NIS2 Compliance
The operations layer your Microsoft 365 needs
The NIS2 Directive has been in force across the EU since 17 October 2024. Every member state is transposing it into national law, and organisations in eighteen sectors are expected to show that they have taken appropriate technical and organisational measures. Attic runs the operational work on top of your Microsoft 365 environment and captures the evidence your regulator will ask for.
What is NIS2?
NIS2 is the EU directive on network and information security, replacing the 2016 NIS directive. The scope expanded from eight sectors to eighteen, and the bar for what counts as appropriate security measures rose significantly. Three things in the directive matter most for your organisation: a general duty of care, a mandatory reporting cascade for significant incidents at 24 hours, 72 hours and one month, and personal liability for management in cases of serious negligence.
NIS2 takes legal effect in each member state through national transposition. In the Netherlands this happens through the Cyberbeveiligingswet, expected to enter into force in 2026. In Germany, Belgium, France, Ireland and every other member state the transposition is local, but the substance is the same: Article 21 measures and the Article 23 reporting cascade apply across the entire Union.
The directive does not grade on effort. An organisation that cannot reconstruct what happened in its systems during an incident cannot demonstrate that the required measures were in place, regardless of how many policies are on the shared drive.
Does NIS2 apply to you?
NIS2 distinguishes between essential entities, which face proactive supervision and higher fines, and important entities, which face reactive supervision. The distinction sets the supervision regime, but the underlying obligations are identical for both categories.
Your organisation falls under NIS2 when all three conditions are met:
1. You operate in one of the eighteen designated sectors.
2. You have fifty or more employees, or annual turnover of ten million euros or more.
3. You provide goods or services in or to the European Union.
A selection from the eighteen designated sectors:
If NIS2 does not apply to you, it applies to your customers.
The directive requires organisations to manage risk across their supply chain. That obligation is pushing contractual cybersecurity requirements down through thousands of small and medium suppliers that are not themselves in scope. In practice, NIS2 now governs organisations far beyond the letter of the law, because regulated buyers require regulated-level security from everyone they depend on. Whether the pressure comes from law or from a customer contract, the deadline is the same.
The ten measures of Article 21
Article 21 of the directive sets out ten mandatory categories of security measures. Every national transposition inherits these categories unchanged. Each organisation is expected to implement them in a way that is proportionate to its risk profile, and to be able to prove it. Below are the ten measures, mapped to the Microsoft 365 tooling that provides the technical capability, and to the Attic layer that handles the operational work on top.
Risk analysis and information security policy
- Microsoft 365 tooling: Microsoft Secure Score, Defender for Cloud
- Attic operations: FIXER measures daily deviation from the CIS benchmark and reports per control.
Incident handling
- Microsoft 365 tooling: Microsoft Sentinel, Defender XDR
- Attic operations: MDR receives the alerts, triages them and confirms or escalates within minutes.
Business continuity, backups, crisis management
- Microsoft 365 tooling: Microsoft 365 Backup, Azure Backup
- Attic operations: Long-term log retention for forensic reconstruction, independent of Microsoft retention.
Supply chain security
- Microsoft 365 tooling: Compliance Manager, Entra ID
- Attic operations: Monitoring of GDAP relationships, OAuth applications and third-party access.
Security in acquisition, development and maintenance
- Microsoft 365 tooling: Defender for Cloud, Conditional Access
- Attic operations: FIXER detects configuration drift and remediates automatically where possible.
Assessment of the effectiveness of measures
- Microsoft 365 tooling: Compliance Manager, Secure Score
- Attic operations: Weekly reports of measurable progress per Article 21 category.
Basic cyber hygiene and training
- Microsoft 365 tooling: Attack Simulator, Defender for Office 365
- Attic operations: FREE warns users in real time at the moment of an AiTM phishing attempt.
Cryptography and encryption
- Microsoft 365 tooling: Microsoft Purview Information Protection
- Attic operations: Verification that labels, DLP and encryption are enforced on every mailbox.
Human resources security, access control, asset management
- Microsoft 365 tooling: Microsoft Entra ID, Intune
- Attic operations: BOUNCER monitors risky sessions, impossible travel and MFA bypass.
Multi-factor authentication and secure communications
- Microsoft 365 tooling: Entra MFA, Microsoft Teams
- Attic operations: Detection of MFA fatigue, token theft and break-glass misuse.
Whether you run Microsoft 365 Business Basic, Business Standard, Business Premium, E3 or E5, your tenant already contains a large share of the technical building blocks for Article 21. What is missing is not more licensing, but the operational layer that actually puts those building blocks to work, monitors them and captures the evidence. Attic plugs into whatever subscription you already have and fills exactly that gap.
Reporting obligations: 24 hours, 72 hours, one month
NIS2 introduces a three-phase reporting regime for significant incidents. An incident is significant when it causes serious disruption, meaningful financial damage, or impact on other organisations or individuals.
Phase 1 (within 24 hours)
Early warning to the regulator stating the basic facts: what has been observed, when it started, whether malicious action is suspected, and which sectors or countries may be affected. The notification is deliberately short. The point is speed.
Phase 2 (within 72 hours)
Incident notification with an initial assessment of severity, impact and indicators of compromise. By this point the regulator expects a structured view of what happened and how far it spread.
Phase 3 (within one month)
Final report: a full reconstruction of root cause, timeline, measures taken and lessons learned. This report becomes the basis for any follow-up action by the regulator.
The directive says nothing about how you gather the information. It only says you must be ready to submit it on time. Organisations without continuous monitoring lose the first hours of an incident trying to reconstruct what happened. Attic delivers that reconstruction as a side effect of normal operation, because every session, every configuration change and every alert has already been captured.
Penalties and management liability
For the first time, NIS2 introduces personal liability for management. The board can no longer delegate cybersecurity accountability entirely to IT. Supervisory authorities gain the power to temporarily suspend management from their functions in cases of serious non-compliance.
Essential entities: € 10 million or 2% of global annual turnover, whichever is higher.
Important entities: € 7 million or 1.4% of global annual turnover, whichever is higher.
Non-financial sanctions
- Temporary suspension of certifications or authorisations
- Public disclosure of the breach
- Temporary ban on executives holding management positions
For most small and medium organisations, the fine is not the biggest risk. The reputational fallout from a public sanction, and the downstream effect on customer contracts that now require NIS2-level security as a precondition, usually cost far more.
Where most SMBs get stuck
Picture a European manufacturer with 180 employees running on Microsoft 365 Business Premium. The board has put NIS2 on the agenda. The IT partner has rolled out MFA, enabled Defender and set up a backup schedule. The policy sits in a PDF. The certification is in the procurement file. On paper, the organisation is compliant.
On a Wednesday morning, an employee logs in to a phishing page that looks exactly like the company's Microsoft sign-in. The page sits between the user and Microsoft, captures the session token after the MFA prompt and hands the attacker full access to the mailbox, OneDrive and Teams within two minutes. The attacker sets an inbox rule that forwards any message containing "IBAN" or "bank details" to an external address, and waits.
Sixteen days later, a €94,000 invoice is paid to the attacker's IBAN. The fraud is discovered by the supplier, not by the manufacturer. The IT partner gets the call at 15:47 on a Friday.
What must happen within 24 hours
- Identify which accounts were compromised and when
- Identify which data was accessed
- Determine whether customer data was involved, triggering onward reporting duties
- File an early warning with the national regulator
What the manufacturer can actually do
Microsoft sign-in logs exist but are retained for thirty days by default. Nobody has looked at a sign-in log before. The attacker deleted the inbox rule. There is no baseline for what normal looks like. The IT partner can only answer "what happened" after an external incident response firm performs a forensic investigation, at a cost of fifteen to forty thousand euros over one to three weeks. The 24-hour notification is not going to be met. Not because no one wants to comply, but because no one knows what to report.
What Attic would have delivered in the same situation
BOUNCER would have detected the anomalous session token within minutes, flagged it as high risk and alerted the Attic SOC. The inbox rule creation would have triggered an immediate alert, classified as a business email compromise indicator. The sign-in data, session context and rule change would already be stored in the Attic log store, independent of Microsoft retention. The draft report for the regulator would be assembled by the SOC before the 24-hour deadline expired.
The difference is not in the tooling. Both organisations run on the same Microsoft 365 licence. The difference is whether there is someone reading the signals as they come in, and doing something about them.
Attic as your security operations
NIS2 requires an operational security function. For most European SMBs, hiring a dedicated security team is neither financially nor operationally feasible. An experienced SOC analyst costs between ninety and one hundred and forty thousand euros per year, and you need at least three to provide 24/7 coverage. Attic delivers that function as a service. Each Attic product covers part of Article 21. Together they form a complete operational layer on top of your existing Microsoft 365 environment.
FREE: Anti-phishing for users
Covers: cyber hygiene, incident prevention
Warns users in real time as they are about to enter credentials on an AiTM phishing page. The most common initial access vector is blocked before the session token reaches the attacker.
BOUNCER: Sign-in and session monitoring
Covers: access control, incident detection
Continuous monitoring of who logs in, from which device, from which location, and with what risk profile. Attic detects impossible travel, MFA bypass, token replay and break-glass misuse. Alerts flow 24/7 into the Attic SOC.
FIXER: Configuration hardening against the CIS benchmark
Covers: risk management, effectiveness assessment, technical measures
Daily measurement of more than 100 Microsoft 365 security settings against the CIS benchmark. Deviations are detected, classified and where possible remediated automatically. The output is a weekly report you can hand directly to your regulator.
MDR: Fully managed SOC
Covers: incident response, reporting obligation, business continuity
24/7 detection, triage and response by the Attic security team. During a significant incident, Attic produces the reconstruction, the timeline and the draft report needed for the 24-hour, 72-hour and one-month notifications. Logs are retained long term, independent of Microsoft default retention.
You can start with FREE or BOUNCER and grow into MDR at the point where your NIS2 programme, or your customer contracts, require it. There is no multi-month implementation. Most organisations are live within an hour.
Frequently asked questions about NIS2
The European directive has been in force since 17 October 2024. Each member state is transposing it into national law on its own timeline, and in most countries the national law is either already in effect or expected in 2026. Until your country’s law is active, there is no formal enforcement risk from the regulator, but customers, insurers and tenders are already requiring demonstrable NIS2 readiness in contracts.
By showing that you have implemented the ten measures of Article 21, that you monitor them continuously, and that you can reconstruct what happened in your systems during an incident. In practice that means a current risk register, a documented incident process, hardened configurations, logs with extended retention, and reporting that quantifies deviation from the baseline.
The directive does not mandate specific certifications. It does require that your organisation has sufficient expertise to assess risk, recognise incidents and respond in time. For most small and medium organisations, that translates into engaging a managed security service provider, because building in-house SOC capacity of sufficient depth is not financially viable.
Yes. The directive does not prohibit outsourcing, and explicitly recognises the role of managed security service providers. The condition is that accountability remains with your board and that the contract with your provider covers the incident reporting obligations and the long-term retention of evidence.
NIS2 is the European directive. Each member state transposes it into local law, which designates the sectors, the competent authorities and the reporting procedures for that country. The substance of Article 21 and the reporting cascade in Article 23 is uniform across the Union. In the Netherlands the transposition is called the Cyberbeveiligingswet.
Late reporting is a separate offence, independent of the underlying incident. The regulator can impose a separate sanction. In practice the bigger cost is the loss of trust with customers, insurers and procurement partners that now require demonstrable readiness.
No. Microsoft 365 provides the tooling for most of Article 21, but it does not provide an operational layer. The directive expects someone to monitor the signals and act on them, not just that the right features exist. That layer must be staffed internally or outsourced.
An MSP that falls within the directive’s scope, for example as a provider of digital infrastructure or managed services, must be compliant itself before it can serve customers that also fall in scope. Attic works with European MSPs and delivers the operational security layer they cannot build themselves.
Specialists in automated security operations
Attic Security was founded by world-class cyber experts with years of offensive and defensive security experience. Our team advises governments at the strategic level, including on the security of the NATO summit. That same expertise now runs inside an automated platform, making enterprise-grade security operations accessible and affordable for every organisation preparing for NIS2.
Start your NIS2 compliance today
Do not wait for national enforcement to start. Build the operational security layer now, and let the evidence accumulate before your regulator, insurer or largest customer asks for it.