NIS2 Directive
Directive (EU) 2022/2555
The EU's second-generation cyber resilience directive, raising the bar for digital businesses across the Union — including medium-sized suppliers to essential sectors.
NIS2 requires appropriate and proportionate technical, operational and organisational measures covering risk management, incident handling, supply-chain security, and incident reporting. Fortoxa maps those obligations to continuous controls.
How Fortoxa maps to it
Risk-management policies (Art. 21.2.a)
Policy tracking, control inventory and risk-register artefacts so governance is documented and evidenced, not assumed.
Incident handling (Art. 21.2.b)
Detection, triage and response workflows with time-stamped logs ready for the 24-hour early warning and 72-hour notification cycle.
Business continuity (Art. 21.2.c)
Backup monitoring, recovery testing and continuity evidence so your BCM plan is more than a document.
Supply-chain security (Art. 21.2.d)
Third-party identity, access and misconfiguration signals — because NIS2 pushes obligations into your vendors.
Vulnerability & disclosure handling (Art. 21.2.e-f)
Continuous scanning, patch-status visibility and disclosure records aligned with the directive's vulnerability-management clauses.
Cryptography, access control & MFA (Art. 21.2.h-j)
Identity posture, MFA coverage, encryption-in-transit checks and access reviews — all mapped to the directive's technical measures.
The source
Fortoxa's mapping is our own interpretation. For the authoritative framework text, consult the regulator directly.
Read the NIS2 Directive on EUR-Lex
Get compliant without hiring a security team
Fortoxa handles the monitoring, evidence collection and audit-ready reporting so your team can focus on the business.