NIS2 — Network and Information Security Directive
NIS2 — Network and Information Security Directive — 92% covered.
46 requirements · 41 enforced · 1 designed · 4 advisory · 0 deferred.
Source: Directive (EU) 2022/2555 — Article 20 (Governance: management-body approval and oversight of risk-management measures, liability, training), Article 21 (Risk-management measures: the ten categories of Article 21(2) with sub-clauses, plus 21(3) supplier vulnerabilities and 21(4) corrective measures), Article 23 (Reporting obligations: four-stage timeline, recipient notification, CSIRT response) together with the voluntary notification of Article 30, which this mapping groups under reporting, and Article 32 (Supervisory and enforcement measures in relation to essential entities). Deep-mapping expanded 2026-05-29 (Wave-Ralph-B) from 15 to 46 requirements with full Article 21 sub-clause decomposition and Article 32 supervisory powers. · License: EU directives are published in the Official Journal and are reproducible for non-commercial reference purposes.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Article 21 — Risk-management measures (detailed) | 12 | 12 | 0 | 0 | 0 | 100% |
| Article 21 — Risk-management measures | 10 | 9 | 0 | 1 | 0 | 93% |
| Article 23 — Reporting obligations (detailed) | 8 | 7 | 0 | 1 | 0 | 91% |
| Article 23 — Reporting obligations | 4 | 4 | 0 | 0 | 0 | 100% |
| Article 20 — Governance (detailed) | 3 | 3 | 0 | 0 | 0 | 100% |
| Article 20 — Governance | 1 | 1 | 0 | 0 | 0 | 100% |
| Article 32 — Supervision and enforcement (essential entities) | 8 | 5 | 1 | 2 | 0 | 75% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| nis2.A21.2.a | Article 21(2)(a) — Policies on risk analysis and information system security, encompassing technical, operational and organisational measures based on an all-hazards approach. | enforced | audit_events: kye.risk.score.v1, kye.risk_assessment.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A21.2.b | Article 21(2)(b) — Incident handling, including procedures for detection, analysis, containment, eradication, recovery and post-incident review. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.signal.revocation.cascaded.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A21.2.c | Article 21(2)(c) — Business continuity, including backup management and disaster recovery, and crisis management. | enforced | audit_events: kye.spof.path_to_full.v1, kye.audit_retention_policy.v1 · engines: internal, internal, internal · workers: kye-d1-backup-worker, kye-dr-orchestrator · registries: internal · constitution_refs: constitution/51-NO-SPOF.md, constitution/30-AUDIT-WORM-RETENTION.md |
| nis2.A21.2.d | Article 21(2)(d) — Supply-chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. | enforced | audit_events: kye.subprocessor.v1, kye.federation.cross_org_delegation.v1, kye.agent.mcp_allow_list.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| nis2.A21.2.e | Article 21(2)(e) — Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. | enforced | audit_events: kye.signal.drift.detected.v1, kye.evidence.tool_call_pin.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| nis2.A21.2.f | Article 21(2)(f) — Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A21.2.g | Article 21(2)(g) — Basic cyber-hygiene practices and cybersecurity training. | enforced | audit_events: kye.training.completion.v1, kye.comms.dispatch.v1 · engines: internal, internal, internal · constitution_refs: constitution/10-PARTNER.md, constitution/39-LEARN-RAIL.md |
| nis2.A21.2.h | Article 21(2)(h) — Policies and procedures regarding the use of cryptography and, where appropriate, encryption. | enforced | audit_events: kye.audit.event.v1, kye.compliance.attestation.v1 · engines: internal, internal, internal · registries: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nis2.A21.2.i | Article 21(2)(i) — Human-resources security, access-control policies and asset management. | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.signal.revocation.cascaded.v1, kye.relationship.member_of.v1 · engines: internal, internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nis2.A21.2.j | Article 21(2)(j) — Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nis2.A21.3 | Article 21(3) — When considering which measures under paragraph 2, point (d) are appropriate, entities shall take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. | enforced | audit_events: kye.subprocessor.v1, kye.compliance.attestation.v1, kye.risk.score.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A21.4 | Article 21(4) — Where an entity finds that it does not comply with the measures provided for in paragraph 2, it shall, without undue delay, take all necessary, appropriate and proportionate corrective measures. | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal, internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/41-ERROR-HORIZONS.md |
| nis2.A21.1 | Policies on risk analysis and information system security. | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md · rule_packs: kye:rule-pack:public-sector-governance |
| nis2.A21.2 | Incident handling. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · workers: kye-incident-detector, kye-authority-revocation-orchestrator · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A21.3 | Business continuity, such as backup management and disaster recovery, and crisis management. | enforced | audit_events: kye.spof.path_to_full.v1, kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-d1-backup-worker, kye-audit-archiver · registries: internal · constitution_refs: constitution/51-NO-SPOF.md, constitution/30-AUDIT-WORM-RETENTION.md |
| nis2.A21.4 | Supply-chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nis2.A21.5 | Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure. | enforced | audit_events: kye.signal.drift.detected.v1, kye.ci.failure.classified.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/41-ERROR-HORIZONS.md |
| nis2.A21.6 | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · workers: kye-audit-replay-orchestrator · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A21.7 | Basic cyber-hygiene practices and cybersecurity training. | advisory | audit_events: kye.training.completion.v1 · constitution_refs: constitution/10-PARTNER.md |
| nis2.A21.8 | Policies and procedures regarding the use of cryptography and, where appropriate, encryption. | enforced | audit_events: kye.signing.multisig_envelope.v1 · engines: internal, internal, internal · constitution_refs: constitution/51-NO-SPOF.md |
| nis2.A21.9 | Human-resources security, access-control policies and asset management. | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.revocation.event.v1 · engines: internal, internal, internal · workers: kye-pdp, kye-authority-revocation-orchestrator · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nis2.A21.10 | The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate. | enforced | audit_events: kye.signing.multisig_envelope.v1, kye.purpose.permission.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/51-NO-SPOF.md |
| nis2.A23.1.early | Article 23(4)(a) — Early warning without undue delay and in any event within 24 hours of becoming aware of a significant incident, indicating, where applicable, whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact. | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1, kye.cross_border.transfer.v1 · engines: internal, internal · workers: kye-incident-detector, kye-comms-engine-worker · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| nis2.A23.1.update | Article 23(4)(b) — Incident notification within 72 hours of becoming aware, updating the early warning and giving an initial assessment of the significant incident, including its severity and impact and, where available, the indicators of compromise. | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.pack.v1, kye.risk.score.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A23.1.intermediate | Article 23(4)(c) — Intermediate report on relevant status updates, upon request of the CSIRT or, where applicable, the competent authority. | enforced | audit_events: kye.comms.dispatch.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| nis2.A23.1.final | Article 23(4)(d) — Final report no later than one month after submission of the incident notification, with a detailed description of the incident (severity and impact), the type of threat or root cause likely to have triggered it, applied and ongoing mitigation measures and, where applicable, its cross-border impact. | enforced | audit_events: kye.signal.incident.closed.v1, kye.evidence.pack.v1, kye.assurance.audit_replay_report.v1, kye.cross_border.transfer.v1 · engines: internal, internal · workers: kye-audit-replay-orchestrator · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A23.2 | Article 23(2) — Where appropriate, communicate without undue delay to the recipients of their services that are potentially affected by a significant cyber threat any measures or remedies that those recipients can take in response. | enforced | audit_events: kye.comms.dispatch.v1, kye.transparency.statement.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| nis2.A23.3 | Article 23(2), second sentence — Where appropriate, the entity shall also inform the recipients of those services of the significant cyber threat itself. (Article 23(3) of the Directive defines when an incident is significant; the recipient-information duty sits in 23(2).) | enforced | audit_events: kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| nis2.A23.5 | Article 23(5) — The CSIRT or, where applicable, the competent authority shall, without undue delay and where possible within 24 hours of receiving the early warning, provide the notifying entity with a response including initial feedback on the significant incident and, upon request, guidance or operational advice on possible mitigation measures. This is an obligation on the authority, not on the entity, hence advisory. | advisory | audit_events: kye.comms.dispatch.v1, kye.signal.incident.opened.v1 · constitution_refs: constitution/38-COMMS-RAIL.md |
| nis2.A23.6 | Article 30(1), grouped here under reporting — Voluntary notification, in addition to the Article 23 obligation, of incidents, cyber threats and near misses to the CSIRT or, where applicable, the competent authority. | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| nis2.A23.1 | Early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident. | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1 · engines: internal, internal · workers: kye-incident-detector, kye-comms-engine-worker · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
| nis2.A23.2 | Incident notification with an initial assessment within 72 hours of becoming aware, including severity, impact and indicators of compromise. | enforced | audit_events: kye.signal.incident.opened.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A23.3 | Final report no later than one month after the incident notification, with a detailed description, threat type or root cause, mitigation measures and cross-border impact. | enforced | audit_events: kye.signal.incident.closed.v1, kye.evidence.pack.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · workers: kye-audit-replay-orchestrator · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A23.4 | Notification of recipients of services that are potentially affected by a significant cyber threat. | enforced | audit_events: kye.comms.dispatch.v1, kye.transparency.statement.v1 · engines: internal · workers: kye-comms-engine-worker · constitution_refs: constitution/38-COMMS-RAIL.md |
| nis2.A24.1.approve | Article 20(1) — Management bodies of essential and important entities shall approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee their implementation, and can be held liable for infringements of Article 21 by the entities. | enforced | audit_events: kye.governedui.approval.v1, kye.governedui.action_proposal.v1, kye.compliance.attestation.v1 · engines: internal, internal · governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nis2.A24.1.training | Article 20(2) — Member States shall ensure that members of management bodies are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis. | enforced | audit_events: kye.training.completion.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/10-PARTNER.md, constitution/39-LEARN-RAIL.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| nis2.A24.1.liability | Article 20(1) — Liability of management bodies: they can be held liable for infringements of Article 21 by the entities they govern. | enforced | audit_events: kye.governedui.approval.v1, kye.audit.event.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/36-GOVERNEDUI.md |
| nis2.A24.1 | Management bodies of essential and important entities approve the cybersecurity risk-management measures taken to comply with Article 21, oversee their implementation, and can be held liable for infringements; members of management bodies must follow training, and entities are encouraged to offer similar training to staff. | enforced | audit_events: kye.governedui.approval.v1, kye.compliance.attestation.v1, kye.training.completion.v1, kye.authority.grant.v1 · engines: internal, internal, internal, internal · governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1 · constitution_refs: constitution/36-GOVERNEDUI.md, constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A32.1 | Article 32(1) — Member States shall ensure that the supervisory or enforcement measures imposed on essential entities are effective, proportionate and dissuasive, taking into account the circumstances of each individual case. | advisory | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A32.2.a | Article 32(2)(a) — Power to subject the entity to on-site inspections and off-site supervision, including random checks conducted by trained professionals. | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A32.2.b | Article 32(2)(b) — Power to require regular and targeted security audits carried out by an independent body or a competent authority. | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.evidence.pack.v1, kye.subprocessor.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| nis2.A32.2.c | Article 32(2)(c) — Power to require ad hoc audits, including where justified by a significant incident or an infringement of the Directive. | enforced | audit_events: kye.signal.incident.opened.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A32.2.d | Article 32(2)(d) — Power to require security scans based on objective, non-discriminatory, fair and transparent risk-assessment criteria. | enforced | audit_events: kye.risk.score.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nis2.A32.2.e | Article 32(2)(e) — Power to request information necessary to assess the cybersecurity risk-management measures adopted by the entity, including documented cybersecurity policies. | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nis2.A32.4.binding | Article 32(4) — Power to issue binding instructions and orders, including ordering the entity to implement the recommendations of a security audit within a reasonable deadline. | designed | audit_events: kye.governedui.action_proposal.v1, kye.governedui.approval.v1, kye.compliance.attestation.v1 · governedui_modules: kye.governedui.module.action_approval.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nis2.A32.4.disclosure | Article 32(4) — Power to make public, where appropriate, aspects of the infringement and the natural and legal persons responsible for it. | advisory | audit_events: kye.transparency.statement.v1, kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
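The four Article 23(4) rows above (nis2.A23.1.early through nis2.A23.1.final) map each reporting stage to audit events but do not show how the deadlines chain: the 24-hour and 72-hour clocks run from the moment the entity becomes aware of the incident, the one-month final-report clock runs from the submission of the incident notification rather than from awareness, and the intermediate report has no fixed deadline at all. The checker below is an added example, not code from the KYE mapping or the KYE project: it walks a constructed stream of audit events and reports, per stage, the deadline and whether it was met. The event type names are the ones the page maps to Article 23(4); the record fields (`type`, `ts`, `stage`), the stage labels and the sample timestamps are assumptions made here, not a documented KYE schema.

```python
"""Check an incident's NIS2 Article 23(4) reporting timeline against audit events.

Added example, not part of the KYE mapping page or the KYE project. Event type names
are the ones the page maps to Article 23(4); the record layout (type, ts, stage) and
the stage labels are assumed here for illustration only.
"""
from calendar import monthrange
from datetime import datetime, timedelta, timezone
from typing import Optional

# Directive (EU) 2022/2555, Article 23(4): the early-warning and incident-notification
# clocks start when the entity becomes aware of the significant incident; the final-report
# clock starts when the incident notification was *submitted*, not at awareness.
DEADLINES_FROM_AWARENESS = {
    "early_warning": timedelta(hours=24),          # Art. 23(4)(a)
    "incident_notification": timedelta(hours=72),  # Art. 23(4)(b)
}
FINAL_REPORT_MONTHS = 1                            # Art. 23(4)(d)
# Art. 23(4)(c): the intermediate report has no fixed clock; it is due on request.


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (trailing 'Z' allowed) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def add_calendar_month(dt: datetime, months: int = 1) -> datetime:
    """Add calendar months, clamping to the last day of the target month (31 Jan -> 28 Feb)."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def check_article_23_timeline(events: list) -> dict:
    """Return {stage: {deadline, submitted, on_time}} for the three clocked stages.

    Awareness is the earliest kye.signal.incident.opened.v1 event. A stage's submission
    time is its *first* kye.comms.dispatch.v1 event: a re-send never makes a late report
    early. on_time is None when the stage (or the deadline it depends on) is missing.
    """
    opened = [e for e in events if e["type"] == "kye.signal.incident.opened.v1"]
    if not opened:
        raise ValueError("no kye.signal.incident.opened.v1 event: awareness time unknown")
    aware = min(parse_ts(e["ts"]) for e in opened)

    submitted = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if e["type"] == "kye.comms.dispatch.v1" and "stage" in e:
            submitted.setdefault(e["stage"], parse_ts(e["ts"]))

    def verdict(stage: str, deadline: Optional[datetime]) -> dict:
        sent = submitted.get(stage)
        return {
            "deadline": deadline.isoformat() if deadline else None,
            "submitted": sent.isoformat() if sent else None,
            "on_time": None if sent is None or deadline is None else sent <= deadline,
        }

    result = {stage: verdict(stage, aware + delta)
              for stage, delta in DEADLINES_FROM_AWARENESS.items()}
    # The final-report deadline is undefined until the incident notification exists;
    # measuring it from awareness instead would silently misstate the obligation.
    notification_sent = submitted.get("incident_notification")
    final_deadline = (add_calendar_month(notification_sent, FINAL_REPORT_MONTHS)
                      if notification_sent else None)
    result["final_report"] = verdict("final_report", final_deadline)
    return result


# Constructed sample stream (not real KYE output): aware at 08:00 UTC on 10 March; early
# warning 12 hours later (in time); incident notification at 73 hours (one hour late);
# final report sent 30 days after the notification, inside the one-calendar-month window.
SAMPLE_EVENTS = [
    {"type": "kye.signal.incident.opened.v1", "ts": "2025-03-10T08:00:00Z"},
    {"type": "kye.comms.dispatch.v1", "stage": "early_warning", "ts": "2025-03-10T20:00:00Z"},
    {"type": "kye.comms.dispatch.v1", "stage": "incident_notification", "ts": "2025-03-13T09:00:00Z"},
    {"type": "kye.comms.dispatch.v1", "stage": "final_report", "ts": "2025-04-12T15:00:00Z"},
]

if __name__ == "__main__":
    for stage, v in check_article_23_timeline(SAMPLE_EVENTS).items():
        print(f"{stage:22s} deadline={v['deadline']} submitted={v['submitted']} on_time={v['on_time']}")
```

Run it directly to see the verdict for the constructed stream; in practice the input would be the incident's actual kye.signal.incident.opened.v1 and kye.comms.dispatch.v1 records. Two design points matter for an auditor: the first dispatch per stage is what counts, so a corrected re-send does not repair a missed 72-hour window, and a missing incident notification leaves the final-report deadline undefined rather than being measured from awareness.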