
Are you actually in scope?

Most U.S. teams find out they're in scope by accident — a customer questionnaire, an EU subsidiary, or a regulator's letter.


NIS 2 took effect across EU member states starting October 2024, with active enforcement ramping through 2025 and 2026. The directive expanded the original NIS framework to cover medium and large organizations across 18 sectors — and it applies based on EU operations, not just EU headquarters. That pulls in U.S. parents with European subsidiaries, manufacturing plants, and operating entities that many leadership teams didn't realize were in scope.

Common in-scope triggers:

  • You operate an EU subsidiary, manufacturing plant, or affiliate in one of the 18 covered sectors — energy, transport, banking, healthcare, digital infrastructure, manufacturing of critical products, public administration, and more
  • You're a U.S. parent with European entities that meet the size and sector thresholds
  • You provide ICT or managed services to an Essential or Important entity in the EU
  • A customer has sent you a NIS 2 supplier questionnaire and you're not sure how to answer it
  • You're unclear which member state's transposition applies, or whether you're classified as Essential or Important

What regulators actually expect.

Formal registration, 10 mandated risk-management domains, a 24-hour clock, and personal liability for management.

NIS 2 raises the bar on what's expected — and on who's accountable. Risk-management requirements are defined and enforced according to each country's transposition, so what's owed in Germany isn't always what's owed in France or Ireland. The directive also makes management body accountability explicit, with personal liability for executives who fail to oversee cybersecurity risk.

What this means in practice:

  • Formal entity registration — with the national competent authority in each member state where you operate
  • Risk-management measures — across 10 mandated domains, defined and enforced per country transposition
  • Early warning and incident notification — 24-hour early warning and 72-hour incident notification to national competent authorities, followed by a final report
  • Management body accountability — with personal liability for executives
  • Audit-ready evidence — mapped to specific NIS 2 articles for regulator review

Where companies typically need help.

The gaps we see most often when we walk in.


Most U.S. companies have meaningful cybersecurity controls already — often mapped to SOC 2, HIPAA, or NIST CSF. The trouble with NIS 2 isn't that the controls are exotic. It's that the directive demands a different kind of governance, multi-country coordination, and faster reporting than existing programs were designed to produce.

  • Interpreting how NIS 2 applies across multi-country operations
  • Standing up incident notification SOPs that meet 24/72-hour clocks
  • Training local entities on completing compliance audits
  • Ensuring centralized NIS 2 governance that holds across the global footprint

Integrate, don't duplicate.

We embed NIS 2 into the GRC structures you already run — SOC 2, ISO 27001, NIST CSF — rather than building a parallel program.

How Reveal Risk gets you ready.

Three pillars: management oversight, documented accountability, and regulator-facing evidence.

We organize NIS 2 readiness around three pillars that match how regulators actually evaluate you. Where you already have controls that satisfy a NIS 2 obligation, we reuse them. Where the directive demands something new — like the 24-hour early-warning workflow or country-specific registration — we build it with you and embed it into your existing operations.

Establish Management Oversight

Turn NIS 2 obligations into a clear governance structure with accountable owners, decision rights, and executive visibility.

  • Define the NIS 2 governance operating model with clear ownership between global program leadership and local entity-level accountability, codified in a Governance Charter
  • Build the RACI mapping every NIS 2 obligation to a responsible owner across InfoSec, Legal, Privacy, Quality/GxP, Manufacturing, IT/OT, Procurement, and Executive Leadership
  • Design the end-to-end NIS 2 readiness process with clear handoffs
  • Stand up executive dashboards and board reporting that satisfy management body obligations

Document Accountability

Create defensible records that show how responsibilities, risk decisions, and role-specific obligations are assigned and managed.

  • Risk Acceptance Framework — formal process and templates for documenting risk acceptance with executive sign-off, rationale, compensating controls, and review triggers
  • Executive Accountability Matrix — maps NIS 2 obligations to named roles, designed to withstand regulatory scrutiny
  • Organizational Change Management — structured training curriculum for key stakeholders and a centralized knowledge base
  • Role-Specific Checklists — tailored action guides for General Counsel, DPO, Site Directors, and SMEs so they know exactly what NIS 2 requires of them

Regulator-Facing Documentation

Prepare the evidence, notifications, and submissions needed to respond confidently to national authorities.

  • Compliance Evidence Packages aligned to what national competent authorities expect during audits or inquiries
  • Incident Notification SOPs formatted per Member State requirements (24-hour early warning, 72-hour notification, final report)
  • Registration Submission Packages — country-specific documentation for entity registration with national authorities
  • Audit-Ready Control Evidence mapped to specific NIS 2 articles and organized for efficient regulator review

Not sure if NIS 2 applies to you?

That's the first thing we'll answer.
