NIS2

Cyber resilience for the systems your country relies on

NIS2 raises the cybersecurity bar for essential and important entities. Scrydon brings policy-as-code, mTLS, immutable audit and air-gap-capable deployment to the AI and data workloads at the core of critical infrastructure.

What it is

NIS2 Directive (NIS2)

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated baseline for a high common level of cybersecurity across the Union. It widens scope to many more sectors, distinguishes essential and important entities, and imposes risk-management measures, governance accountability for management bodies, incident-reporting obligations with strict timelines, supply-chain security duties and significant penalties. As a directive it is transposed into national law by each Member State.

At a glance

Jurisdiction: European Union
Applies to: Essential and important entities across critical sectors — energy, transport, water, health, digital infrastructure, public administration, manufacturing and more — and their supply chains.
How we help

How Scrydon helps you comply

Controls are built into the runtime, so compliance is something you can demonstrate with evidence drawn from the platform itself — not assembled after the fact.

Cybersecurity risk-management measures

Policy-as-code authorisation, fail-closed defaults, three-tier access control and an mTLS service mesh provide the technical risk-management measures NIS2 expects: least privilege, strong access control, encryption in transit and enforced policy across AI and data workloads.

Immutable audit and incident handling

The immutable, queryable audit log records actor, IP and decision detail with retention controls, supporting the detection, analysis and reporting of significant incidents within NIS2's tight notification timelines and providing evidence for after-action review.

Air-gapped and sovereign deployment

For the most sensitive critical-infrastructure environments, the platform supports air-gapped and on-premises deployment, so AI and analytics can run entirely within isolated, sovereign networks with no external dependency — a strong posture for essential-entity resilience.

Supply-chain and vendor control

Opt-in external AI vendors, document clearance and classification, and BYOK/HYOK key strategies give you control over your AI and data supply chain, addressing NIS2's emphasis on supply-chain security and third-party risk.

Framework evidence packs

Evidence packs map platform controls to NIS2 themes alongside ISO 27001 and NIST, giving security and compliance teams a documented basis for the risk-management and governance measures the directive requires the management body to oversee.

Key requirements

What NIS2 asks of you

  • Adopt appropriate technical, operational and organisational cybersecurity risk-management measures.
  • Ensure management-body accountability and oversight of cybersecurity.
  • Report significant incidents within the directive's notification timelines.
  • Secure the supply chain and manage third-party and vendor risk.
  • Implement access control, encryption and business-continuity measures.
  • Maintain incident handling, vulnerability management and security testing.
  • Register with the relevant national competent authority where required.
FAQ

Frequently asked questions

How does Scrydon help with NIS2 compliance?
Scrydon brings NIS2-aligned technical measures to AI and data workloads: policy-as-code and three-tier access control for access management, an mTLS service mesh and fail-closed defaults for secure-by-design operation, an immutable audit log for incident handling, and air-gapped deployment for the most sensitive environments. Evidence packs map these to NIS2 themes. Scrydon supplies the controls and evidence; your governance, registration and incident reporting to the national authority remain your responsibility.
Can Scrydon run in air-gapped critical-infrastructure environments?
Yes. The platform supports air-gapped and on-premises deployment, so AI, analytics and agentic workloads can run entirely within isolated sovereign networks with no external connectivity. For essential entities operating critical systems, this removes whole classes of external dependency and supports a strong NIS2 resilience posture.
How does the platform support incident reporting timelines?
NIS2 requires early warning and follow-up reporting of significant incidents within strict windows. The immutable, queryable audit log gives you the actor, IP and decision detail needed to detect and characterise an incident quickly and to assemble the information for notification. The platform provides the evidence; meeting the timelines and notifying your competent authority remain yours to operate.
Does NIS2 cover supply-chain security, and how does Scrydon help?
Yes — supply-chain and third-party risk is a core NIS2 theme. Scrydon keeps external AI vendors opt-in, controls what any model can access through document clearance and classification, and lets you hold your own keys with BYOK/HYOK. This gives you a governable, transparent AI and data supply chain rather than opaque external dependencies.
Who does NIS2 apply to?
NIS2 applies to essential and important entities across a wide range of sectors — including energy, transport, water, health, digital infrastructure, public administration and manufacturing — and is transposed into national law by each EU Member State. If your organisation operates critical services, Scrydon's sovereign, air-gap-capable architecture is well suited to the resilience the directive demands.