NIS2 turns cybersecurity into a board-level duty. Rizzqo turns it into running evidence.
NIS2 teams need to show management accountability, the ten Article 21 risk-management measures, and incident readiness across real systems. Rizzqo turns those obligations into running evidence that stays current and audit-ready — so a 24-hour clock never catches you cold.
Essential and important entities
The first need is scope: NIS2 applies to medium-sized and larger organisations in eighteen sectors, split into two classes. Both carry the same risk-management duties; supervision and penalties are heavier for essential entities. Select a class to see what it means for you.
Essential entities
Proactive supervision
Larger operators in the most critical sectors. Regulators may inspect, audit and act before any incident, not only after one.
- Energy, transport, banking, health, water and digital infrastructure
- Generally large enterprises, plus designated critical operators of any size
- Subject to proactive supervision: audits, inspections and scans
- Fines up to 10 million euro or 2 percent of global annual turnover
Important entities
Supervised after the fact
Medium-sized and large operators in the remaining covered sectors. The same measures apply; supervision is triggered when there is evidence of non-compliance.
- Postal services, waste, chemicals, food, manufacturing and digital providers
- Medium-sized enterprises and above within a covered sector
- Reactive supervision: regulators act on evidence of a breach of duty
- Fines up to 7 million euro or 1.4 percent of global annual turnover
Sectors covered
NIS2 scope is easier to read in two buckets. Essential sectors face proactive supervision; important sectors follow the same risk-management measures, with supervision usually triggered by evidence of non-compliance.
Essential sectors
Critical services where disruption can hit society quickly.
Important sectors
Other covered services and supply chains with the same Article 21 baseline.
The ten minimum risk-management measures
Article 21 sets a baseline that every entity in scope must implement on an all-hazards basis. Rizzqo makes that baseline something you can see and prove, not something you assert.
Risk analysis & infosec policies
Policies on risk analysis and the security of information systems that set the rules everything else is measured against.
Incident handling
A defined process to detect, respond to and recover from incidents, with reporting wired in from the start.
Business continuity
Backups, disaster recovery and crisis management so essential services keep running through disruption.
Supply-chain security
Security in relationships with direct suppliers and service providers, including their handling of your data.
Secure acquisition & development
Security in the acquisition, development and maintenance of systems, including vulnerability handling.
Effectiveness assessment
Policies and procedures to assess whether the risk-management measures actually work.
Cyber hygiene & training
Basic cyber-hygiene practices and regular security awareness training across the workforce.
Cryptography & encryption
Policies and procedures on the use of cryptography and, where appropriate, encryption.
Access control & assets
Human-resources security, access-control policies and asset management across the estate.
MFA & secure comms
Multi-factor authentication, secured voice, video and text, and secured emergency communications.
A significant incident starts a staged clock
For any significant incident, NIS2 sets a staged reporting timeline to the national CSIRT or competent authority. Rizzqo keeps you ready to meet each stage on time, with the proof already in hand.
Early warning
Within 24 hours of becoming aware, an early warning flagging whether the incident may be unlawful or cross-border.
Incident notification
Within 72 hours, a fuller notification with an initial assessment of severity, impact and any indicators of compromise.
Progress report
On request from the authority, an intermediate status update on how handling and recovery are progressing.
Final report
Within one month of the notification, a final report with root cause, mitigation taken and cross-border impact.
The baseline, live on the systems it governs
The ten measures stop being a policy document and become live work on the systems they govern — owned, kept on track, and backed by real evidence rather than asserted on paper.
Measures linked to real assets
Your NIS2 program is grounded in the systems you actually depend on, not a generic checklist. Each of the ten measures is tied to the real thing it protects, so scope reflects how you truly run.
- Grounded in the systems you actually run
- Each measure tied to what it protects
- Risk priced in real money, not a heat-map colour
Clear ownership, evidence that stays current
Every measure has a clear owner, and the proof builds up as your teams do the work — so you stay audit-ready instead of scrambling to reconstruct it before an inspection.
- A clear owner on every measure
- Proof that stays current, not rebuilt in a rush
- Audit-ready for proactive supervision at any time
Ready the moment the clock starts
When an incident is significant, you are ready for the 24-hour, 72-hour and one-month deadlines — the context you need is already in hand, so each report is assembled, not improvised.
- Ready for the 24h, 72h and one-month deadlines
- The context you need already in hand
- Early warning, notification and final report on tap
NIS2 rides on the ISMS you already run
Most of the Article 21 measures already live in an ISO 27001 ISMS — risk analysis, incident handling, access control, cryptography, supplier security. Run both on one set of assets in Rizzqo and a control proven for ISO 27001 counts for NIS2 the moment you add it, with no parallel project.
Be audit-ready before the 24-hour clock starts.
See where you stand against the Article 21 measures, and be ready for every Article 23 deadline before the clock starts.
NIS2 questions, answered
NIS2 covers medium-sized and larger organisations across eighteen sectors, including energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, manufacturing of critical products and digital providers. The larger and most critical operators are classed as essential entities; the rest within a covered sector are important entities. Some critical operators are in scope regardless of size. Rizzqo helps you settle the question with evidence rather than guesswork.
Both classes must implement the same Article 21 risk-management measures and meet the same Article 23 reporting deadlines. The difference is supervision and penalties. Essential entities face proactive oversight, meaning audits, inspections and scans even without an incident, with fines up to 10 million euro or 2 percent of global annual turnover. Important entities face reactive oversight that is triggered by evidence of non-compliance, with fines up to 7 million euro or 1.4 percent of global annual turnover.
For a significant incident, Article 23 sets a staged timeline to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware, a fuller incident notification within 72 hours, an intermediate update on request, and a final report within one month of the notification. Rizzqo keeps you ready to meet each stage on time, with the proof already in hand.
Yes. NIS2 overlaps heavily with ISO 27001, and an information-security management system already covers most of the Article 21 measures, from risk analysis and incident handling to access control, cryptography and supplier security. In Rizzqo both frameworks run on the same assets, so a control you proved for ISO 27001 counts for NIS2 immediately, leaving only the genuine NIS2-specific gaps to close.
Article 20 makes management bodies accountable: they must approve the risk-management measures, oversee their implementation and undergo training, and personal liability is possible for failures. Because Rizzqo keeps ownership clear and evidence current on your real systems, leadership gets a defensible, up-to-date view of where the organisation stands rather than a point-in-time snapshot.