EU Cybersecurity Directive 2022/2555

Is Your Organization
NIS2 Compliant?

BALTUM Bureau helps EU organizations achieve NIS2 compliance through audits, consulting, and training. Stay ahead of regulatory requirements — protect your business, avoid fines.

Try our AI-powered NIS2 Assessment →
160K+
Companies Affected
€10M
Max Fine
Oct 2024
EU Deadline
15+
Sectors Covered

What is NIS2?

NIS2 (Directive EU 2022/2555) is Europe's most comprehensive cybersecurity directive. It replaces NIS1 and introduces stricter requirements for risk management, incident reporting, and supply chain security across critical sectors.

Essential Entities

Energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space

Fines up to €10M or 2% of global annual turnover

Important Entities

Postal services, waste management, chemicals, food production, manufacturing, digital providers, research organizations

Fines up to €7M or 1.4% of global annual turnover

Our Services

Practical NIS2 compliance support from certified auditors. We take your organization from gap analysis through to full compliance readiness — no buzzwords, just results.

01

NIS2 Audit

  • Gap analysis against NIS2 requirements
  • Assessment of current cybersecurity posture
  • Detailed findings report with recommendations
  • Risk prioritization roadmap
Request Audit
03

NIS2 Training

  • Management awareness training
  • Technical team workshops
  • Incident response drills
  • Certification preparation
Book Training

Key NIS2 Requirements

NIS2 Article 21 requires organizations to implement proportionate technical, operational, and organizational measures to manage cybersecurity risk. Here's what that means in practice.

Risk Management
Systematic identification and treatment of cybersecurity risks
Incident Handling
24h initial alert, 72h full notification to authorities
Business Continuity
BCP, disaster recovery, and backup management plans
Supply Chain Security
Vendor risk management and third-party security assessments
Network Security
Securing network and information systems infrastructure
Access Control & MFA
Zero-trust access policies and multi-factor authentication
Vulnerability Management
Regular scanning, patching, and disclosure procedures
Encryption
Data encryption in transit and at rest, cryptographic controls
HR Security & Awareness
Staff training, background checks, security culture programs
Asset Management
Complete inventory of IT/OT assets with risk classification

Who Does NIS2 Apply To?

NIS2 covers organizations in critical sectors with 50+ employees OR €10M+ annual turnover. Member states may extend the scope further — if you're unsure, ask us.

Energy
🚂
Transport
🏦
Banking
📈
Financial Markets
🏥
Health
💧
Drinking Water
🌊
Wastewater
🌐
Digital Infrastructure
☁️
ICT Service Mgmt
🏛️
Public Administration
🚀
Space
📦
Postal Services
♻️
Waste Management
🧪
Chemicals
🍎
Food
🏭
Manufacturing
💻
Digital Providers
Size Thresholds: Medium and large organizations — 50+ employees OR €10M+ annual turnover operating in the sectors above must comply with NIS2.

Why Choose BALTUM Bureau?

International certification and compliance group with a worldwide network of auditors.

BALTUM is an international certification and compliance group delivering ISO management system certification, cybersecurity frameworks, and regulatory compliance programmes globally. We provide an integrated path from readiness assessment through to formal certification — in cooperation with accredited international certification bodies.

15+ Frameworks Covered

ISO 27001, ISO 27701, ISO 42001, ISO 9001, ISO 22301, ISO 20000-1, SOC 2, PCI DSS, GDPR, DORA, NIS2, ENS, NIST CSF, Cyber Essentials and more — all under one roof.

End-to-End Service

From initial gap assessment and documentation through internal audit, management review, and final certification audit — we manage the entire process.

Worldwide Auditor Network

Our certified auditors operate across Europe, UK, USA, Middle East, and Asia. Remote-first delivery means no travel costs and faster turnaround.

Integrated Implementation

Implement multiple standards simultaneously. Shared documentation and controls mean up to 40% cost savings vs. separate engagements.

EU Regulatory Expertise

Deep knowledge of EU cybersecurity regulations: NIS2, DORA, GDPR, ENS (Spain), and sector-specific requirements across 15 industries.

Proven Track Record

Clients across IT, finance, healthcare, manufacturing, and professional services. Typical ISO 27001 engagement: 3–6 months from kick-off to certificate.

15+ Standards
50+ Countries
3–6 months typical timeline
100% Remote-first delivery

NIS2 & Other Standards

Already certified against ISO 27001 or SOC 2? A significant portion of NIS2 work is already done. Here's a straightforward breakdown of how much overlaps.

ISO 27001
75–80% overlap
✓ Covered Risk management Access control Incident response Encryption Asset management Vulnerability management Supplier security HR security
⚠ NIS2 Gaps Personal liability of management 24/72h incident reporting timelines Sector-specific requirements
ISO 9001
25–30% overlap
✓ Covered Risk-based thinking Document control Internal audit Management review Continual improvement
⚠ NIS2 Gaps Most cybersecurity controls Incident handling Network security Technical measures
SOC 2
55–65% overlap
✓ Covered Security controls Access management Incident response Availability Encryption Monitoring
⚠ NIS2 Gaps EU regulatory requirements Supply chain specifics Management liability Incident reporting timelines
ISO 27701
40–50% overlap (with ISO 27001)
✓ Covered Privacy-related controls Data processing records Third-party management
⚠ NIS2 Gaps NIS2-specific technical measures Sector requirements Incident notification to authorities
GDPR
35–40% overlap
✓ Covered Incident notification Data protection measures Third-party processors Privacy by design DPO role
⚠ NIS2 Gaps Network security Vulnerability management Business continuity specifics Sector requirements
ISO 22301
30–35% overlap
✓ Covered Business continuity planning Recovery objectives Incident response Testing and exercises
⚠ NIS2 Gaps Cybersecurity-specific controls Incident reporting timelines Access control Technical security measures

Find out your exact NIS2 gap — request a free assessment

Request Free Gap Assessment

Why Implement NIS2 Together with ISO Standards?

One project. Multiple certifications. Less cost.

Save Time & Money

When NIS2 is implemented alongside ISO 27001, ISO 27701, or ISO 9001, overlapping work is done once — not twice. Shared documentation, risk assessments, and control frameworks reduce project time by up to 40%.

Single Audit Cycle

Combine audit preparation, internal audits, and management reviews across multiple standards in one coordinated cycle. Our auditors cover all frameworks simultaneously, reducing disruption to your team.

Future-Ready Compliance

Starting with an integrated approach means adding new standards later (ISO 42001 for AI, DORA for finance) requires minimal additional effort — your compliance foundation is already in place.

Separate Implementation Integrated with BALTUM
Documentation effort High (duplicated) Low (shared)
Time to compliance 12–18 months 6–10 months
Cost Higher Up to 40% less
Audit coordination Complex Streamlined
Team disruption High Minimal
Request an integrated NIS2 + ISO implementation proposal →

Latest from Our Blog

Expert articles on NIS2 implementation, compliance strategies, and EU cybersecurity regulations — written by certified auditors at BALTUM Bureau.

Incident Management May 2026

NIS2 Incident Reporting: The 24-Hour and 72-Hour Rules Explained

NIS2 introduces strict incident notification timelines. Learn what counts as a significant incident, the three-stage reporting process, and how to prepare your organization.

By BALTUM Bureau Read more →
Supply Chain May 2026

NIS2 Supply Chain Security: What You Need to Know About Vendor Risk

NIS2 Article 21(2)(d) makes vendor security a legal obligation. Learn how to assess supplier risk, build a vendor program, and protect your supply chain under NIS2.

By BALTUM Bureau Read more →
Scope & Categories May 2026

Essential vs Important Entities Under NIS2: Which Category Are You?

NIS2 divides organizations into Essential and Important Entities with different oversight levels and fines. Find out which category applies and what it means for your compliance program.

By BALTUM Bureau Read more →
View All Articles →

Get Your Free
NIS2 Assessment

Not sure if NIS2 applies to your organization? Send us a message — we'll review your situation and give you a straight answer, free of charge.

For a quick automated assessment, try our AI NIS2 tool at baltum.ai

We respond within 1 business day. No spam, ever.