NIS2 expanded cybersecurity requirements to thousands of companies. Are you one of them?
From critical infrastructure to manufacturing, food, and digital services, NIS2 covers more sectors, demands more, and holds management personally accountable.
Are you in scope for NIS2?
Answer four questions to get an initial indication — and concrete next steps regardless of the result.
Even if you're not directly in scope — your customers are
NIS2 requires in-scope organizations to assess cybersecurity risks across their entire supply chain. That means the requirements reach you as a supplier, regardless of whether you fall under the directive yourself.
The supply chain doesn't stop at your door
NIS2 Article 21 requires in-scope organizations to manage cybersecurity risks in their supplier relationships. That means risk assessments, contractual requirements, and ongoing follow-up — of you.
In practice: your enterprise customers will require you to demonstrate how you manage information security. Not to be difficult — because the law demands it of them.
NIS2 and ISO 27001 overlap — and AmpliFlow supports both
If you already have an ISO 27001 framework, you're well positioned. Here's how NIS2 requirements map to ISO 27001 and where AmpliFlow helps.
| NIS2 requirement | ISO 27001 control | AmpliFlow support |
|---|---|---|
| Risk management measures | Clauses 6.1.2 and 8.2 – Information security risk assessment and treatment (ISO 27001 main body, not Annex A) | Risk matrices with likelihood × consequence, action plans, follow-up |
| Incident handling | A.5.24–A.5.28 – Incident management | Deviation management with categorization, root cause analysis, and timelines |
| Supply chain security | A.5.19–A.5.23 – Supplier relationships | Supplier register for tracking suppliers and contact information |
| Business continuity | A.5.29–A.5.30 – Continuity planning | Pages (wiki) for continuity plans, checklists for exercises |
| Security awareness | A.6.3 – Awareness and training | Competence matrices and training planning |
| Encryption and access control | A.8.24 – Encryption, A.5.15 – Access control | Pages (wiki) for documented policies and procedures |
Four areas NIS2 demands — and AmpliFlow supports
Organizational governance, not technical tools. AmpliFlow handles processes and documentation — not firewalls or intrusion detection.
Risk management
NIS2 requires you to identify, assess, and manage cybersecurity risks. Not as a one-off project — continuously, with documented decisions.
Risk matrices in AmpliFlow
Incident handling
Early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident. Incident notification with an initial assessment within 72 hours. Final report within one month. Without a defined workflow that starts the clock at detection, the 24-hour deadline in particular is easy to miss.
Deviation management in AmpliFlow
Supply chain security
You are responsible for ensuring your suppliers are not a weak link. This requires risk assessment, contractual requirements, and ongoing follow-up.
Supplier register in AmpliFlow
Business continuity
Plans to maintain critical services during cyber incidents. Not just a document — tested, documented, updated.
Pages and checklists in AmpliFlow
NIS2 makes cybersecurity a board issue — not an IT issue
Article 20 of NIS2 is clear: management bodies must approve risk management measures, oversee implementation, and can be held personally liable for non-compliance.
What this means in practice
Management can no longer delegate cybersecurity responsibility to the IT department and hope for the best. NIS2 requires management to actively participate in risk management decisions and to have these decisions documented.
In case of non-compliance, members of the management body can be held liable. For essential entities, Article 32 also allows authorities to temporarily ban individuals at CEO or legal-representative level from exercising management functions. How personal liability and any personal fines are applied is set by each member state's transposition of the directive.
AmpliFlow gives management oversight and documentation
- Risk assessments that management can review — with traceability on decisions and responsible persons
- Audit plans showing cybersecurity measures are followed up systematically
- Incident history documenting how the organization handled security events
- Complete compliance overview — policies, measures, and responsible persons in one place
Questions about NIS2 and AmpliFlow
What is the NIS2 Directive?
NIS2 (EU Directive 2022/2555) is the EU's updated directive for cybersecurity. It expands the original NIS Directive to more sectors, places higher requirements on risk management and incident reporting, and introduces personal accountability for management bodies.
Who does NIS2 apply to?
NIS2 covers "essential" and "important" entities in sectors including energy, transport, healthcare, water supply, digital infrastructure, banking, manufacturing, food, chemicals, waste management, postal services, digital services, and public administration. Your sector (Annex I or Annex II of the directive) combined with size thresholds determines whether you are classified as essential or important, and some entities are in scope regardless of size.
How does NIS2 relate to ISO 27001?
ISO 27001 provides a structured framework for information security that overlaps with many NIS2 requirements. An ISO 27001 certification covers risk management, policies, and security measures. However, NIS2 places additional requirements on incident reporting to authorities within specific timeframes and on supply chain security.
What are the penalties for non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%, whichever is higher. Beyond fines, management bodies can be held personally liable.
How does AmpliFlow support NIS2 compliance?
AmpliFlow handles organizational governance: risk assessment via risk matrices, incident management through the deviation process, pages (wiki) for policies and procedures, supplier register for contact information, audit planning, and competence tracking. AmpliFlow does not replace technical security solutions like firewalls or SIEM systems.
We're not directly in scope — should we care?
Most likely yes. Organizations covered by NIS2 must assess cybersecurity risks in their supply chain. If you are a supplier to a NIS2 organization, they will impose information security requirements on you, regardless of whether you fall under the directive yourself.
Want to see how AmpliFlow supports NIS2 compliance?
Book a demo and we'll show you how risk management, incident reporting, and document control work in practice. We tailor the demonstration to your situation.