National cybersecurity authority | October 2024 | Directive (EU) 2022/2555

NIS2

NIS2 requires risk management, management accountability, incident reporting, and evidence that security controls are working. Splnit.eu turns those obligations into controls, evidence tasks, and document workflows for EU SMB teams.

Practical impact for EU SMBs.

  • Medium and large organisations in sectors listed by NIS2, usually from 50 employees or EUR 10 million turnover.
  • Digital infrastructure, cloud, managed IT, online marketplaces, and other digital service providers.
  • Manufacturing, energy, healthcare, transport, and suppliers supporting regulated services.
  • SMB suppliers that need to prove cybersecurity maturity to enterprise customers.

What needs to be provable.

Article 21(2)(j)

Multi-factor authentication

Strong authentication for users, privileged accounts, and remote access.

Due: active

Article 21(2)(e)

Vulnerability management

Track vulnerabilities, prioritise remediation, and keep evidence of the response.

Due: continuous

Article 23

Incident response

Prepare early-warning and follow-up reporting for significant incidents.

Due: 24 hours

Article 21(2)(d)

Supply-chain risk

Assess ICT suppliers and document risks in contracts, reviews, and evidence packs.

Due: active

Risk is measured in money, contracts, and lost trust.

Violation type | Maximum sanction | Enforcement
Essential entities | EUR 10 million or 2% of worldwide turnover | National authority
Important entities | EUR 7 million or 1.4% of worldwide turnover | National authority
Late incident reporting | Depends on severity and turnover | National authority

Turn obligations into controls, evidence, and deadlines.

Control mapping

Map NIS2 Article 21 measures to concrete controls and evidence requirements.

Automated checks

Collect evidence from Microsoft 365, AWS, and GitHub where automation is available.

Incident evidence

Keep an audit trail for incidents, access, vulnerabilities, and supplier risk.
