EuroComply

For IT Directors and Security Leads

See every vendor, every NIS2 measure, every incident clock on one screen.

NIS2 compliance across 50+ EU essential entities

EuroComply gives IT Directors one screen combining active incidents (with the GDPR 72h and NIS2 24h clocks), open NIS2 Article 21 measures, and vendor sovereignty risk — all colour-coded by urgency, all exportable as CSV.

What EU compliance tools do IT Directors need?

  • NIS2 Article 21 gap analysis mapping current technical measures against all 10 requirements
  • Incident log with live 72h GDPR and 24h NIS2 countdown clocks — structured fields match Article 33(3)
  • Vendor sovereignty dashboard: EU data residency, Cloud Act exposure, sub-processor chain, DPA status
  • AI Act deployer obligation tracker covering Article 16, 26, and 27 alongside security controls
Source: NIS2 Directive (Directive (EU) 2022/2555), EUR-Lex

Get the weekly EU compliance briefing — 2 minutes, every Thursday.

Next step — classify

Run NIS2 gap analysis →

No card required. EU-hosted. Built for IT teams managing multiple regulations.

Frequently asked questions

What does NIS2 Article 21 require from IT Directors?

NIS2 Article 21(1) requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures, following an all-hazards approach. Article 21(2) lists the 10 minimum categories those measures must cover: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including the security aspects of relationships with direct suppliers and service providers; (e) security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of the risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures on the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; and (j) the use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate. A gap analysis against this list should record, for each category, the control in place, the evidence for it and its owner, because that is what a supervisory authority will ask to see.

What are the NIS2 incident reporting deadlines?

NIS2 Article 23 sets a three-stage obligation for significant incidents, with each submission going to the national CSIRT or, where applicable, the competent authority: within 24 hours of becoming aware of the incident, an early warning stating whether it is suspected to be caused by unlawful or malicious acts or could have a cross-border impact; within 72 hours of becoming aware, an incident notification that updates the early warning and gives an initial assessment of severity and impact and, where available, indicators of compromise; and not later than one month after that incident notification (not after the incident itself), a final report with a detailed description including severity and impact, the type of threat or root cause likely to have triggered it, applied and ongoing mitigation measures and, where applicable, the cross-border impact. The CSIRT or authority may request an intermediate status update at any time, and if the incident is still ongoing at the one-month mark, a progress report is due then and the final report within one month of the incident being handled. The 24-hour and 72-hour clocks are stricter than GDPR Article 33, which applies in parallel whenever personal data is involved, so a single incident can run two clocks from the same moment of awareness.

How does the GDPR 72-hour breach notification work?

GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Under Article 33(3) the notification must at least: describe the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned; give the name and contact details of the DPO or another contact point; describe the likely consequences; and describe the measures taken or proposed to address the breach and mitigate its effects. Where the information cannot all be provided at once, Article 33(4) allows it to be provided in phases without undue further delay; where the notification itself is later than 72 hours, it must be accompanied by the reasons for the delay. The clock runs from the controller's awareness, not from the breach itself; a processor must notify the controller without undue delay under Article 33(2), so processor contracts should fix a notification window that leaves the controller time to act. Article 33(5) also requires the controller to document every breach, including those not notified, and Article 34 separately requires informing affected individuals where the breach is likely to result in a high risk.

What is CLOUD Act exposure and why does it matter for vendor selection?

The US CLOUD Act (2018) amended the Stored Communications Act so that a provider subject to US jurisdiction must preserve and disclose data in its possession, custody or control in response to US legal process, regardless of where the data is physically stored; the Act also gives providers a limited route to challenge an order that conflicts with the law of a qualifying foreign government. In practice a vendor has CLOUD Act exposure if it is incorporated in the US, operates there, or is controlled by a US entity, including an EU-incorporated subsidiary of a US parent, because the parent's control brings the data within reach. For IT directors this matters in three places: GDPR Chapter V transfer rules and Article 48, under which a foreign court order is not by itself a lawful basis for disclosure; NIS2 Article 21(2)(d) supply chain security, which requires the risk to be assessed and documented; and contractual EU data-residency commitments to clients. Residency alone does not remove the exposure, since the Act attaches to the provider rather than to the location of the data, so a sovereignty-first procurement policy looks at the ownership and control of the vendor and of each sub-processor in its chain, and avoids US-controlled vendors for critical personal data and sensitive infrastructure.

What are DORA's ICT risk management requirements?

DORA (Regulation (EU) 2022/2554) applies from 17 January 2025 and requires financial entities to operate an ICT risk management framework covering: ICT strategy and governance with management-body accountability; identification and classification of ICT assets and risks; ICT-related incident management, classification and reporting of major incidents; digital operational resilience testing, including threat-led penetration testing (TLPT) at least every three years for entities identified by their competent authority; ICT third-party risk management, including a register of information on all contractual arrangements with ICT service providers; and voluntary information-sharing arrangements on cyber threats. IT directors in financial entities must align their controls with the regulatory and implementing technical standards (RTS/ITS) drafted by EBA, ESMA and EIOPA and adopted by the Commission, which specify, among other things, the incident classification criteria and the register template.

What are the EU AI Act deployer obligations for IT teams?

Organisations that deploy (rather than build) high-risk AI systems have their own obligations under EU AI Act Article 26: use the system in accordance with the provider's instructions for use; assign human oversight to natural persons with the competence, training and authority to exercise it; ensure, to the extent they control it, that input data is relevant and sufficiently representative; monitor the system's operation per the instructions and, where there is reason to believe its use may present a risk, inform the provider and the market surveillance authority and suspend use; keep the logs the system generates automatically, where under their control, for at least six months; and inform workers and their representatives before putting a high-risk system into use in the workplace. The AI literacy duty is a separate provision (Article 4) that applies to all providers and deployers, not only those of high-risk systems. A fundamental rights impact assessment under Article 27 is required before first use by bodies governed by public law, by private operators providing public services, and by deployers of systems used for creditworthiness assessment or life and health insurance risk pricing. Article 16 lists the corresponding provider obligations, which is why a deployer tracker needs to record which role the organisation plays for each system.

What is the difference between NIS2 essential and important entities?

NIS2 Annex I lists the sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration and space. Annex II lists other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networks) and research. The essential/important split is not simply Annex I versus Annex II: under Article 3, an entity is essential if it is in an Annex I sector and exceeds the large-enterprise threshold, or belongs to a class covered regardless of size (such as qualified trust service providers, TLD name registries, DNS service providers and central government public administration), or is designated by a Member State; all other entities in either annex that meet the medium-enterprise threshold (50 or more employees, or annual turnover or balance sheet above EUR 10 million) are important entities. Essential entities are subject to proactive ex ante and ex post supervision (Article 32); important entities face reactive ex post supervision triggered by evidence of non-compliance (Article 33), but their Article 21 and 23 obligations are the same.

How does NIS2 affect supply chain security practices?

NIS2 Article 21(2)(d) requires essential and important entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers, and Article 21(3) requires them to take into account each supplier's vulnerabilities, overall product quality and cybersecurity practices, including secure development, together with the results of the coordinated risk assessments of critical supply chains carried out under Article 22. Practically: maintain a register of ICT service providers and what each one touches; assess the security posture of critical suppliers with evidence rather than questionnaire self-attestation; put security requirements, incident notification duties and audit rights into ICT contracts; monitor sub-processor chains for changes in ownership and jurisdiction; and be able to demonstrate supplier due diligence to the supervisory authority on request. ENISA guidance on supply chain security and the Article 21(5) implementing acts for digital infrastructure and digital service entities give the level of detail authorities can be expected to check against.

For informational purposes only. This is not legal advice — consult qualified legal counsel.