The NIS2 Directive (EU 2022/2555) defines in Art. 21 ten mandatory minimum cybersecurity measures that all essential and important entities must implement. Violations can be sanctioned with fines of up to €10M or 2% of global annual turnover.
The 10 minimum measures under NIS2 Art. 21
NIS2 Art. 21 requires: (1) risk analysis and information security policies, (2) business continuity and crisis management, (3) supply chain security — security at suppliers and service providers, (4) security in IT system procurement and development, (5) assessment of security measure effectiveness, (6) cybersecurity training, (7) cryptography and encryption, (8) personnel security and access control, (9) multi-factor authentication, (10) communication security.
360TPRM is the technical platform for NIS2 Art. 21 (d), supply chain security: continuous monitoring, automated risk assessments and audit-ready documentation.
Essential vs. important entities
NIS2 distinguishes two categories: Essential Entities are large organisations in critical sectors (energy, health, transport, finance, water, digital infrastructure) — with the highest requirements and fines up to €10M / 2% turnover. Important Entities are medium-sized organisations in these sectors and additional areas — fines up to €7M / 1.4% turnover.
NIS2 has considerably tightened the fine ranges compared with NIS1, bringing them to GDPR level. Personal liability of the management board is added on top.
NIS2 compliance with 360TPRM
See in a 45-minute demo how 360TPRM specifically meets your requirements.