NIS2 readiness
Nearly every NIS2 page assumes you are caught and quotes you for remediation. The question that decides what you spend is whether you are in scope at all.
Often you are not. That is a real answer, it is defensible, and it takes a day or two to establish. This page is the analysis, not the pitch.
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained · IRCA Associate Auditor - ISMS · CQI Practitioner Member - PCQI
The problem
NIS2 marketing has a shape. It opens with the fines, moves to the management liability, and arrives at a gap assessment. What it never does is stop at the top and ask whether the Directive reaches you - because if the answer is no, there is nothing left to sell.
The test at Art 2(1) is narrow and it is checkable. You are in scope if you are an entity of a type listed in Annex I or Annex II, and you are medium-sized or larger, and you provide services in the Union. Three limbs. Fail the first and the rest of the Directive never engages. And the first limb is a list of entity types, not a vibe about whether you feel like critical infrastructure.
So this hub leads with scope. Not because compliance does not matter if you are caught - Art 21 is a serious body of work and Art 34 fines are calculated against your group's turnover - but because the number of companies paying for NIS2 programmes they were never obligated to run is not small, and the advice that got them there was confident, plausible and wrong.
The scope test
Annex I carries 11 sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration and space. Annex II carries 7 other critical sectors: postal and courier, waste management, chemicals, food, manufacturing, digital providers and research.
An entity type listed in Annex I or Annex II
Not a sector you feel adjacent to. A type on the list. Art 2(1) is exact about this, and it is where most scope analysis should stop and usually does not. If your entity type is not named, nothing downstream in the Directive reaches you.
Medium-sized or larger
Per Recommendation 2003/361/EC. Art 3(1) makes Annex I types exceeding the medium ceilings essential entities, plus a size-blind list; Art 3(2) picks up the residual as important entities. For most SaaS this gate, not the cloud definition, decides the question.
Providing services in the Union
The third limb of Art 2(1), and the one that is usually uncontroversial once the first two are settled.
Or caught another way entirely
Art 2(2)(a) makes four types size-blind. Art 2(2)(b) to (e) allow individual designation regardless of sector. CER critical entities are in. A negative on the sector list is not automatically a negative overall.
Entity types, told apart
Checked against the Directive text on 17 July 2026. Size is a separate gate and comes after this one.
| Entity type | Listed? | Why |
|---|---|---|
| Cloud computing service provider | In - Annex I | Sector 8, Digital infrastructure, alongside IXPs, DNS providers, TLD registries, data centres, CDNs, trust services and public electronic communications. Not a contested call. |
| MSP / MSSP | In - Annex I | Sector 9, "ICT service management (business-to-business)". Art 6(39) defines the MSP; Art 6(40) the MSSP, which is an MSP carrying out cybersecurity risk-management activities. |
| Credit institution | In - Annex I | One of only three financial entity types NIS2 lists. Defined by reference to CRR Art 4(1). |
| Operator of a trading venue | In - Annex I | The second of the three, under Financial market infrastructures. MiFID II Art 4(24). An investment firm operating an MTF or OTF lands here. |
| Central counterparty | In - Annex I | The third and last. EMIR Art 2(1). That is the complete financial list. There is no fourth. |
| Investment firm (plain FX brokerage) | Out at Art 2(1) | Not a listed entity type. Not a credit institution, not operating an MTF or OTF, so not of a type referred to in Annex I or II. DORA applies to it directly instead. |
| Gambling operator | Not in either Annex | Gambling appears in neither Annex I nor Annex II, and Malta did not add it. But check your entity type separately - a licensee can still be caught as something else. |
| B2B SaaS | Genuinely contested | Depends on whether your service satisfies the operative Art 6(30) test. Germany and Denmark reach different answers on the same words. This is the real work. |
Financial entities
NIS2 Annex I lists exactly three financial entity types. Credit institutions, under CRR Art 4(1). Operators of trading venues, under MiFID II Art 4(24). Central counterparties, under EMIR Art 2(1). That is the complete list. Investment firms are not on it.
So a Cyprus Investment Firm doing FX brokerage, that is not a credit institution and does not operate an MTF or OTF, is outside NIS2 at Art 2(1). It is not an entity of a type referred to in Annex I or II. The Directive stops there.
What you will be told instead is that DORA displaces NIS2 for financial entities under Article 4. That is the right conclusion via the wrong mechanism. Art 4 is never reached. The question is moot.
This is not pedantry, and it is the clearest test we know of whether your adviser read the Directive or read another adviser. The wrong mechanism gives wrong answers the moment your facts move. Acquire an MTF or OTF and you become an Annex I sector 4 entity - and only then does Art 4 genuinely engage and displace NIS2 Chapters IV and VII. Someone who thinks Art 4 was already doing the work will not see that the ground shifted.
What does apply to the broker is DORA, directly, as an investment firm under DORA Art 2(1)(e), since 17 January 2025, supervised by CySEC. And there is a lighter path most firms are not told about: if you qualify as a small and non-interconnected investment firm, DORA Arts 5-15 do not apply to you. You get the Art 16 simplified ICT risk management framework instead. It is materially lighter, and it is easy to miss.
A trap at Art 2(10), while we are here. Entities that a Member State has exempted from DORA under DORA Art 2(4) fall outside both regimes. Worth checking before you assume one of them has you.
If you are a financial entity, DORA is where your obligations actually live. See DORA readiness - it has applied since 17 January 2025.
Art 4, for the entities it does reach
Art 4(1) is worth reading in its own words. Where a sector-specific act imposes at-least-equivalent requirements, "the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply".
DORA is the only act the Commission has recognised as equivalent. Commission Communication 2023/C 328/02, of 18 September 2023, lists it as the sole entry in its Appendix - anchored in DORA Art 1(2), DORA Recital 16, which calls DORA lex specialis, and NIS2 Recital 28. One act. Not a category.
What gets displaced is Chapter IV (Arts 20-25) and Chapter VII (Arts 31-37). So the Art 20 governance and liability duties go, and the Art 34 fines go with them. What survives is the part usually got wrong: Art 9, on national cyber crisis management frameworks, and Art 16, on EU-CyCLONe, continue to apply to entities in DORA's scope. Displacement is not disappearance.
And the precondition, again, because it is the whole point of this page: Art 4 only does anything for an entity NIS2 reaches in the first place. It is a rule about overlap. Where there is no overlap, there is nothing for it to resolve.
Gambling and iGaming
Nothing in the Directive names gambling, betting, casinos or lotteries as a sector. It is not in Annex I and it is not in Annex II.
Nor did Malta bring it in. That claim is circulating and it is false. L.N. 71 of 2025 runs 148 bilingual pages, and its consolidated Schedules reproduce the EU Annexes with no added sector. The MGA appears exactly once in the whole instrument: art 15A(1)(f), a seat on the National Cyber Security Steering Committee. A committee seat is not a competent-authority designation, and it creates no obligations for licensees. Italy extended its national annexes under D.Lgs. 138/2024, but not to gambling either.
Member States may extend, under the Art 5 minimum harmonisation clause, so this is a question to re-ask per jurisdiction rather than settle once and forget. We have verified Malta and Italy. We are not going to tell you no Member State anywhere has added gambling, because we have not checked all 27 and neither has whoever told you they had.
Now the half that gets skipped. "Not a listed sector" is not "no operator in scope". A Maltese operator is caught if it independently qualifies as a listed entity type - cloud, data centre, MSP or MSSP, online marketplace - or by individual designation under Art 2(2)(b) to (e).
Large operators frequently do run infrastructure that qualifies on its own footing. The gambling licence is not the hook. Your entity type might be, and that self-assessment is still worth doing properly.
Cloud, MSPs and the SaaS question
Start with what is clear. Cloud computing service providers are Annex I, sector 8, digital infrastructure - alongside IXPs, DNS providers, TLD registries, data centres, CDNs, trust services and public electronic communications. MSPs and MSSPs are Annex I, sector 9, ICT service management (business-to-business), defined at Art 6(39) and Art 6(40) respectively, an MSSP being an MSP carrying out cybersecurity risk-management activities. If you are one of these, the entity-type limb is answered and you move on to size.
Now the contested one. It has two halves, and conflating them is what produces most of the bad advice you have read.
Is SaaS a cloud service model?
Yes. Recital 33 is explicit: "The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS)". The terms take their ISO/IEC 17788:2014 meaning. There is no argument here.
Does your SaaS satisfy the operative Art 6(30) test?
Genuinely open. Art 6(30) defines a cloud computing service as "a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations". There is no EU classification test. There is no case law construing Art 6(30) - 217 works cite NIS2 and none of them is a judgment. ENISA's guidance does not address it.
A recital lists service models. It is not a deeming provision. The words that decide your case are the operative ones: "on-demand administration", "scalable and elastic", and "shareable" - that last implying multi-tenancy. Anyone who answers this by quoting Recital 33 at you has answered the first question and skipped the second.
One diagnostic for the advice you are reading. If it cites Implementing Regulation 2024/2690 for cloud or SaaS scope, it is citing a document that is silent on the subject - the instrument does not address it at all. The recital they mean is NIS2 Recital 33.
Where regulators disagree
This is not a gap in our research. It is the actual state of the law: national authorities construing identical text and reaching incompatible conclusions. Germany and Denmark are in direct conflict on the same fact pattern.
Germany (BSI)
BroadGenerally in. SaaS is treated as a cloud computing service, and the fact that you do not operate the underlying resources yourself "steht einer Einordnung nicht entgegen" - it does not preclude the classification. Simple webhosting with fixed capacity is carved out.
Belgium (CCB)
BroadestThe broadest reading of the three. The Belgian cloud definitions are presented as covering SaaS, IaaS and PaaS providers alike.
Denmark
NarrowNot automatic. There is not yet settled practice. A service built on third-party cloud elements cannot automatically be considered a cloud computing service, and a specialised fixed-function service is less likely to qualify.
Netherlands, Ireland, Austria
DeclinesThey decline to resolve it. Ireland's NCSC puts it plainly: "It is not the role of the NCSC to confirm if entities are, or are not, in scope."
Do not over-read this either, because ambiguity sells as easily as certainty does. Most real B2B SaaS is multi-tenant, elastic and self-serve, and satisfies Art 6(30) on its own terms. The arguable cases are the single-tenant, the fixed-capacity and the manually provisioned. If you are one of those, the argument is worth having and worth writing down. If you are not, the honest answer is that you are probably in, and you should hear that from us rather than from a supervisor.
The size gate
Art 2(1) requires you to be medium-sized or larger, per Recommendation 2003/361/EC. Art 3(1) makes Annex I types exceeding the medium ceilings essential entities, plus a size-blind list; Art 3(2) picks up the residual as important entities.
Size-blind status is narrow, and cloud is not on the list. Art 2(2)(a) covers only public electronic communications networks and services, trust service providers, TLD name registries and DNS providers. Add the Art 2(2)(b) to (e) designations and CER critical entities, and that is the whole of it. So if you are a SaaS company worrying about Art 6(30), check your headcount and your accounts first. The definition may never need to be argued.
The financial limb is conjunctive, and this is where people get it wrong in both directions. You exit "small" only if you have 50 or more staff, or if turnover and balance sheet total both exceed EUR 10 million.
Germany codifies it unambiguously, if you want it in black and white. BSIG §28(2) Nr. 3 requires "einen Jahresumsatz und eine Jahresbilanzsumme von jeweils über 10 Millionen Euro" - annual turnover and annual balance sheet total each above EUR 10 million. Both. Not either.
The publishable consequence: a 30-person SaaS with EUR 15 million ARR but a small balance sheet is out. That surprises people, and it is the kind of thing worth establishing before you commission a gap analysis. The counterweight is aggregation - partner and linked enterprise rules still apply, so VC ownership can push a startup over a threshold its own numbers are nowhere near. Run the calculation properly, in both directions.
If you are in scope
Nothing on this page is an argument that NIS2 is soft. If the Directive reaches you, this is what it asks - and the governance and reporting duties are where the exposure actually is.
Art 20 - governance, and personal liability
Management bodies must approve the Art 21 measures, oversee their implementation, and can be held liable. Art 20(2) requires training for the management body. Employee training is only encouraged - the employee-training duty is widely overstated in the market.
Art 21(2) - ten minimum measures, all-hazards
Risk analysis and infosec policies; incident handling; business continuity, backup, disaster recovery and crisis management; supply chain security; security in acquisition, development and maintenance including vulnerability handling; policies to assess effectiveness; cyber hygiene and training; cryptography and encryption; HR security, access control and asset management; MFA or continuous authentication, secured voice, video and text, and secured emergency communications.
Art 23(4) - the reporting clock, running from awareness
Early warning within 24 hours. Incident notification within 72 hours. An intermediate report on request. A final report no later than one month after the 72-hour notification. Art 23(3) makes an incident significant where it causes severe operational disruption or financial loss, or considerable material or non-material damage to others.
Art 23(1) - the sentence worth knowing before you hesitate
"The mere act of notification shall not subject the notifying entity to increased liability." Verbatim. Reporting is not an admission, and the Directive says so on its face.
Art 34 - fines, calculated at group level
Essential entities: a maximum of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities: EUR 7 million or 1.4%, whichever is higher. Turnover is that of the undertaking to which the entity belongs, so a subsidiary is measured against its group.
Art 35 - ne bis in idem, which people forget they have
Where a GDPR supervisory authority has already imposed a fine under Art 58(2)(i) for the same conduct, the NIS2 authority shall not also impose an Art 34 fine. Non-financial measures remain available to it.
Transposition
Cyprus: Law N. 60(I)/2025, in force 25 April 2025. The competent authority and single point of contact is the Digital Security Authority, incorporating CSIRT-CY.
Malta: L.N. 71 of 2025, giving S.L. 460.41, with all provisions commenced on 23 January 2026. The competent authority and SPOC is the CIP Department, with the MCA for digital infrastructure and digital providers, and the national CSIRT sitting in MITA. The MDIA is not a competent authority, whatever you have read elsewhere.
A trap that has misled a lot of people. The European Commission's own NIS2 transposition tracker reads "Last updated: 1 July 2025", and its Malta page still says "Not yet transposed". It is stale, and it is contradicted by primary Maltese law that commenced in January 2026. Do not cite it, and treat an adviser who does with some care.
The wider picture: the transposition deadline was 17 October 2024. As of 8 July 2026, only Spain, France, Ireland and the Netherlands had not notified full transposition, and on that date the Commission referred all four to the CJEU, with a lump sum and daily penalties requested. Keep "notified to the Commission" and "in force nationally" apart in your head. They are different facts, they move at different speeds, and the gap between them is exactly where the Malta error lives.
Does ISO 27001 help?
Start with the Directive itself. NIS2 contains zero occurrences of "27001" and zero of "presumption of conformity". No EU-level instrument grants ISO 27001 any legal presumption at all.
Art 24 does not do what vendors say it does. It is permissive - Member States "may require" - and it concerns ICT products, services and processes certified under European schemes adopted pursuant to Art 49 of Regulation (EU) 2019/881. Not an entity's management system. ISO 27001 is outside its ambit entirely, and the only Art 49 scheme adopted to date is EUCC.
There is genuine mapping work, and it is useful. ENISA's Technical Implementation Guidance v1.0, June 2025, maps NIS2 measures to ISO/IEC 27001:2022, 27002:2022, NIST CSF v2.0, ETSI EN 319 401 and CEN/TS 18026:2024. Three caveats travel with it, and they usually do not survive the retelling. The mapping ships as a separate Excel, v1.2, not in the main PDF. It is non-binding on its own terms: "This document is not legally binding and is only of an advisory character." And it covers only the entities in scope of IR 2024/2690 - DNS, TLD registries, cloud, data centres, CDNs, MSPs, MSSPs, marketplaces, search, social and trust services - not energy, health, transport, banking, water or manufacturing.
The mapping "should not be interpreted as a measure of equivalency".
A real presumption exists in exactly two Member States. Belgium: the Law of 26 April 2024, Art 42, presumes entities undergoing periodic conformity assessment to comply, until proven otherwise, with the obligations referred to in Article 30 - and the Royal Decree of 9 June 2024, Art 5 §1, names "la norme NBN EN ISO/IEC 27001". Read the precision: it covers Article 30 only, the security measures. Not incident notification, not registration, not governance. Portugal: Regulamento n.º 756/2026, in force 23 June 2026, where Art 27(1) creates a presunção de cumprimento and Art 27(3)(b) names ISO/IEC 27001. Art 27(7) requires CNCS to publish an equivalence matrix, and we have not verified that it has been published - so we will not present the Portuguese route as turnkey.
Everywhere else the official position is the opposite, and the authorities are not subtle about it. Germany, France, Finland, Denmark and Ireland all publish official mappings while explicitly denying any presumption. BSI answers the question with a flat "Nein. Eine Zertifizierung nach ISO/IEC 27001 bedeutet nicht automatisch, dass ein Unternehmen NIS-2-konform ist". ANSSI says certification "ne saurait, en tant que telle, lui permettre de bénéficier d'une présomption de conformité".
So the honest position. ISO 27001 is the fastest route to the evidence Art 21 wants, and if you are in scope we would recommend it on those grounds alone. It is not a defence, and outside Belgium and Portugal nobody in authority says it is.
Building the evidence base anyway? See ISO 27001 readiness - it answers Art 21 faster than a bespoke NIS2 programme will.
What Kellwick delivers
The product is the analysis, not the remediation. We would rather tell you that you are out and lose the programme than sell you a year of work the Directive never asked for.
The scope determination itself, in one to two days
Are you an entity type listed in Annex I or Annex II? That is the question, and it is answerable. Most engagements that start here end here, with a documented negative you can hand to a buyer or a board.
The size calculation, done properly
The financial limb is conjunctive, and getting it wrong in your favour is as common as getting it wrong against you. We run the Recommendation 2003/361/EC test including partner and linked aggregation, which is where VC ownership quietly changes the answer.
The Art 6(30) argument for your SaaS, written down
Not a verdict we invent. A reasoned position on whether your service is on-demand, scalable and elastic, and shareable, built against the operative words and against how your supervising Member State actually reads them. Defensible either way, because the honest answer is that this is unsettled.
The financial-entity analysis, with the right mechanism
Whether you are one of the three listed types, whether you operate an MTF or OTF, whether the Art 4 displacement engages at all, and whether you are a small and non-interconnected investment firm entitled to DORA's lighter Art 16 framework.
Your ISO 27001 position against your Member State's law
A presumption of conformity exists in exactly two Member States, and in one of them it covers only the security measures. We tell you which regime you are actually under rather than selling you a mapping as though it were a defence.
If you are in scope, the Art 21 and Art 23 build
The ten measures, the reporting chain that runs on a 24 and 72 hour clock from awareness, and the Art 20 governance duties that put your management body's name on the approval. Sequenced by exposure.
NIS2 scope self-check
Answer honestly. This is an indicative signal, not a formal determination - but it will tell you quickly whether you have a scope question or a compliance programme. Only one of those is expensive, and most companies have the first while paying for the second.
Financial entity? Start with DORA readiness - it is likely the regime you are actually in.
NIS2 questions, answered
No - and almost certainly not for the reason you have been given. The answer you will hear everywhere is "DORA displaces NIS2 for financial entities under Article 4". That reaches the right conclusion through the wrong mechanism, and the difference matters because the wrong mechanism will mislead you the moment your facts change. Here is the actual analysis. Art 2(1) catches you only if you are an entity of a type referred to in Annex I or Annex II. NIS2 lists exactly three financial entity types: credit institutions (CRR Art 4(1)), operators of trading venues (MiFID II Art 4(24)) and central counterparties (EMIR Art 2(1)). Investment firms are not on that list. A Cyprus Investment Firm doing FX brokerage that is not a credit institution and does not operate an MTF or OTF is therefore outside NIS2 at Art 2(1). It is not of a listed type, so Art 4 lex specialis is never reached - the question is moot before it is asked. What does apply is DORA, directly, as an investment firm under DORA Art 2(1)(e), since 17 January 2025, supervised by CySEC. Two things change the answer, so check both. If you do operate an MTF or OTF, you are an Annex I sector 4 entity, and then Art 4 genuinely engages and displaces NIS2 Chapters IV and VII. And if you qualify as a small and non-interconnected investment firm, DORA Arts 5-15 do not apply to you at all - you get the Art 16 simplified ICT risk management framework instead, which is materially lighter and easy to miss.
Not as a gambling operator - but that is not the end of the analysis, and the second half is the part that catches people. Gambling appears in neither Annex I nor Annex II. Nothing in the Directive names gambling, betting, casinos or lotteries as a sector. Nor did Malta add it: the claim "Malta brought gambling into NIS2" is circulating widely and it is false. L.N. 71 of 2025 runs to 148 bilingual pages and its consolidated Schedules reproduce the EU Annexes with no added sector. The MGA appears exactly once in the whole instrument, at art 15A(1)(f), where it is given a seat on the National Cyber Security Steering Committee. A committee seat is not a competent-authority designation and it creates no obligations for licensees. Italy did extend its national annexes under D.Lgs. 138/2024, but not to gambling either. Member States can extend, under the Art 5 minimum harmonisation clause, so this is a question to re-ask per jurisdiction rather than settle once. Now the part that matters to you. "Not a listed sector" is not the same as "no operator in scope". You are caught if you independently qualify as a listed entity type - if you run cloud services, a data centre, or act as an MSP or MSSP - or if you are individually designated under Art 2(2)(b) to (e). Large operators frequently do run infrastructure that qualifies. The gambling licence is not the hook; your entity type might be. That self-assessment is still worth doing.
This is the genuinely contested one, and the honest answer requires splitting the question in two. Conflating the halves is what causes most of the bad advice in circulation. First half: is SaaS a cloud service model? Settled yes. Recital 33 says so directly - "The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS)", with the terms taking their ISO/IEC 17788:2014 meaning. Second half: does your particular SaaS satisfy the operative test in Art 6(30)? Genuinely unsettled. There is no EU classification test, no case law construing Art 6(30) at all, and ENISA's guidance does not address it. Regulators openly contradict each other on identical words. Germany's BSI treats SaaS as generally in, and says not operating the underlying resources yourself does not preclude the classification. Belgium reads the definitions broadest of all. Denmark says it is not automatic, that there is not yet settled practice, and that a service built on third-party cloud elements cannot automatically be considered a cloud computing service. Germany and Denmark are in direct conflict on the same fact pattern. The Netherlands, Ireland and Austria decline to resolve it. Do not over-read the ambiguity either. Most real B2B SaaS is multi-tenant, elastic and self-serve, and satisfies Art 6(30) on its own terms. The arguable cases are single-tenant, fixed-capacity or manually provisioned. And note what a recital is: it lists service models, it does not deem anything. The operative words are "on-demand administration", "scalable and elastic" and "shareable" - that last one implying multi-tenancy. One diagnostic for the advice you are reading: if it cites Implementing Regulation 2024/2690 for cloud or SaaS scope, it is citing a document that is silent on the subject. The recital people mean is NIS2 Recital 33. And before any of this decides anything, check your size - cloud is not on the size-blind list, so for most SaaS the size threshold settles the question before the definition ever gets a turn.
No, and only two Member States give your certificate any legal weight at all. Start with the Directive: NIS2 contains zero occurrences of "27001" and zero of "presumption of conformity". No EU-level instrument grants ISO 27001 any presumption. Art 24 is not the exception people cite it as - it is permissive ("Member States may require"), and it concerns ICT products, services and processes certified under European schemes adopted pursuant to Art 49 of Regulation (EU) 2019/881. Not an entity's ISMS. ISO 27001 is outside its ambit entirely, and the only Art 49 scheme adopted to date is EUCC. There is real, useful mapping work: ENISA's Technical Implementation Guidance v1.0 of June 2025 maps NIS2 measures to ISO/IEC 27001:2022, 27002:2022, NIST CSF v2.0, ETSI EN 319 401 and CEN/TS 18026:2024. Three caveats travel with it. The mapping ships as a separate Excel, v1.2, not in the main PDF. It is non-binding by its own terms: "This document is not legally binding and is only of an advisory character." And it covers only the entities in scope of IR 2024/2690 - DNS, TLD registries, cloud, data centres, CDNs, MSPs, MSSPs, marketplaces, search, social and trust services - not energy, health, transport, banking, water or manufacturing. ENISA's own disclaimer is the most useful sentence available on this: the mapping "should not be interpreted as a measure of equivalency". A real presumption exists in exactly two Member States. Belgium: the Law of 26 April 2024, Art 42, presumes entities undergoing periodic conformity assessment to comply, until proven otherwise, with the obligations in Article 30 - and the Royal Decree of 9 June 2024, Art 5 §1, names ISO/IEC 27001 specifically. Read the precision there: it covers Article 30 only, the security measures. Not incident notification, not registration, not governance. Portugal: Regulamento n.º 756/2026, in force 23 June 2026, Art 27(1) creates a presunção de cumprimento and Art 27(3)(b) names ISO/IEC 27001. Art 27(7) requires CNCS to publish an equivalence matrix, and we have not verified that it has been published, so we will not present the Portuguese route as turnkey. Everywhere else, the official position is the opposite. Germany, France, Finland, Denmark and Ireland all publish mappings while explicitly denying any presumption. BSI: "Nein. Eine Zertifizierung nach ISO/IEC 27001 bedeutet nicht automatisch, dass ein Unternehmen NIS-2-konform ist." ANSSI says certification cannot, as such, allow an entity to benefit from a presumption of conformity. So: ISO 27001 is the fastest route to the evidence Art 21 wants, and we would still recommend it. It is not a defence, and outside Belgium and Portugal nobody in authority says it is.
Both have. Cyprus: Law N. 60(I)/2025, in force 25 April 2025. The competent authority and single point of contact is the Digital Security Authority, which incorporates CSIRT-CY. Malta: L.N. 71 of 2025, giving S.L. 460.41, with all provisions commenced on 23 January 2026. The competent authority and SPOC is the CIP Department, with the MCA for digital infrastructure and digital providers, and the national CSIRT sitting in MITA. The MDIA is not a competent authority, whatever you have read. One trap worth naming, because it has misled a lot of people. The European Commission's own transposition tracker reads "Last updated: 1 July 2025" and its Malta page still says "Not yet transposed". It is stale, and it is contradicted by primary Maltese law. Do not cite it, and be careful with anyone who does. More broadly: the transposition deadline was 17 October 2024. As of 8 July 2026, only Spain, France, Ireland and the Netherlands had not notified full transposition, and on that date the Commission referred all four to the CJEU with lump sum and daily penalties requested. Keep "notified to the Commission" and "in force nationally" apart in your head - they are different facts, they move at different speeds, and the gap between them is exactly where the Malta error lives.
It is right about the outcome for some entities and wrong about the route for most of the ones being told it. The Art 4 mechanism is real. Art 4(1) says that where a sector-specific act imposes at-least-equivalent requirements, "the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply". DORA is the only act the Commission has recognised as equivalent - Commission Communication 2023/C 328/02 of 18 September 2023 lists it as the sole entry in its Appendix, anchored in DORA Art 1(2), DORA Recital 16 (which calls DORA lex specialis) and NIS2 Recital 28. What that displaces is NIS2 Chapter IV (Arts 20-25) and Chapter VII (Arts 31-37), so the Art 20 governance and liability duties go, and the Art 34 fines go with them. Two things usually get lost. First, the retained provisions: Art 9 on national cyber crisis management frameworks and Art 16 on EU-CyCLONe continue to apply to entities in DORA's scope. Displacement is not disappearance. Second, and more important: Art 4 only does anything for an entity that NIS2 reaches in the first place. If your entity type is not in Annex I or II, Art 2(1) has already answered the question and Art 4 is irrelevant. For a plain investment firm that is exactly the position. Getting this right is not pedantry - it tells you what happens when you acquire an MTF, and it tells you which regime you were actually never in. There is also a genuine trap at Art 2(10): entities that a Member State has exempted from DORA under DORA Art 2(4) fall outside both regimes.
Scoped on a short call. It is a one to two day piece of work in most cases, because the question is narrow even when the answer is not obvious: are you an entity type listed in Annex I or Annex II, do you clear the size threshold, and which Member State's transposition are you actually under. Often the answer is no, and that is a perfectly good outcome to pay for - a documented negative you can hand to a buyer, a board or an insurer is worth considerably more than a remediation programme you never needed.
A scope determination against Art 2(1): your entity type read against Annex I and II, the size calculation run properly including aggregation, and the transposition you are actually under. One to two days. Often the answer is no, and that is worth having in writing.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome. NIS2 is a directive: obligations arise under national transposing law, which differs by Member State, and supervision is performed by national competent authorities. A scope determination is an advisory opinion, not a ruling by an authority. Kellwick provides advisory and management-system support, not legal advice.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.