that fail to oversee these risks. For M365-dependent enterprises, NIS2 demands deterministic technical controls for Zero-Trust identity management, advanced encryption, rapid incident detection, and verifiable business continuity.
Framework Metadata
Scope & Applicability
NIS2 applies to two categories: Essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and Important entities (postal services, waste management, chemicals, food, manufacturing of medical devices/computers/electronics/machinery/motor vehicles, digital providers including cloud, search engines, online marketplaces, social networks). Medium-sized enterprises (50+ employees or EUR 10M+ turnover) in these sectors are automatically in scope. Some entities are in scope regardless of size.
Core Obligations
Risk Management Measures
Implement appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems. This includes incident handling, business continuity, supply chain security, and vulnerability handling.
Incident Reporting
Submit an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of a significant incident.
Supply Chain Security
Address cybersecurity risks in the supply chain, including security-related aspects concerning relationships with direct suppliers and service providers.
Management Accountability
Management bodies must approve and oversee cybersecurity risk management measures, undergo training, and can be held personally liable for infringements.
Business Continuity
Ensure business continuity including backup management, disaster recovery, and crisis management procedures.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Article 23 - 24-Hour Incident Reporting
Controls: Microsoft Sentinel incident classification against NIS2 significance criteria. Early-warning draft generated within 4 hours of detection. Evidence chain preserved in immutable storage.
Evidence: Verified detection-to-classification timeline, early-warning generation logs, evidence integrity chain.
Article 21 - Risk Management
Controls: Microsoft Secure Score as a continuous risk metric. Conditional Access enforcing risk-based authentication. Defender Vulnerability Management for continuous asset assessment.
Evidence: Monthly Secure Score trend reports, risk-based Conditional Access evaluation logs, vulnerability management posture reports.
Article 21(2)(d) - Supply Chain Security
Controls: Defender for Cloud Apps monitoring all third-party integrations. OAuth app consent workflow requiring admin approval. Quarterly service principal permission reviews.
Evidence: Third-party app inventory, OAuth consent policy configuration, service principal audit reports.
Article 21(2)(c) - Business Continuity
Controls: Microsoft 365 backup via Backup Storage. SharePoint and OneDrive retention policies with point-in-time recovery. Exchange Online archive with litigation hold for critical mailboxes.
Evidence: Backup configuration report, recovery point objective (RPO) metrics, restore test results.
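The Article 23 clock described above (early warning within 24 hours, notification within 72 hours, final report within one month, and the 4-hour internal draft target from the control mapping) is simple to state but easy to miss in practice, so it helps to compute it mechanically from incident records. The following is an added example written for this page; it is not code from the page's authors or from Microsoft. It assumes incidents have been exported from a SIEM such as Microsoft Sentinel into records with the field names shown, reduces the Article 23(3) significance criteria to three boolean impact indicators (an illustration, not a legal test), takes "one month" as 30 days, and uses constructed sample incidents rather than real data.

```python
"""Added example (not the page's or Microsoft's code): check NIS2 Article 23
reporting milestones for incident records exported from a SIEM such as
Microsoft Sentinel. Field names and the significance test are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 23 milestones, measured from the moment the entity became aware of
# the incident. "One month" is taken as 30 days here (assumption).
MILESTONES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}
# Internal target from the control mapping: early-warning draft ready within
# 4 hours of detection.
DRAFT_TARGET = timedelta(hours=4)


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    # Simplified impact indicators standing in for the Article 23(3)
    # significance criteria (assumption; not a legal test).
    service_disruption: bool = False
    financial_loss: bool = False
    third_party_impact: bool = False
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None


def is_significant(inc: Incident) -> bool:
    """Treat the incident as significant if any impact indicator is set."""
    return inc.service_disruption or inc.financial_loss or inc.third_party_impact


def deadlines(detected_at: datetime) -> dict:
    """Absolute deadline for each Article 23 milestone."""
    return {name: detected_at + delta for name, delta in MILESTONES.items()}


def milestone_status(sent_at, deadline, now) -> str:
    """'met'/'late' if a report was sent; 'overdue'/'pending' if it was not."""
    if sent_at is not None:
        return "met" if sent_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def assess(inc: Incident, now: datetime) -> dict:
    """Status of every milestone for one incident, plus the 4h draft check."""
    sent = {
        "early_warning": inc.early_warning_sent_at,
        "notification": inc.notification_sent_at,
        "final_report": inc.final_report_sent_at,
    }
    result = {"incident_id": inc.incident_id, "significant": is_significant(inc)}
    for name, deadline in deadlines(inc.detected_at).items():
        result[name] = milestone_status(sent[name], deadline, now)
    if inc.early_warning_sent_at is not None:
        result["draft_within_target"] = (
            inc.early_warning_sent_at - inc.detected_at <= DRAFT_TARGET
        )
    else:
        result["draft_within_target"] = None  # nothing drafted yet
    return result


def reporting_report(incidents, now: datetime) -> list:
    """Assessments for significant incidents only; others carry no duty to report."""
    return [assess(inc, now) for inc in incidents if is_significant(inc)]


def utc(y, mo, d, h=0, mi=0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample records for the example (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-001", utc(2024, 11, 1, 8), service_disruption=True,
             early_warning_sent_at=utc(2024, 11, 1, 11, 30)),   # warned after 3.5h
    Incident("INC-002", utc(2024, 10, 31, 6), financial_loss=True,
             early_warning_sent_at=utc(2024, 11, 1, 9)),        # warned after 27h
    Incident("INC-003", utc(2024, 10, 30, 0), third_party_impact=True),  # nothing sent
    Incident("INC-004", utc(2024, 11, 2, 10)),                  # no impact: not significant
]
NOW = utc(2024, 11, 2, 12)

if __name__ == "__main__":
    for row in reporting_report(SAMPLE_INCIDENTS, NOW):
        print(row)
```

Run as a scheduled job against the daily incident export, the "overdue" and "late" rows are exactly the items a competent authority will ask about, and the per-incident output doubles as the timeline evidence the mapping above lists for Article 23.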
Implementation Timeline
Related Frameworks
DORA transforms ICT risk management from an IT concern into a board-level legal liability for every EU financial entity and its critical technology providers.
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
The EU AI Act imposes fines up to 7% of global turnover for non-compliant AI deployment—making ungoverned Copilot rollout a material commercial risk.
Ready to get NIS2-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against NIS2 requirements, close gaps, and produce audit-ready evidence.