The term “NIS-2” refers to EU Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the European Union. It is the successor to the original NIS Directive and broadens the scope, strengthens cybersecurity risk-management requirements and significant incident reporting obligations, and reinforces supervision and cooperation at EU level. In a software context, “NIS-2” therefore does not describe a single software module, but a regulatory field of application. It mainly affects medium-sized and large entities in critical and highly important sectors; management bodies must approve and oversee cybersecurity measures, while organisations must implement appropriate technical, operational, and organisational safeguards.
Asset and System Inventory: Recording and maintaining IT assets, systems, applications, interfaces, and critical dependencies as a basis for protection needs and risk assessments.
Risk Analysis and Action Management: Identifying, assessing, and prioritising cyber risks, while tracking planned and implemented mitigation measures.
Policy and ISMS Support: Managing security policies, controls, approvals, versions, and evidence for internal and external audits.
Incident Detection and Reporting Workflows: Detecting, classifying, and handling security incidents, including escalation and reporting processes to support deadlines for early warning, incident notification, and final reporting.
Business Continuity and Backup Management: Supporting contingency planning, backup management, recovery and restoration testing, and crisis management.
Vulnerability and Patch Management: Detecting, assessing, and remediating vulnerabilities, while coordinating updates, patches, and disclosure processes.
Supplier and Third-Party Risk Management: Assessing service providers, cloud vendors, and other suppliers with regard to security requirements, contractual obligations, and supply-chain risks.
Identity and Access Management: Managing roles, permissions, access controls, and multi-factor authentication.
Logging, Traceability, and Reporting: Logging security-relevant events, maintaining audit-ready evidence, and providing dashboards and reports for management, compliance teams, and supervisory authorities.
Training and Awareness Management: Planning, documenting, and evaluating cybersecurity training for employees and management bodies.
These functional areas are typically derived from NIS-2 requirements relating to risk management, incident handling, business continuity, supply-chain security, vulnerability handling, access protection and logging, as well as governance and training.
An energy provider uses GRC or ISMS software to assess cyber risks, document measures, and present implementation status transparently to executive management.
A data centre operator deploys a SIEM or SOC platform to detect incidents early and manage reporting workflows for NIS-2-compliant notifications.
A hospital uses a third-party risk management solution to assess cloud and IT service providers against security criteria and document supply-chain risks.
An industrial company plans and documents backup, recovery, and emergency tests in resilience or BCM software.
An organisation consolidates vulnerability management, action tracking, policy management, and audit evidence in a central compliance platform to prepare for audits and regulatory supervision.