Key obligations
Duty of care: appropriate security measures
Art. 21 NIS2 requires appropriate and proportionate risk management measures: risk analysis and security policy, incident handling, business continuity (back-ups/recovery), security in development/maintenance, effectiveness measurement, basic cyber hygiene and encryption.
Access management and multi-factor authentication
Art. 21 NIS2 lists access management, including multi-factor authentication and account management, as part of the minimum measures.
Phased reporting duty (24/72 hours)
NIS2 sets a phased reporting duty for significant incidents: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month, each submitted to the competent authority or CSIRT.
Supply-chain security
Art. 21 NIS2 explicitly covers supply-chain security, including relationships with direct suppliers; customers may pass this duty down by contract.
Management accountability and training
Art. 20 NIS2 places responsibility with the management body: approving measures, overseeing implementation, mandatory training and potential liability for failure to comply.
Registration with the competent authority
NIS2 requires a registration mechanism, and certain digital providers have a direct registration duty. The Cybersecurity Act determines the point of contact and the procedure to follow.