EU NIS2 Directive (2022/2555)

EU mandatory cybersecurity directive for essential and important entities. Effective October 2024. Covers endpoint security, supply chain, incident response, and management accountability.

EU-operating organizations in energy, transport, health, finance, digital infrastructure

14

control domains mapped

32

products applicable

6

other frameworks cross-mapped

Official doc

EU NIS2 Directive (2022/2555)

Art.21(2)(i) Multi-factor or continuous authentication solutions

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

Art.21(2)(e) Security in network and information systems acquisition

Hardened mobile OS with per-app sensor controls, verified boot, and no background telemetry. Satisfies mobile device management and bring-your-own-device security requirements.

Art.21(2)(e) Network and information systems security measures

Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.

Products that satisfy this control:

Art.21(2)(e) Security in acquisition of network and information systems

Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.

Art.21(2)(i) Physical security measures for network and information systems

Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.

Art.21(2)(c) Business continuity, backup management and disaster recovery

UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).

Products that satisfy this control:

Art.21(2)(j) Secured emergency communication systems within the entity

Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.

Products that satisfy this control:

Art.21(2)(i) Physical and environmental security measures

MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.

Products that satisfy this control: