NIS2 · EU Directive 2022/2555 · Member-state law since 17 October 2024

NIS2, mapped and managed in one operating system.

NIS2 raises the bar for cybersecurity across thousands of European companies. Trust OS turns the directive's ten core measures into a continuously managed programme — with the governance, evidence and incident reporting built in.

10 measures covered · 24h early warning · 72h initial report · Management-body liability

Why this matters: HSE Ireland · 80% of IT down · 2021

On 14 May 2021, the Conti ransomware group breached the Health Service Executive — Ireland's national public health service and one of the largest employers in the country. Within hours, roughly 80% of the HSE's IT estate was encrypted, including the systems clinicians used to coordinate cancer therapy, radiology, maternity care and pharmacy supply. Outpatient appointments were cancelled, treatments were delayed, and hospitals fell back to paper records for weeks. The HSE refused to pay the demanded ransom of around €16 million; the attackers eventually released a decryption key for free, but the recovery took months and an independent review pegged the total cost at over €100 million.

The PwC post-incident review — published in full and now widely cited across EU cyber-policy discussions — reads like a NIS2 readiness checklist. The intrusion started with a single phishing email opened by one user. From there, the attackers moved laterally for roughly eight weeks, undetected, through an estate with no centralised security operations centre, missing multi-factor authentication on privileged accounts, gaps in patching and monitoring, and a security function that simply hadn't kept pace with the organisation. None of the failures were exotic. They were the basic hygiene gaps that NIS2 names by name.

Healthcare is one of NIS2's sectors of high criticality, so its larger providers are 'essential entities', and the HSE incident — alongside attacks on French regional hospitals, Düsseldorf University Hospital, several Belgian municipalities and the Vlaamse Universiteit Brussel — is exactly the pattern that drove the directive's expanded scope. NIS2's emphasis on multi-factor authentication, supply-chain due diligence, the 24-hour early-warning rule and management-body liability traces directly back to incidents of this shape — and to the recognition that 'advanced' attackers almost always exploit elementary failures, not novel exploits.

What NIS2 actually requires

The second Network and Information Security Directive replaces the original NIS directive of 2016 and applies, broadly, to medium and large organisations operating in 18 sectors — energy, transport, banking, health, digital infrastructure, ICT services, public administration, postal, waste, food, manufacturing, research and several others. It introduces two tiers — essential entities (the strictest oversight) and important entities — and leaves room for member states to designate additional ones.

The directive imposes ten cybersecurity risk-management measures. Every in-scope organisation has to implement, document and continuously prove all of them:

  • Risk analysis and information-system security policies.
  • Incident handling — detection, classification, response and recovery procedures.
  • Business continuity, including backup management and crisis management.
  • Supply chain security, including the security of the relationships with direct suppliers.
  • Security in the acquisition, development and maintenance of network and information systems.
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  • Basic cyber hygiene practices and cybersecurity training.
  • Use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  • Multi-factor authentication, secured voice/video/text comms and secured emergency comms where appropriate.

Reporting obligations

When a significant incident happens, the timeline is unforgiving:

  • Early warning — within 24 hours of becoming aware.
  • Incident notification — within 72 hours, with an initial assessment and indicators of compromise.
  • Final report — within one month of the incident notification, including the root cause and the mitigation taken.

The management body is personally responsible for approving the cybersecurity measures, supervising their implementation and being trained on cyber risk. Sanctions for essential entities go up to €10 million or 2% of global turnover, with up to €7 million or 1.4% for important entities.

We don't just talk about NIS2 — we run it.

NIS2 inside Trust OS

From the directive's text to a click-through workspace.

The NIST CSF pillars (Identify · Protect · Detect · Respond · Recover · Govern) appear as live tabs in Trust OS, each tracking the underlying NIS2 measures with owners, due dates and public/internal flags.

Trust OS — Cyber Fundamentals view · IDENTIFY pillar (framework controls, status and owners)

How Trust OS turns NIS2 into operations

Trust OS isn't a checklist tool — it's the operating system in which the ten measures actually run. Each measure has a workspace, owner and continuous evidence flow.

Risk register & governance

A live risk register that links every identified risk to the controls it depends on, the owner accountable for it and the management-body decision that approved its treatment. Quarterly board reviews are pre-built so the management-body obligation is always demonstrable.

Incident response with the 24h / 72h / 1-month clock built in

When an incident is logged, Trust OS starts the regulatory clock automatically, prompts the right roles, drafts the early warning and the 72-hour assessment, and stores the final report against the right framework reference.

Supply chain & third-party register

Every sub-processor and supplier is captured with its risk classification, contract security clauses and last-review date. Trust OS reminds you when a vendor's posture changes (cert lapse, breach disclosure, geographic shift).

Cyber hygiene & training

Built-in onboarding modules, phishing simulations and annual refreshers — with the participation evidence ready for inspection.

Already on the path? We map what you have

Most teams already run parts of NIS2 under different labels — ISO 27001, internal audit, business continuity drills. Trust OS detects existing controls (via document upload or integrations) and tells you where you genuinely have gaps versus where you just need a different label on the evidence you already produce.

Make NIS2 boring — in the best possible way.