What the framework requires
Scope: who NIS2 covers
NIS2 broadens the original NIS Directive to cover essential entities (energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space) and important entities (postal and courier services, waste management, manufacture and distribution of chemicals, food, medical devices, motor vehicles, computers, electronics, electrical equipment, machinery, digital providers, research).
The size threshold (typically over 50 employees and EUR 10m turnover) brings far more organisations into scope than the original directive. Member states transpose NIS2 into their own law, and the transpositions vary from country to country.
Article 21: risk-management measures
Article 21 requires entities to take appropriate and proportionate technical, operational, and organisational measures across at least: risk-analysis and information-system security policies; incident handling; business continuity (back-ups, disaster recovery, crisis management); supply-chain security including the security of suppliers and service providers; security in network and information system acquisition, development, and maintenance; policies and procedures to assess effectiveness; basic cyber hygiene and training; cryptography and encryption; human-resources security, access-control, and asset management; and multi-factor authentication or continuous authentication.
Article 23: incident reporting
Significant incidents must be notified to the competent authority or CSIRT in three stages: an early warning within 24 hours; an incident notification within 72 hours; and a final report within one month. The threshold for "significant" is defined by the directive and the national transposition.
How our services map to compliance
- Supply-chain security (Article 21(2)(d)). Mission Support brings documented supplier governance: vetting, screening, contract clauses, and the audit trail that supply-chain security obligations require. Where physical security is part of the operator's supply chain, our work plugs directly into the operator's NIS2 evidence base.
- Incident handling and continuity. Our 24/7 alarm centre, mobile response, and documented incident protocols support an operator's incident-handling and continuity obligations. Logs and after-action reports are produced to a standard that survives regulator review.
- Physical-security controls and assessment. Risk and threat assessment, site hardening, counter-drone measures, and technical surveillance counter-measures (TSCM) map directly to the physical-security elements of Article 21. The work is documented in a form that fits an operator's evidence base.