Who needs to be NIS2 certified? 

NIS2, also without the official certificate, applies to a broad range of organizations that play a critical role in the EU’s economy and society. If your company provides services in sectors like energy, finance, health, transport, or digital infrastructure, there’s a good chance you fall under the scope. 

The directive defines two main categories: 

• Essential entities – organizations in high-impact sectors, depending on their size and industry 

• Important entities – organizations in similar or related sectors, depending on their size and industry 

The exact threshold depends on your industry and size. For example, a cloud provider with more than 50 employees or €10 million turnover could qualify as an important entity. Essential entities may face stricter security and risk management requirements as well as stricter supervision and enforcement. 

National differences matter for NIS2 

NIS2 sets a common EU baseline, but each Member State implements it slightly differently. Some countries may introduce their own certification or audit expectations, especially for essential entities. That’s why it’s critical to monitor your national authority’s guidance and deadlines. 

Not sure if NIS2 applies to you? 

Use our free NIS2 checker to find out if your organization is in scope—and what steps you need to take. 

What are the NIS2 certification requirements? 

To prove compliance with NIS2, your organization needs to implement—and be able to demonstrate—a set of core cybersecurity and risk management measures. These NIS2 requirements apply to both essential and important entities and are designed to improve resilience across the EU. 

Core security requirements under NIS2  

To comply with NIS2, you need to show that your organization has controls in place for: 

• Risk management 
  Establish a structured risk management process with regular assessments, clear mitigation plans, and documentation of risks relevant to your operations. 

• Incident response and reporting 
  Set up processes to detect and respond to cyber incidents—and ensure that significant incidents are reported to national authorities within 24 hours, as required by NIS2. 

• Business continuity and crisis management 
  Maintain tested plans for backups, disaster recovery, and emergency operations to ensure service availability and restore functionality after disruptions. 

• Supply chain security 
  Identify and manage risks posed by third-party vendors. Include cybersecurity obligations in contracts, conduct supplier due diligence, and ensure secure software development practices. 
• Access control and encryption 
  Implement strict access controls, enforce identity and access management policies, and apply encryption to protect sensitive systems and data from unauthorized access. 
• Vulnerability and patch management 
  Monitor for vulnerabilities, apply security patches promptly, and establish procedures for coordinated vulnerability disclosure. 
  
  

What needs to be documented? 

Authorities may not require a formal certificate, but you still need to provide tangible proof of compliance. This includes: 

• Policies and procedures aligned with NIS2 requirements 

• Risk assessments and mitigation plans 

• Security roles and responsibilities, including board-level accountability 
• Records of incidents, audits, and security improvements 
  
  

What controls should be in place? 

At a minimum, your organization should have: 

• A documented information security policy 

• An up-to-date incident response plan 

• Regular third-party risk assessments 

• Defined governance structures 

• Ongoing employee training and awareness 

NIS2 certification and compliance—whether through self-assessment or third-party review—relies on what you can prove, not just what you claim. Solid documentation and a clear structure are your best defence against NIS2 fines, reputational damage, or failed audits. 

How ISO 27001 and other frameworks support NIS2 compliance 

Although not required, frameworks like ISO 27001, the NIST Cybersecurity Framework, or BSI Grundschutz in Germany can help structure your compliance efforts. ISO 27001 certification in particular can support NIS2 readiness—but it doesn’t replace the need to address NIS2-specific requirements such as supply chain risk and governance obligations. 

In short, while there’s no official NIS2 certificate to aim for, your organization still needs to be audit-ready and able to prove compliance—in a way that aligns with your national regulator’s expectations. 

Want to know more about NIS2? 

See how our structured approach maps controls to NIS2 requirements—so you know exactly where you stand. 

How to prepare for NIS2 certification (step-by-step) 

Even without a formal NIS2 certificate, you’ll need to prove compliance through clear documentation, processes, and governance. Here’s how to get your organization audit-ready—step by step. 

1. Start with a gap analysis

Assess your current cybersecurity posture against NIS2 requirements. Identify where your organization already meets the standard—and where critical gaps exist. A structured maturity assessment will help prioritize your next steps based on risk and impact. 

2. Build or update your ISMS

If you don’t already have an Information Security Management System (ISMS), now is the time. If you do, make sure it covers NIS2-specific areas like supply chain risk, business continuity, and incident handling. A well-structured ISMS creates the foundation for ongoing compliance. 

3. Map your controls to NIS2

Translate the directive’s requirements into concrete actions: 

• What technical and organizational controls are already in place? 

• Which ones need to be added or improved? 

• How do they align with frameworks like ISO 27001 or NIST? 

Clear mapping will help you stay organized—and ready for questions from auditors or authorities. 

4. Create audit-ready documentation

NIS2 compliance is only as strong as your ability to prove it. Prepare key documents such as: 

• Information security policies 

• Incident response plans 

• Risk assessment reports 

• Roles and responsibilities 

• Training records and supplier risk logs 

This documentation should be kept up to date and easily accessible. 

5. Involve the right stakeholders

NIS2 compliance isn’t just an IT issue. Involve: 

• IT and security teams to assess and implement controls 

• Legal and compliance to align with regulatory obligations 

• Executive leadership to take ownership and make governance decisions 

Cross-functional buy-in is essential—not just for implementation, but for long-term accountability. 

NIS2 certification audit: What to expect 

Whether a NIS2 audit is already a legal requirement depends on the Member State, as each country is responsible for transposing the directive into national law and defining its own supervisory approach. 

At this stage, there is no official NIS2 audit requirement in Germany. The NIS2 directive has not yet been transposed into national law, and supervisory mechanisms are still being defined. 

At this stage, there is no official NIS2 audit requirement in Germany, as the directive has not yet been fully transposed into national law and supervisory mechanisms are still being defined.

In contrast, Italy has already implemented NIS2 into national legislation, and affected organizations are now subject to clearer compliance expectations, including potential oversight by designated authorities. This variation across Member States makes it essential for organizations to monitor national developments closely. 

However, things are likely to change. In countries like Germany, where national laws are still pending, authorities may introduce compliance audits once legislation is in place—potentially through structured self-assessments, internal audits, or external reviews.  

In Member States like Italy, where NIS2 is already in force, organizations should already be prepared to demonstrate compliance. Either way, early preparation is key to reducing risk and staying ahead of enforcement. 

Why prepare for a NIS2 certification now?  

Even though a NIS2 audit is not yet a legal requirement in many EU countries, including Germany, a structured internal or external audit can help you. It allows your organization to: 

• Assess its current level of readiness against NIS2 requirements 

• Identify and prioritize compliance gaps across technical, organizational, and governance areas 

• Establish or validate documentation and responsibilities before enforcement begins 

• Avoid time pressure and reactive compliance once national laws come into effect 

A voluntary audit is one of the most practical ways to move from theory to implementation— and demonstrates that your organization is proactively addressing NIS2, rather than waiting for enforcement. 

What a NIS2 audit typically covers  

A NIS2 readiness audit takes a close look at how well your organization aligns with the directive’s key requirements. The focus isn’t just on whether the right documents exist—but on whether the necessary measures are actually implemented and working in practice. 

• A risk-based approach to information security: Are you regularly assessing and addressing cyber risks? 

• Incident response: Do you have clear, tested processes in place for detecting, reporting, and managing incidents? 

• Business continuity and crisis management: Can your organization stay operational in the event of a cyber disruption? 

• Supply chain risk management: Are third-party providers assessed and monitored for security risks? 

• Governance and accountability: Is there clarity on who’s responsible—up to and including board level? 

• Security awareness: Do employees understand their role in protecting the organization, and is training in place? 

An audit gives you a clear picture of where your organization stands—and where targeted improvements are needed to meet upcoming regulatory expectations with confidence. 

Internal vs. external audits 

At this stage, both options are valid—and neither is mandatory in Germany and other countries yet. 

• Internal audits help organizations assess themselves and prepare for formal oversight later. They’re often conducted by compliance teams or internal security officers. 

• External audits bring independent assurance and can be useful for building trust with partners, investors, or future regulators. 

Once NIS2 is enforced nationally, external audits may become a legal requirement—especially for essential entities. 

Act on audit findings 

An audit only adds value if it leads to action. Use the results to prioritize gaps based on risk, assign clear responsibilities, and set realistic deadlines. Track progress and update your ISMS and documentation as needed. Taking visible steps to address findings shows that your organization is serious about compliance—and ready for future supervisory checks. 

Learn more about how to prepare for NIS2 certification in our on-demand webinar: 

Tools and frameworks to help you with NIS2 certification 

While NIS2 introduces its own set of requirements, you don’t have to start from scratch. Several well-established frameworks and tools can help you structure your approach and demonstrate compliance more efficiently. 

ISO 27001 as a foundation for NIS2

If your organization is already certified to ISO 27001, you’re in a strong position. Many of the controls required by NIS2—like risk management, access control, and incident response—closely align with ISO 27001. However, NIS2 goes further in areas like governance and supply chain risk, so a gap analysis is still essential. 

ENISA and national guidance 

The European Union Agency for Cybersecurity (ENISA) offers useful guidance, including sectoral risk profiles, baseline security measures, and implementation tools. National authorities—such as the BSI in Germany—are also releasing draft laws, implementation guides, and templates tailored to local requirements, once the NIS2 Directive is enforced. 

Platforms and automation 

Digital compliance platforms help you turn regulatory requirements into day-to-day practice. With features like: 

• Pre-built templates for policies, risk assessments, and audits 

• Centralized document and evidence management 

• Automated workflows to assign tasks, track remediation, and schedule reviews 

• A clear mapping of your existing controls to NIS2 requirements 

…you reduce complexity, eliminate silos, and ensure your compliance work is structured and verifiable. 

Even if audits aren’t yet mandatory in your country, these tools make sure you’re ready when the time comes—with all responsibilities, documentation, and progress clearly traceable.

NIS2 certification vs. ISO 27001: What’s the difference? 

If your organization is already working with ISO 27001, you’re on the right track—but that doesn’t mean you’re automatically NIS2-compliant. While the two frameworks have a lot in common, they serve different purposes and are not interchangeable. 

ISO 27001 is an international standard for building and maintaining an information security management system (ISMS). It’s widely recognized and often used as a best-practice framework for managing risks and protecting data. NIS2, on the other hand, is a legal requirement for certain organizations operating in the EU—and it introduces additional obligations that go beyond the scope of ISO 27001. 

There’s definitely overlap. Both emphasize a risk-based approach, clear roles and responsibilities, incident response, and continuous improvement. But NIS2 adds layers that ISO 27001 doesn’t cover, especially when it comes to regulatory obligations. For example, NIS2 requires you to report major incidents within tight timelines, take responsibility at the management level, and assess supply chain risks in much more detail. 

So, is ISO 27001 enough to prove NIS2 compliance? Not entirely. It’s a strong foundation—and it will make your compliance journey easier—but you’ll still need to address NIS2-specific gaps. That might mean updating your governance structure, expanding your supplier oversight processes, or preparing for regulatory audits. 

In many cases, it makes sense to use both. ISO 27001 gives you the structure and discipline to manage security effectively. NIS2 ensures you meet the legal expectations. Together, they help you build a security program that’s not only effective, but also defensible—internally and externally. 

NIS2 certification FAQs 

Got questions about NIS2 certification? Here are some of the most common ones we hear—along with clear answers to help you move forward with confidence. 

Is NIS2 certification mandatory? 

There’s currently no official EU-wide NIS2 certification. However, if your organization falls under the directive, you’re legally required to implement and demonstrate compliance with its security and governance requirements. Some countries may introduce audit or reporting obligations as part of enforcement. 

Who can certify us for NIS2? 

There’s currently no formal EU-wide certification scheme for NIS2. The directive does not establish a centralized authority to issue NIS2 certificates. However, some EU Member States may introduce their own audit or assessment mechanisms as part of their national implementation—especially for essential entities. 

In the absence of an official certification process, many organizations choose to work with external auditors or consultants to assess their readiness. Others rely on established frameworks like ISO 27001 to structure their security measures and demonstrate compliance. While this doesn’t replace NIS2 obligations, it can serve as a strong foundation and help document efforts in a clear, auditable way. 

How long does it take to become NIS2 compliant? 

It depends on your current security maturity. If you already follow standards like ISO 27001, you may only need to fill a few gaps. If you’re starting from scratch, plan for several months of internal assessments, documentation, and implementation work. 

Achieve NIS2 certification efficiently 

Thousands of organizations across Europe are now required to meet stricter cybersecurity standards under the NIS2 Directive. With enforcement already underway in several EU countries and others close behind, the pressure to act is increasing. Waiting could mean facing regulatory scrutiny, operational risk, or reputational damage. 

The good news? Getting ready doesn’t have to be complex or resource-heavy. 

With DataGuard, you can combine smart automation with expert guidance to streamline your path to NIS2 compliance. Our platform helps you: 

• Assess your current cybersecurity maturity and identify gaps 

• Automate risk management, policy reviews, and incident workflows 

• Map existing controls to NIS2 requirements with built-in guidance 

• Stay audit-ready with centralised documentation and clear accountability 

We don’t just provide tools—we partner with you to ensure your compliance efforts are structured, efficient, and sustainable. 

Take control of your NIS2 compliance—before enforcement catches up.