NIS2 Directive · Now in force across the EU

Know exactly where your company stands on NIS2.

Konforme scans your cloud infrastructure, assesses your people, and evaluates your governance — then gives you a single, audit-ready compliance score. No consultants. No spreadsheets. Just clarity.

EU-hosted  ·  GDPR compliant  ·  No credit card required

[Dashboard preview]
NIS2 Compliance Score: 82.4 (B+)
  • Technical: 88%
  • Assessment: 74%
  • Controls: 81%
Article 21 Coverage
  • (a) Risk analysis & ISMS policies
  • (b) Incident handling
  • (h) Cryptography & encryption
Finding F-2401 (HIGH): S3 bucket lacks encryption. Default encryption is not enabled on prod-assets bucket. Art. 21(2)(h).

The problem

NIS2 compliance is complex and costly

The NIS2 Directive is now law across every EU member state. It applies to medium and large organisations across eighteen sectors — from energy and healthcare to digital infrastructure and public administration. Companies with fifty or more employees, or ten million euro in turnover, must comply or face penalties reaching €10 million or two per cent of global annual turnover. Board members face personal liability.

Traditional gap assessments cost €15,000–50,000 per engagement, take four to eight weeks of consultant time, and give you a snapshot that’s outdated within months. NIS2 requires continuous compliance — not one-off audits.

"NIS2 doesn’t just require infrastructure security. It mandates employee training, incident handling, supply chain management, and board-level governance." (Directive 2022/2555, Article 21)

The platform

One platform, three compliance pillars

Built from the ground up for EU companies. Not a US compliance tool rebranded. Every feature maps directly to Article 21 requirements.

  • 3 compliance pillars
  • 27 EU member states covered
  • 15 min to your first compliance score

  • Technical scanning: AWS & Azure infrastructure checked against NIS2-mapped controls (IAM, encryption, network security, logging, business continuity).
  • Human factor assessment: Evaluate organisational maturity across all ten Article 21 areas, from security awareness to incident reporting and vendor risk.
  • Controls & governance: Track security controls mapped to NIS2. Assign owners, set deadlines, upload evidence, and monitor implementation over time.

Article 21(2)

Every measure covered

Every security measure mandated by the Directive is covered. Each control maps directly to Article 21(2).

  • (a) Risk analysis & ISMS policies: Policies on risk analysis and information system security, including governance frameworks and regular review cycles. Art. 21(2)(a)
  • (b) Incident handling: Procedures for the prevention, detection, and response to incidents, including escalation and notification. Art. 21(2)(b)
  • (c) Business continuity & crisis management: Business continuity including backup management, disaster recovery, and crisis management. Art. 21(2)(c)
  • (d) Supply chain security: Security-related aspects concerning relationships between each entity and its direct suppliers or service providers. Art. 21(2)(d)
  • (e) Network & information systems security: Security in acquisition, development, and maintenance of network and information systems, including vulnerability handling. Art. 21(2)(e)
  • (f) Effectiveness assessment: Policies and procedures to assess the effectiveness of cybersecurity risk-management measures. Art. 21(2)(f)
  • (g) Cyber hygiene & training: Basic cyber hygiene practices and cybersecurity training for staff at all levels. Art. 21(2)(g)
  • (h) Cryptography & encryption: Policies and procedures regarding the use of cryptography and, where appropriate, encryption. Art. 21(2)(h)
  • (i) HR security & access control: Human resources security, access control policies, and asset management. Art. 21(2)(i)
  • (j) Multi-factor authentication: The use of multi-factor authentication, secured voice, video and text communications, and secured emergency communication systems. Art. 21(2)(j)

How it works

Four steps to compliance clarity

1. Scan your cloud: Connect AWS or Azure with read-only credentials. Automated scanning against NIS2-mapped controls.
2. Assess your people: Complete the maturity assessment covering all ten Article 21 areas.
3. Track your controls: Monitor security controls, assign owners, set due dates, upload evidence.
4. Get your score: One unified NIS2 compliance score. Download your audit report and start remediating.

Coverage

All 27 EU member states

Every EU country has transposed NIS2 into national law differently. Konforme tracks each country's specific transposition law, competent authority, CSIRT, entity classification rules, deadlines, and penalty levels.

27 EU Member States
18 Critical sectors covered
€10M Maximum penalty for essential entities

Supported countries

Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland · France · Germany · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain · Sweden

FAQ

Frequently asked questions

NIS2 (Directive 2022/2555) is the EU's updated cybersecurity legislation that came into force in October 2024. It applies to medium and large organisations across 18 sectors including energy, healthcare, transport, digital infrastructure, financial services, and public administration. Companies with 50+ employees or €10M+ turnover in these sectors must comply or face penalties up to €10 million or 2% of global annual turnover.

Essential entities face fines up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines up to €7 million or 1.4%. NIS2 also introduces personal liability for management bodies — board members and senior executives can be held personally responsible for compliance failures.

Article 21 requires organisations to implement cybersecurity risk-management measures across 10 areas: risk analysis and information security policies, incident handling, business continuity, supply chain security, network security, effectiveness assessment, cybersecurity hygiene and training, cryptography, access control and HR security, and multi-factor authentication.

Konforme uses a three-pillar approach: first, it scans your AWS or Azure cloud infrastructure against NIS2-mapped controls. Second, it evaluates organisational maturity across all Article 21 areas. Third, it tracks implementation of security controls with evidence management. These three pillars combine into a single compliance score with audit-ready PDF reports.

Yes. Konforme supports both Amazon Web Services and Microsoft Azure. Both providers are scanned against NIS2-mapped controls covering identity and access management, encryption, network security, logging, and business continuity.

Konforme supports all 27 EU member states with country-specific NIS2 compliance data, including each country's national transposition law, competent authority, CSIRT contact details, entity classification rules, sector-specific requirements, and penalty levels.

With Konforme, you can get your first NIS2 compliance score in under fifteen minutes. Cloud infrastructure scanning runs automatically and takes two to five minutes. The human factor assessment typically takes fifteen to thirty minutes.

Start your NIS2 compliance journey today

Create a free account, connect your AWS or Azure environment, and get your first compliance score in under fifteen minutes.
