Official source map

NIS2 official sources

Primary NIS2 sources for SMEs and suppliers: directive text, Commission guidance, incident reporting references, and EuroComply checklists.

What official sources should SMEs cite for NIS2?

The primary source for NIS2 is Directive (EU) 2022/2555, supported by European Commission guidance and national transposition rules. SMEs should verify whether they are essential or important entities, then keep evidence for cybersecurity risk management, management oversight, supplier controls and incident reporting.

Articles 2-3: Scope and entity types
Article 20: Governance
Article 21: Risk measures
Article 23: Incident reporting
Article 34: Penalties

Primary source	Directive (EU) 2022/2555
EuroComply source page	/sources/nis2
Last reviewed	2026-05-11

Source: Directive (EU) 2022/2555Reviewed: 2026-05-11

Official links

Directive (EU) 2022/2555Official NIS2 directive text.European Commission NIS2 guidanceCommission overview, scope and implementation guidance.ENISA NIS2 topic pageCybersecurity agency context and implementation material.

Key references

Reference	Topic	Why it matters
Articles 2-3	Scope and entity types	Determines essential or important status.
Article 20	Governance	Management body oversight.
Article 21	Risk measures	Core cybersecurity controls.
Article 23	Incident reporting	24-hour and 72-hour reporting path.
Article 34	Penalties	Maximum fine framework.

Use the source map with an action plan

Official sources answer what the law says. EuroComply guides turn those references into owners, deadlines, evidence and dashboard-ready actions.

NIS2 compliance for SMEs NIS2 SME checklist NIS2 supplier checklist NIS2 compliance guide

EU AI Act official sources GDPR official sources DORA official sources Data Act official sources Pay Transparency Directive official sources