NIS2 monitoring in a single inbox.
NIS2 (Directive (EU) 2022/2555) had to be transposed by 17 October 2024 — but a substantial number of Member States missed the deadline and the Commission opened infringement proceedings in 2025. The directive applies to a much wider universe than NIS1: essential and important entities now include banks, some insurers, payment institutions, and other critical-services providers. For financial entities the picture is layered: DORA acts as lex specialis for ICT risk and incident reporting; NIS2 covers what DORA does not. Horizon Scanner watches the Commission, ENISA, every Member-State transposition and the national cybersecurity authorities — and clearly tags where the DORA-NIS2 boundary sits for your entity.
Scope
What NIS2 covers — and what we crawl for it.
Directive (EU) 2022/2555 and Commission Implementing Regulation
The directive itself plus Commission Implementing Regulation (EU) 2024/2690 on cybersecurity risk-management measures for specified entity categories. Amendments and national-court referrals tracked at source.
Essential vs. Important entity classification
Annex I (essential) and Annex II (important) entity categories. The classification drives the supervisory regime (ex-ante for essential, ex-post for important) and the size of administrative fines. National transpositions occasionally tighten the criteria.
DORA-NIS2 lex-specialis boundary
Article 4 of NIS2 makes DORA the lex specialis for financial entities on ICT-risk management and incident reporting. For entities outside DORA scope (or for the non-ICT obligations of NIS2), NIS2 applies directly. The boundary is non-trivial — we tag findings on the right side of it.
Management-body responsibility (Art. 20)
Article 20 personal accountability for management bodies: approval of risk-management measures, oversight, training. National implementations often add specific board-training cycles. We track BSI (DE), BfC (AT), ANSSI (FR) and others.
Supply-chain security (Art. 21)
Article 21(2)(d) supply-chain risk management, contractual cascading of cybersecurity requirements, and the Article 22 "coordinated risk assessments of critical supply chains" at EU level. ENISA outputs and the EU Cooperation Group's targeted risk assessments.
Incident reporting (Art. 23)
24h early-warning / 72h notification / one-month final report cadence. National CSIRT contact points. For DORA-scope entities the DORA reporting regime applies; for others (utilities, healthcare, manufacturing) NIS2 reporting is direct.
How Horizon Scanner helps
Specifically for NIS2 teams.
- 01 Filtered by entity classification
Configure your NIS2 classification (essential / important) and sector (Annex I / II). The inbox filters to obligations that actually apply; essential-only items don't reach important-entity-only teams.
- 02 DORA-NIS2 deduplication
For financial entities we tag findings as "DORA-only", "NIS2-only" or "both". A regulatory item already covered by DORA's lex-specialis status doesn't generate a parallel NIS2 finding — but the non-ICT NIS2 obligations (e.g. management-body training under Art. 20) reach you correctly.
- 03 Routes to CISO, governance, legal
Default routing: technical risk-management measures to the CISO, management-body training items to corporate governance, supply-chain-security clauses to legal/procurement, fines/enforcement to compliance.
- 04 National transposition tracker
Each Member State's transposition act (and any infringement-proceedings updates) is tracked. Multi-jurisdictional groups see deltas across their footprint at a glance — useful for harmonising internal policies across borders.
Sources monitored
The regulators we crawl for NIS2.
- EUR-Lex: Directive (EU) 2022/2555, Commission Implementing Regulation (EU) 2024/2690, amending acts, infringement-proceedings notices.
- ENISA: Technical guidelines and good-practice reports on NIS2 risk-management measures, supply-chain-risk advisories, threat landscapes.
- Commission: EU-level coordinated risk assessments, NIS Cooperation Group outputs, infringement-proceedings letters.
- BSI (DE): Bundesamt für Sicherheit in der Informationstechnik, the German national cybersecurity authority. Technical advisories, sectoral guidance, KRITIS coordination.
- ANSSI (FR): Agence nationale de la sécurité des systèmes d'information, the French national cybersecurity authority. Technical guides, OIV/OSE designations.
- BfC / FMA (AT): Bundesamt für Cybersicherheit (BfC), Austria's central NIS2 authority under the Interior Ministry (NISG 2026, in force from 1 October 2026), plus the FMA where the entity also sits under financial supervision.
- BaFin / ECB: Where NIS2 applies to financial entities outside the DORA lex specialis, BaFin and ECB-SSM expectations on the non-ICT NIS2 obligations.
- National CSIRTs: Computer Security Incident Response Teams in each Member State, covering incident-reporting endpoints and sectoral advisories.
Custom sources can be added in minutes — supervisory blog feeds, association circulars, internal counsel memos all route through the same engine.
FAQ
What NIS2 buyers ask first.
We are an insurer. Does NIS2 apply to us, or is DORA enough?
Both — but they don't overlap. DORA is lex specialis for ICT risk management, incident reporting, the third-party register, TLPT and resilience testing. For non-ICT NIS2 obligations — most importantly Article 20 management-body accountability and the corporate-governance training cycle — NIS2 applies directly. In addition, Article 21(2)(d) supply-chain measures may apply where DORA's Chapter V third-party regime does not reach. We tag every finding so you see which regime it sits under.
How do you track national transpositions where the deadline was missed?
Each Member State has a transposition status (transposed / partial / pending / infringement). When a Commission infringement-proceedings letter is issued, the affected Member State's findings change severity — operating in a jurisdiction without proper transposition increases supervisory uncertainty. Groups operating across many Member States see the status grid by jurisdiction.
Are CSIRT incident-reporting endpoints integrated?
We track the endpoint addresses, reporting-form changes and any sectoral CSIRT advisories — but we do not submit incident reports on your behalf. Horizon Scanner is a regulatory-intelligence and routing tool, not a notification gateway. The audit trail of who you reported to, when, and which CSIRT acknowledged is held only as a placeholder in the audit log for now.
Can the management-body training cycle be scoped per board member?
On Enterprise the routing engine supports per-individual subscriptions — your CISO sees technical advisories, your CEO sees only the management-body / Article 20 findings, your Chief Risk Officer sees the supply-chain Article 21 items. Subscriptions are configured per role rather than per individual to keep churn manageable when personnel change.