NIS2 Directive - Network and Information Security
cloud-audit maps 88 checks to 43 NIS2 Directive measures derived from Article 21(2)(a)-(j), Article 23 (incident reporting), and Article 20 (governance). 26 measures are automated, 17 require manual review (governance, incident reporting, and supply chain controls).
Regulatory compliance, not certification
NIS2 is an EU directive transposed into national law by each member state. Compliance requirements vary by jurisdiction and entity classification (essential vs important). This tool automates assessment of technical security measures and generates evidence to support your compliance program.
Coverage Summary
The Automated column counts both fully automated (Auto) and partially automated (Partial) measures. A Partial measure has some aspects verified by cloud-audit checks and others that still require manual review, so a passing scan alone does not close it.
| Article | Scope | Measures | Automated* | Manual |
|---|---|---|---|---|
| Art. 21(2)(a) | Risk analysis and IS policies | 5 | 2 | 3 |
| Art. 21(2)(b) | Incident handling | 5 | 3 | 2 |
| Art. 21(2)(c) | Business continuity and crisis management | 5 | 4 | 1 |
| Art. 21(2)(d) | Supply chain security | 4 | 0 | 4 |
| Art. 21(2)(e) | Network and IS acquisition, development, maintenance | 5 | 4 | 1 |
| Art. 21(2)(f) | Vulnerability handling and disclosure | 3 | 3 | 0 |
| Art. 21(2)(g) | Policies for assessing effectiveness | 3 | 2 | 1 |
| Art. 21(2)(h) | Cybersecurity hygiene and training | 3 | 1 | 2 |
| Art. 21(2)(i) | Cryptography and encryption | 3 | 3 | 0 |
| Art. 21(2)(j) | HR security, access control, asset management | 4 | 3 | 1 |
| Art. 23 | Incident reporting obligations | 2 | 0 | 2 |
| Art. 20 | Governance and accountability | 1 | 1 | 0 |
| Total | | 43 | 26 (60%) | 17 (40%) |
Usage
# Terminal output with readiness score
cloud-audit scan --compliance nis2_directive
# HTML report for auditors
cloud-audit scan --compliance nis2_directive --format html --output nis2-report.html
# Markdown for documentation
cloud-audit scan --compliance nis2_directive --format markdown --output nis2-report.md
# List all frameworks
cloud-audit list-frameworks
# Preview controls without scanning
cloud-audit show-framework nis2_directive
Article 21(2)(a) - Risk Analysis and Information Security Policies
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2a-01 | Information security risk assessment | Manual | - |
| 21.2a-02 | Security policies and procedures | Manual | - |
| 21.2a-03 | Asset inventory and classification | Partial | aws-cfg-001, aws-cfg-002 |
| 21.2a-04 | Risk treatment and controls | Partial | aws-sh-001, aws-gd-001, aws-gd-002 |
| 21.2a-05 | Risk management governance | Manual | - |
Article 21(2)(b) - Incident Handling
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2b-01 | Incident detection capabilities | Auto | aws-gd-001, aws-gd-002, aws-sh-001, aws-cw-001 through aws-cw-016 |
| 21.2b-02 | Incident logging and evidence | Auto | aws-ct-001, aws-ct-002, aws-ct-004, aws-ct-005, aws-ct-006, aws-ct-007, aws-ct-008 |
| 21.2b-03 | Incident response procedures | Manual | - |
| 21.2b-04 | Incident classification and escalation | Partial | aws-gd-001, aws-gd-002 |
| 21.2b-05 | Post-incident analysis | Manual | - |
Article 21(2)(c) - Business Continuity and Crisis Management
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2c-01 | Backup management | Auto | aws-rds-003, aws-s3-003, aws-ec2-005, aws-backup-001 |
| 21.2c-02 | Disaster recovery | Partial | aws-rds-003, aws-rds-004 |
| 21.2c-03 | High availability | Auto | aws-rds-003, aws-rds-004 |
| 21.2c-04 | Continuity planning | Manual | - |
| 21.2c-05 | Data retention and integrity | Auto | aws-ct-004, aws-ct-005, aws-s3-004, aws-s3-005 |
Article 21(2)(d) - Supply Chain Security
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2d-01 | Supplier security assessment | Manual | - |
| 21.2d-02 | ICT supply chain risk management | Manual | - |
| 21.2d-03 | Third-party access controls | Manual | - |
| 21.2d-04 | Supplier contractual obligations | Manual | - |
Article 21(2)(e) - Network and IS Acquisition, Development, Maintenance
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2e-01 | Secure configuration management | Auto | aws-cfg-001, aws-cfg-002, aws-ec2-004, aws-ecs-001 |
| 21.2e-02 | Network security architecture | Auto | aws-vpc-001, aws-vpc-002, aws-vpc-003, aws-vpc-004, aws-vpc-005, aws-vpc-006 |
| 21.2e-03 | Secure development practices | Partial | aws-iam-007, aws-lambda-002 |
| 21.2e-04 | Change management | Auto | aws-cfg-001, aws-cfg-002, aws-cw-005, aws-cw-009 |
| 21.2e-05 | Security testing | Manual | - |
Article 21(2)(f) - Vulnerability Handling and Disclosure
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2f-01 | Vulnerability scanning and assessment | Auto | aws-ssm-001, aws-ssm-003, aws-inspector-001 |
| 21.2f-02 | Patch management | Auto | aws-ssm-001, aws-ssm-003 |
| 21.2f-03 | Vulnerability disclosure coordination | Partial | aws-sh-001 |
Article 21(2)(g) - Policies for Assessing Effectiveness
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2g-01 | Security monitoring and metrics | Auto | aws-cfg-001, aws-cfg-002, aws-sh-001, aws-gd-001 |
| 21.2g-02 | Compliance monitoring | Partial | aws-cfg-001, aws-cfg-002 |
| 21.2g-03 | Internal audits | Manual | - |
Article 21(2)(h) - Cybersecurity Hygiene and Training
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2h-01 | Multi-factor authentication | Auto | aws-iam-001, aws-iam-002, aws-iam-015 |
| 21.2h-02 | Security awareness training | Manual | - |
| 21.2h-03 | Secure communication | Manual | - |
Article 21(2)(i) - Cryptography and Encryption
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2i-01 | Encryption at rest | Auto | aws-s3-002, aws-rds-002, aws-ec2-002, aws-ec2-006, aws-efs-001, aws-kms-001, aws-kms-002 |
| 21.2i-02 | Encryption in transit | Auto | aws-s3-006, aws-s3-007, aws-lambda-003, aws-ssm-002 |
| 21.2i-03 | Key management | Auto | aws-kms-001, aws-kms-002 |
Article 21(2)(j) - HR Security, Access Control, Asset Management
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 21.2j-01 | Access control policies | Auto | aws-iam-005, aws-iam-006, aws-iam-010, aws-iam-014, aws-iam-017 |
| 21.2j-02 | Privileged access management | Auto | aws-iam-005, aws-iam-007, aws-iam-008 |
| 21.2j-03 | User lifecycle management | Auto | aws-iam-003, aws-iam-004, aws-iam-009, aws-iam-013 |
| 21.2j-04 | HR security procedures | Manual | - |
Article 23 - Incident Reporting
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 23-01 | Early warning (24h) and incident notification (72h) | Manual | - |
| 23-02 | Final report (1 month) | Manual | - |
Strict reporting timelines
Article 23(4) requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment (severity, impact, and indicators of compromise where available) within 72 hours of becoming aware, intermediate status updates on request, and a final report no later than one month after the incident notification was submitted. Note that the one-month clock runs from the notification, not from the moment of awareness. Establish incident classification and reporting procedures before an incident occurs.
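As an added example (not part of cloud-audit or this page), the following Python computes the three Article 23 deadlines from the time the entity became aware of the incident. It assumes timezone-aware timestamps and starts the one-month final-report clock from when the incident notification was actually submitted, falling back to the 72-hour deadline as a planning basis when the notification has not gone out yet; the timestamps in the usage block are constructed.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Article 23(4) timelines, counted from the moment the entity becomes aware
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's length (Jan 31 -> Feb 28/29)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def reporting_deadlines(aware_at: datetime,
                        notification_submitted_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Return the Article 23 deadlines for an incident recognised as significant at aware_at.

    The final-report clock (Art. 23(4)(d)) runs from submission of the incident
    notification, not from awareness. If the notification has not been sent yet,
    the latest permissible submission time (aware_at + 72h) is used instead.
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; the authority will want UTC offsets")
    deadlines = {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
    }
    basis = notification_submitted_at or deadlines["incident_notification"]
    deadlines["final_report"] = add_one_month(basis)
    return deadlines


def overdue(deadlines: Dict[str, datetime], now: datetime, sent: Set[str]) -> List[str]:
    """Names of reports not yet sent whose deadline has already passed."""
    return [name for name, due in deadlines.items() if name not in sent and now > due]


if __name__ == "__main__":
    # Constructed timestamps for illustration only
    aware = datetime(2025, 1, 30, 10, 0, tzinfo=timezone.utc)
    for name, due in reporting_deadlines(aware).items():
        print(f"{name:22} {due.isoformat()}")
    print("overdue at 2025-02-01:", overdue(reporting_deadlines(aware),
                                           datetime(2025, 2, 1, tzinfo=timezone.utc), set()))
```

Record the awareness timestamp in the incident ticket the moment the classification decision is made; the 24-hour and 72-hour windows are measured from that point, and a vague "sometime Monday morning" will not survive a supervisory review.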
Article 20 - Governance
| ID | Title | Type | cloud-audit Checks |
|---|---|---|---|
| 20-01 | Management body accountability and oversight | Partial | aws-ct-001, aws-ct-002, aws-cfg-001 |
Why 17 Measures Are Manual
NIS2 covers governance accountability, supply chain risk management, incident reporting procedures, and cybersecurity training that cannot be verified by scanning AWS infrastructure.
Examples:
- 21.2d-01 through 21.2d-04 (supply chain) - supplier assessments, contractual obligations, ICT supply chain risk
- 23-01, 23-02 (incident reporting) - CSIRT notification procedures, early warning capability, final reports
- 21.2h-02 (training) - management body training requirements, staff awareness programs
cloud-audit marks these as NOT_ASSESSED with actionable manual steps for each.
EU Transposition Status
Member state implementation varies
The NIS2 Directive (Directive (EU) 2022/2555) had a transposition deadline of October 17, 2024. Member states are at varying stages of transposing it into national law, and several missed the deadline. Check your national implementation for specific requirements, entity classification thresholds, registration duties, and supervisory authority details.
NIS2 scopes entities by sector (Annexes I and II) and, as a rule, by size, with national law able to add or exempt specific entities:
- Essential entities: typically large entities in the Annex I "high criticality" sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space
- Important entities: other in-scope entities, including medium-sized Annex I entities and those in the Annex II sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research
Penalties for non-compliance: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities; up to EUR 7 million or 1.4% for important entities.
Attack Chain Integration
All 25 attack chain rules are mapped to NIS2 measures. When a chain is detected, the compliance report shows which measures it violates. A sample of the mapping:
| Chain | NIS2 Measures Violated |
|---|---|
| AC-01 Internet-Exposed Admin Instance | 21.2e-02, 21.2j-01, 21.2j-02 |
| AC-02 SSRF to Credential Theft | 21.2e-02, 21.2f-01 |
| AC-11 Zero Security Visibility | 21.2b-01, 21.2b-02, 21.2g-01 |
| AC-17 Exposed Database Without Audit Trail | 21.2e-02, 21.2i-01, 21.2b-02 |
| AC-31 Internet-Exposed Without WAF or Flow Logs | 21.2e-02, 21.2b-01 |
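The Auto/Partial/Manual semantics from the Coverage Summary and the chain-to-measure mapping above can be modelled in a few lines. The following Python is an added example, not cloud-audit's own code: this page does not document how the tool computes its readiness score or rolls up check results into measure status, so the rules used here (a measure fails if any mapped check fails, a Partial measure stays NOT_ASSESSED until manual evidence is recorded, Manual measures never count toward the score) are assumptions, and the measure subset and check results are constructed from the tables on this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Kind(Enum):
    AUTO = "Auto"        # every aspect covered by checks
    PARTIAL = "Partial"  # checks cover some aspects; the rest needs manual evidence
    MANUAL = "Manual"    # nothing a scan can verify


class Status(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    NOT_ASSESSED = "NOT_ASSESSED"


@dataclass(frozen=True)
class Measure:
    id: str
    kind: Kind
    checks: Tuple[str, ...] = ()


# Constructed subset of the mapping tables on this page
MEASURES = (
    Measure("21.2b-01", Kind.AUTO, ("aws-gd-001", "aws-gd-002", "aws-sh-001")),
    Measure("21.2b-02", Kind.AUTO, ("aws-ct-001", "aws-ct-002")),
    Measure("21.2b-03", Kind.MANUAL),
    Measure("21.2b-04", Kind.PARTIAL, ("aws-gd-001", "aws-gd-002")),
    Measure("21.2e-02", Kind.AUTO, ("aws-vpc-001", "aws-vpc-002")),
    Measure("23-01", Kind.MANUAL),
)

# Two rows of the Attack Chain Integration table
ATTACK_CHAINS = {
    "AC-11": ("21.2b-01", "21.2b-02", "21.2g-01"),
    "AC-17": ("21.2e-02", "21.2i-01", "21.2b-02"),
}

# Constructed scan results (assumed shape: check id -> "PASS" | "FAIL")
CHECK_RESULTS = {
    "aws-gd-001": "PASS", "aws-gd-002": "FAIL", "aws-sh-001": "PASS",
    "aws-ct-001": "PASS", "aws-ct-002": "PASS",
    "aws-vpc-001": "PASS", "aws-vpc-002": "PASS",
}


def measure_status(measure: Measure, check_results: Dict[str, str],
                   manual_evidence: Set[str]) -> Status:
    """Roll the mapped check results up into one status for the measure (assumed rules)."""
    if measure.kind is Kind.MANUAL:
        return Status.NOT_ASSESSED
    missing = [c for c in measure.checks if c not in check_results]
    if missing:
        raise KeyError(f"{measure.id}: no result for {missing}")
    if any(check_results[c] == "FAIL" for c in measure.checks):
        return Status.FAIL  # one failing check is enough to fail the measure
    if measure.kind is Kind.PARTIAL and measure.id not in manual_evidence:
        return Status.NOT_ASSESSED  # technical half passes, manual half still open
    return Status.PASS


def readiness(measures: Iterable[Measure], check_results: Dict[str, str],
              manual_evidence: Set[str] = frozenset()) -> Tuple[int, Dict[str, Status]]:
    """Readiness score = passed measures as a percentage of assessed (non-manual) measures."""
    statuses = {m.id: measure_status(m, check_results, manual_evidence) for m in measures}
    assessed = [s for s in statuses.values() if s is not Status.NOT_ASSESSED]
    score = round(100 * sum(s is Status.PASS for s in assessed) / len(assessed)) if assessed else 0
    return score, statuses


def chain_impact(chain_id: str, statuses: Dict[str, Status]) -> List[Tuple[str, Optional[Status]]]:
    """Measures a detected chain violates, with their scan status (None if outside the assessed set)."""
    return [(m, statuses.get(m)) for m in ATTACK_CHAINS[chain_id]]


def failing_measures_for_chain(chain_id: str, statuses: Dict[str, Status]) -> List[str]:
    """The subset of a chain's measures the scan already scores as FAIL: fix these first."""
    return [m for m, s in chain_impact(chain_id, statuses) if s is Status.FAIL]


if __name__ == "__main__":
    score, statuses = readiness(MEASURES, CHECK_RESULTS)
    print("readiness:", score)
    for mid, st in statuses.items():
        print(f"  {mid:10} {st.value}")
    print("AC-11 failing measures:", failing_measures_for_chain("AC-11", statuses))
```

The point of the Partial rule is that a green scan on aws-gd-001 and aws-gd-002 does not by itself satisfy 21.2b-04: the escalation procedure still has to be evidenced, so the measure stays NOT_ASSESSED until that evidence is attached and only then counts toward the score.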