
nis2 · listed

EU NIS2 Directive (2022/2555) gap analysis — scope determination (essential vs important entities across 18 sectors), governance obligations (Art 20), 10 baseline risk-management measures (Art 21), incident reporting timelines (Art 23), and Dutch implementation via the Cyberbeveiligingswet.
roodlicht/accans-sec-skills · ★ 4 · Data & Documents · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# NIS2 Gap Analysis

> **Disclaimer**: this skill is not legal advice. It helps with scoping and a technical gap analysis against the directive's text. Final legal qualification (entity classification, sanctions risk, contractual consequences) requires advice from a lawyer with NIS2 experience, possibly together with a compliance department or external counsel.

## When to use

The NIS2 directive (EU 2022/2555) replaces NIS1 and entered into force on 17 October 2024. The Netherlands implements it through the Cyberbeveiligingswet (`[verify current status — the legislative track has been in motion through 2024 and 2025]`). This skill covers both: the EU directive text as the primary source, the NL implementation as the application.

Triggers on:

- A question like "is our organization in scope of NIS2", "what do we need to do for NIS2", "NIS2 gap analysis", "do we have an incident-reporting obligation", "what are the 10 measures".
- An organization considering whether it is an essential or important entity (sectors in Annex I and II), or whose suppliers have that status (contractual carry-through).
- A handoff from `iso27001` or `risk-register`: NIS2 Art 21 maps onto ISO 27001 Annex A and onto NIST CSF.
- An incident where the question "must we report this to CSIRT-NL" comes up.

### When NOT (handoff)

- Technical implementation of the 10 measures at code/system level → the relevant security skills (`secure-coding`, `sast-orchestrator`, `ir-runbook`, etc.). NIS2 demands that y