NIS2 for essential & important entities
The competent authority audits your cybersecurity posture; we ship the runtime evidence for the AI-decisioning slice of it. Directive (EU) 2022/2555 (NIS2) places its risk-management and incident-reporting obligations on the essential entity or important entity running the service — not on any audit-layer underneath. Adjudon's role on this page is to make the AI-decisioning component of an Article 21 risk-management posture verifiable, the Article 23 incident-reporting cadence defensible, and the audit-trail of the AI subsystem readable for the BSI / national CSIRT auditor without hand-waving. We document this honestly so a security officer arriving here knows exactly which NIS2 obligations the audit-layer covers and which sit outside the runtime AI scope.
Scope
This page applies to organisations subject to NIS2 in their European jurisdiction:
- Essential entities — the larger operators in 11 sectors (energy, transport, banking, financial-market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT-service management, public administration, space)
- Important entities — mid-sized operators in 7 additional sectors (postal, waste management, chemicals, food, manufacturing of certain critical products, digital providers, research)
- DACH KRITIS sectoral scope: Germany's transposition
(
NIS2UmsuCG, in legislative pipeline as of 2026-05) extends the existing KRITIS regulation significantly — the practical effect is that ~30,000 German companies fall under NIS2 obligations rather than the ~2,000 under prior KRITIS. Operators that previously relied on sub-threshold status now qualify.
NIS2 entered into force on 16 January 2023; transposition deadline was 17 October 2024. Most member states missed it. National implementations vary in scope and penalty surface; the directive itself is the floor.
Adjudon is not itself an essential or important entity in the NIS2 sense for this audit-layer. The infrastructure used by an operator to run AI-driven decisioning under their cybersecurity posture is what this page covers.
Roles
| Role | Party | NIS2 basis |
|---|---|---|
| Essential / important entity | Your organisation | Art. 3 |
| Management body (accountable) | Your executive sponsor | Art. 20 (governance) |
| Audit / policy infrastructure | Adjudon | Out of scope as a regulated entity |
| Competent authority | National (e.g. BSI in Germany) | Art. 8 |
| CSIRT recipient | National CSIRT | Art. 10 |
NIS2 makes the management body personally liable for compliance
failures (Art. 20(1)). This is one of the most material changes
from NIS1 and is why the audit trail of who did what when on the
AI decisioning subsystem is load-bearing for board-level
accountability.
Article 21 — risk-management measures
Article 21(2) lists ten cybersecurity risk-management areas the entity must address. The mapping below is the AI-decisioning slice — what Adjudon evidences for the audit-layer of that subsystem. Other Article 21 areas (network security, supply-chain security, identity management, business-continuity) live with the operator's broader security stack.
| Art. 21(2) measure | What Adjudon evidences |
|---|---|
| (a) Policies on risk analysis & information-system security | Policy Engine + per-policy audit log; explicit verdicts (block / flag / approve) on every trace |
| (b) Incident handling | Multi-Clock Incident Hub with NIS2 24 h / 72 h / 30 d clocks |
| (c) Business continuity (backups, crisis management) | Out of scope — operator's broader infra concern |
| (d) Supply-chain security | The audit-layer is one supplier; operator owns the rest of the SBOM |
| (e) Security in network & information systems acquisition | Adjudon ML-BOM (CycloneDX 1.7) attached per trace |
| (f) Effectiveness assessment | CPI dashboard tracks compliance posture index over time |
| (g) Cyber-hygiene practices & training | Out of scope — operator's HR/training records |
| (h) Cryptography & encryption | Hash-chain anchored audit (SHA-256); encrypted SAML assertions optional |
| (i) Human-resources security | Out of scope — operator's HR controls |
| (j) Multi-factor authentication, identity, secure communications | SSO + MFA-on-top-of-SSO + SCIM (Enterprise+); session JWT blacklist |
The "out of scope" rows are where operators most often get caught in audit prep: assuming the audit-layer covers their broader network-security posture. It does not. Adjudon evidences the AI-decisioning subsystem within the operator's wider Article 21 estate.
Article 23 — incident reporting cadence
Article 23 imposes a staged cadence on every significant incident. The Adjudon Multi-Clock Hub ships the NIS2 template out-of-the-box; the offsets are the regulators' law, not configurable per-org.
| Checkpoint | Offset from clockStartedAt | What the entity submits |
|---|---|---|
| Early warning | 24 hours | Initial assessment to the CSIRT or competent authority — whether the incident is suspected to be malicious or has cross-border impact |
| Incident notification | 72 hours | Updated assessment with severity, impact, and (if known) indicators of compromise |
| Final report | 30 days | Detailed description, root cause, applied and ongoing remediation, cross-border impact |
The 24-hour early-warning clock is the strict gate. An entity that files at 25 hours has a regulator-readable late-notification entry in their Article 23 record — and Article 36 fines (up to €10 million or 2% of worldwide annual turnover for essential entities) attach to systematic late filings.
The Hub stamps every checkpoint completion with the operator's
evidenceTraceId cross-link, so when the auditor asks "show me
the trace artefact for the early-warning filing", the answer is a
single hash-chain anchor away.
DACH operator's typical first six weeks
A German entity newly captured by NIS2UmsuCG typically works
through five concrete deliverables in the six weeks after
in-scope confirmation:
- Register with the BSI (
Meldestelle) and confirm CSIRT contact details. Adjudon does not file the registration; the entity does. - Tabletop the 24-hour early-warning flow. Trigger a synthetic incident, walk through the Multi-Clock Hub, confirm every clock starts and the CSIRT recipient is reachable.
- Map the AI subsystem against Art. 21(2). Use the table above; the auditor wants the four "out of scope" rows explicitly named so the operator's own evidence layer fills them.
- Audit-log retention extension. Default 90-day retention is
below the BSI's typical request; Governance+ customers
configure
dataRetentionDaysto 365 (or up to 3,650 for BaFin-overlapped entities). - Management-body briefing. The Article 20 personal liability is news to many boards; the operator typically produces a board memo citing the audit-layer evidence capability before first audit cycle.
What this is NOT
- Not an Article 21 silver bullet. Adjudon evidences ten of the AI-decisioning rows in the table above. The other six rows live with the operator's wider security stack.
- Not auto-filing. The Multi-Clock Hub computes deadlines and records completions; the entity files the early-warning, notification, and final report directly with the CSIRT in the national-CSIRT-specific format.
- Not a substitute for ISO 27001. ISO 27001 is voluntary; NIS2 is mandatory for in-scope entities. Many operators run both for overlapping reasons; the ISO 27001 ISMS feeds the NIS2 Article 21 documentation but does not replace it.
- Not legal advice on scope. Whether your entity qualifies as essential or important under NIS2 is a legal determination the operator's counsel makes, not the audit-layer.
See also
- Multi-Clock Incidents — the deadline hub that runs the 24 h / 72 h / 30 d clocks
- Incidents API — the integration surface for incident creation and clock management
- DORA Compliance — the financial-sector parallel for ICT incidents (often overlapping scope for DACH banks)
- Sub-Processors — the Frankfurt-only data-residency posture NIS2 auditors expect
- Hash Chain — the tamper-evident anchor for clock checkpoint completions