Surprisingly, only Chapter IV “Cybersecurity risk-management measures and reporting
obligations” defines what essential and important entities must do to comply with NIS 2.
None of the other chapters are relevant for these companies, because they specify the
obligations of the EU countries (Member States) and what government agencies must do
to enforce NIS 2.
Chapter IV has the following articles:
- Article 20 – Governance
- Article 21 – Cybersecurity risk-management measures
- Article 22 – Union level coordinated security risk assessments of critical supply chains
- Article 23 – Reporting obligations
- Article 24 – Use of European cybersecurity certification schemes
- Article 25 – Standardisation





