FRAMEWORK · NIS2

NIS2 — EU Directive 2022/2555.
Comply in weeks, not months.

Applicable since 18 October 2024 for essential and important entities. Fines of up to €10 million or 2% of global annual turnover, whichever is higher. Itamite covers the technical requirements of Art. 21 with signed evidence for your competent authority.

Who does NIS2 apply to?

Essential and important entities in the sectors of Annex I and Annex II of the Directive: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, chemicals, food, manufacturing (medical devices, electronics, electrical equipment, machinery, vehicles), digital providers (online marketplaces, search engines, social networking platforms) and research.

Typical thresholds: 50+ employees or > €10M annual revenue. In Spain, the official list is published by INCIBE-CERT. If in doubt, INCIBE provides a public self-assessment tool.

Fines: up to €10M or 2% of global annual turnover, whichever is higher (essential entities); up to €7M or 1.4%, whichever is higher (important entities). Management bodies must approve the measures and can be held personally liable for non-compliance (Art. 20).

ART. 21 REQUIREMENTS — TECHNICAL MEASURES

NIS2 ↔ Itamite controls mapping

What NIS2 requires vs what Itamite collects automatically.

Art. 21.2.a — Risk analysis and IS policies

Itamite covers: Complete asset inventory as input for risk analysis. Measured security posture feeding the risk matrix. Out of scope: formal risk analysis and written policies are organizational work.

Art. 21.2.b — Incident management

Itamite covers: Immutable hash-chain audit log with full traceability. Incident detection via alerts (configuration changes, posture deviations). Event forwarding to your SIEM (Splunk, Sentinel, Elastic).

Art. 21.2.c — Business continuity

Itamite covers: Updated inventory available for BCP/DRP. Itamite Enterprise SLA with RTO 1h, RPO 1h. Out of scope: your organization's actual BCP/DRP.

Art. 21.2.d — Supply chain security

Itamite covers: Public SBOM in SPDX 2.3 and CycloneDX formats. SLSA Build Level 2 with build provenance. Publicly documented sub-processors. EOL software detection in your fleet.

Art. 21.2.e — System acquisition and maintenance

Itamite covers: Detection of pending patches, EOL software, known vulnerable versions (CVE). Centralized update deployment. Declarative policies that maintain correct configuration continuously.

Art. 21.2.f — Effectiveness of measures (measurable)

Itamite covers: Posture score 0-100 measured objectively and comparable month over month. KPIs per control (what % of assets pass each control). Time trends with evidence. This is what Art. 21.2.f asks for: policies and procedures to assess the effectiveness of the risk-management measures, which requires measurements you can repeat.

Art. 21.2.g — Basic hygiene + training

Itamite covers (hygiene part): antivirus, firewall, patches, disk encryption, screen lock, Office macros configuration, USB control. All measured automatically by agent. Out of scope: personnel training.

Art. 21.2.h — Encryption

Itamite covers: Disk encryption detection (BitLocker, FileVault, LUKS) on each asset. TPM version, Secure Boot. Platform's own in-transit and at-rest encryption. Optional BYOK.

Art. 21.2.i — Human resources security, access control and asset management

Itamite covers: Detection of local administrator accounts, Guest account, auto-login, password policy on each asset. Asset inventory as the register of systems. SSO/SAML for access to the Itamite console itself. Access audit.

Art. 21.2.j — MFA, secured communications and emergency communications

Itamite covers: MFA mandatory for administrators of the Itamite console. Upcoming: integration with Syphrax (E2E encrypted voice/video messaging) planned for Q4 2026. Meanwhile, notifications via encrypted email, Slack and Teams.

PRACTICAL PROCESS

From zero to NIS2-ready in 4-6 weeks

01

Week 1: agent deployment + inventory

Itamite agent deployment via GPO/Intune in your fleet. In 24-48h you have complete inventory of hardware, software, configuration, patches.

02

Week 2: NIS2 activation + baseline measurement

Activate NIS2 framework in Compliance → Frameworks. Itamite automatically maps agent controls to NIS2 articles. You have the current compliance baseline.

03

Weeks 3-4: remediation

You apply mass corrections via remote commands and declarative policies (BitLocker, antivirus, patches, SMB configuration). Itamite recommends order by greatest impact on compliance percentage.

04

Week 5: organizational documentation

While Itamite maintains technical measures, your team prepares written policies, personnel training, continuity plan, ICT supplier registry. This is non-automatable organizational work.

05

Week 6: final report + communication

You generate the SHA-256 signed NIS2 report from Itamite. Combine it with organizational documentation. Communicate your conformity to your competent authority.
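The mapping above relies on two properties of the evidence: the audit log is a hash chain (Art. 21.2.b), and the final report carries a SHA-256 digest that is signed. The following is an added example written for this page, not Itamite's own code or format, showing why chaining plus a signature over the head hash detects both edits to a single entry and edits that recompute later hashes. The event layout, the HMAC key and the control names are constructed for the demonstration; a real platform would typically use an asymmetric signature in place of the HMAC.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample posture events, in a layout invented for this example
# (not Itamite's actual event schema).
SAMPLE_EVENTS = [
    {"asset": "ws-0012", "control": "bitlocker", "status": "pass", "ts": "2025-03-01T08:00:00Z"},
    {"asset": "ws-0012", "control": "local_admins", "status": "fail", "ts": "2025-03-01T08:00:05Z"},
    {"asset": "srv-003", "control": "patches", "status": "pass", "ts": "2025-03-01T08:01:00Z"},
]

GENESIS = "0" * 64  # "previous hash" of the first entry


def canonical(obj) -> bytes:
    # Stable serialisation so identical events always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor's hash and its own content.
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"prev": prev, "event": ev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def report_digest(chain) -> str:
    # The report digest is the head hash: it transitively covers every entry.
    return chain[-1]["hash"] if chain else GENESIS


def sign_report(digest: str, key: bytes) -> str:
    # Stand-in for the platform's signature (assumption: HMAC-SHA256 here).
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_report(digest: str, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_report(digest, key), tag)


def tamper(chain, idx, new_status, recompute_hash=False):
    # Simulate an attacker editing one entry, optionally fixing up its own hash.
    t = copy.deepcopy(chain)
    t[idx]["event"]["status"] = new_status
    if recompute_hash:
        t[idx]["hash"] = entry_hash(t[idx]["prev"], t[idx]["event"])
    return t


if __name__ == "__main__":
    key = b"constructed-demo-key"
    chain = build_chain(SAMPLE_EVENTS)
    tag = sign_report(report_digest(chain), key)
    print("intact:", verify_chain(chain), verify_report(report_digest(chain), tag, key))
    # Naive edit: the entry's own hash no longer matches.
    print("edited entry 1:", verify_chain(tamper(chain, 1, "pass")))
    # Edit with recomputed hash: the next entry's 'prev' link breaks instead.
    print("edited+recomputed entry 1:", verify_chain(tamper(chain, 1, "pass", True)))
    # Edit the last entry with recomputed hash: chain verifies, signature does not.
    last = tamper(chain, 2, "fail", True)
    print("edited last entry:", verify_chain(last), verify_report(report_digest(last), tag, key))
```

The last case is the important one for a report handed to an authority: the chain alone cannot detect a rewritten tail, so the head hash has to be signed (or published somewhere the operator cannot change) at the time the report is generated.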

FAQ

Common questions about NIS2

Is my company subject to NIS2?
If you operate in one of the Annex I or II sectors (energy, transport, banking, financial market infrastructures, health, water, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier, waste, chemicals, food, manufacturing, digital providers, research) and you are at least a medium-sized enterprise (50+ employees, or €10M+ annual turnover or balance sheet). Some entities are in scope regardless of size, for example providers of public electronic communications networks, trust service providers, TLD registries and DNS providers, and sole providers of a service in a Member State.
Does NIS2 require using a specific tool like Itamite?
No. NIS2 is vendor-agnostic. But it requires effective and measurable technical measures, which in practice means having some form of asset and posture management platform. Itamite is a European and sovereign option specifically designed to cover NIS2 with signed evidence.
Does the competent authority accept the Itamite report?
Yes. The NIS2 report Itamite generates includes technical evidence with verifiable SHA-256 signature, format compatible with INCIBE-CERT templates. Accepted in audits and conformity verifications conducted to date.
What if I have a NIS2 incident?
Art. 23 requires notification of significant incidents to the CSIRT or competent authority within 24h (early warning), 72h (incident notification) and 1 month (final report). Itamite helps with the immutable audit log, which serves as technical evidence of the incident, but the administrative notification is something you must manage yourself.
Is Itrion Software an ICT provider subject to NIS2?
Yes. Itrion is an important entity in the "managed ICT services provider" category. We comply with NIS2 internally: external audit, incident response plan, 24h CSIRT communication, semi-annual reports to authority. Documentation under NDA available for Enterprise customers.

Do you have a NIS2 audit this year?

45-min demo with real case. We show you the signed NIS2 report and the remediation plan.