Background image
Home Sectors Technology Lawyers NIS2 Applicability Self-Assessment

NIS2 APPLICABILITY SELF-ASSESSMENT

NIS2 APPLICABILITY SELF-ASSESSMENT

Does your business fall under the NIS2 Directive?

We have prepared a brief short self-assessment tool to check whether your organisation is likely to be subject to the requirements of Network and Information Systems Directive 2 (Directive (EU) 2022/2025) ("NIS2"): the EU’s strengthened cyber-security framework for essential and important entities.

Why this matters:

If your business is in scope of NIS2, it may soon face obligations around cyber-risk management, reporting, governance accountability and potentially significant penalties for non-compliance.

Status of NIS2 implementation across EU jurisdictions

(Date of publication: March 2026. This map is based on publicly available information. We will continue to review and update it on a regular basis as new information becomes available.)

Share Print
NIS2 – affected sectors

NIS2 introduces a harmonised legal framework to strenghten cybersecurity within 18 critical sectors throughout the EU. Beyond those previously included under the NIS1 Directive - such as energy, transport, healthcare, financial services, water management, and digital infrastructure – NIS2 extends to providers of public electronic communications, a broader range of digital service providers (including social media platforms), waste and wastewater management, manufacturing of critical products (medical devices, computers, electronics, motor vehicles), food production and distribution, chemicals, postal and courier services, public administration, and the space sector.

NIS2 – key changes

Entities falling within the scope of NIS2 are required to comply with a comprehensive set of cybersecurity and governance obligations. These include in particular:

  • cybersecurity risk management and resilience: implementing appropriate and proportionate technical and organisational measures, such as risk assessments, incident prevention and management, supply chain security, and the secure development and maintenance of ICT systems.
  • incident detection, response and reporting: establishing capabilities to detect, manage and respond to incidents, as well as complying with strict and short timelines for reporting significant incidents to competent authorities.
  • governance and accountability: ensuring active oversight by management bodies, including the approval and supervision of cybersecurity measures, integration of cybersecurity into the organisation’s overall risk management framework, and accountability for non-compliance.

These obligations are risk-based and proportionate, requiring organisations to tailor their approach to their size, sector, and level of exposure to cybersecurity risks.

The UK position

Whilst NIS2 is not being implemented in the UK, there are parallel provisions implemented under the Network and Information Systems Directive Directive (EU) 2016/1148 ("NIS") which remain in force and are currently being amended by new UK legislation. Our team is experienced in advising on the differences between NIS2 and the parallel NIS provisions in the UK and can support you if your business may need to comply with both regimes.

PE report

NIS2 Self-Assessment Tool

Please note that the NIS2 Tool is based on the wording of NIS2, which is intended to be reflected in national implementations across EU Member States. The NIS2 Tool is intended as a preliminary risk assessment and is not a substitute for legal advice.

Fill out the form
Terms and conditions

AG's NIS2 Tool is intended as a general overview of NIS2. The information provided was accurate as of the day of the publication of the NIS2 Tool*. However, the law may have changed since that date.

This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. AG's NIS2 Tool will provide you with a set of questions for you to answer and self-assess how the scope of NIS2 may apply to you.

Your use of our NIS2 Tool does not create:

(a) a contractual or client-lawyer relationship or

(b) a duty of care,

between any member of the AG Group and any end-user or any other party.

AG takes no responsibility for the contents of the NIS2 Tool or for any actions taken or not taken on the basis of using it. You remain responsible for your own legal and regulatory compliance. Your access to and use of the NIS2 Tool does not grant you any right, title, or interest in the intellectual property of any other party. Copyright in the content and layout of the NIS2 Tool is owned by AG. You are not permitted to modify in any way digital copies of any part of the NIS2 Tool. You are not permitted to distribute or copy any part of the NIS2 Tool for any commercial purposes. For further information regarding how your data will be used, please see Addleshaw Goddard's Global Privacy Notice.

*Date of publication of the NIS2 Tool: March 2026.

© Addleshaw Goddard LLP. This document is for general information only and is correct as at the publication date. It is not legal advice, and Addleshaw Goddard assumes no duty of care or liability to any party in respect of its content. Addleshaw Goddard is an international legal practice carried on by Addleshaw Goddard LLP and its affiliated undertakings – please refer to the Legal Notices section of our website for country-specific regulatory information.

Key contacts

Szymon Sieniewicz
Szymon Sieniewicz
Counsel, Head of TMT/IP (Poland)
Manuela Finger
Manuela Finger
Partner, Intellectual Property, Data Protection & IT, Commercial
Germany
Elisabeth Marrache
Elisabeth Marrache
Partner, IP/IT & Data Protection
France
Samuel Martínez
Samuel Martínez
Counsel, Head of IS and Technology, Data Protection and Intellectual Property
Madrid, Spain
David Hackett
David Hackett
Partner, IP/IT & Data Protection
Dublin, Ireland
James Moss
James Moss
Director of Cyber Investigations
Manchester
Natalie Trainor
Natalie Trainor
Partner, Commercial
London

Related expertise