Who's affected

Essential and important entities across energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, ICT service management, postal services, waste management, manufacturing of critical products, food, and digital providers (cloud, data centre, online marketplaces).

Key obligations

• Risk-management measures (Art. 21): policies, incident handling, business continuity, supply-chain security, vulnerability disclosure, cryptography, MFA, secure development, training.
• Incident reporting (Art. 23): early warning within 24 hours, incident notification within 72 hours, final report within one month.
• Management body accountability — directors can be personally liable for non-compliance.

What Argitron delivers

Most NIS2 Article 21 measures map cleanly onto ISO 27001 Annex A controls Argitron already covers. The incident-reporting workflow is built in: declared incident → 24-hour early-warning template → 72-hour notification template → 30-day final report, with timestamps and approvals captured.