Focus 1
Covered sectors
Essential and important entities include energy, transport, banking, health, digital infrastructure, managed ICT, public administration, research, and major digital providers.
Framework hub
NIS2
NIS2 applies to essential and important entities in covered EU sectors, including some non-EU digital service providers serving EU customers.
EU baseline
If you are established in the EU, operate in the EU, or place this product or service on the EU market, treat this as a first-order compliance check. Non-EU reach language means outsiders can also be covered, not that EU companies are outside scope.
Review scopeFocus 2
Key obligations
Risk management, incident reporting, supply chain security, encryption, access control, MFA, and business continuity.
Focus 3
Incident reporting
Significant incidents use 24-hour early warning, 72-hour notification, and 1-month final reporting timelines.
Focus 4
National authorities
ENISA coordinates at EU level; Luxembourg implementation is monitored through Legilux, ILNAS, and sectoral authorities.