NIS2 Directive interview questions for compliance, GRC, and CISO roles — scope, obligations, incident reporting, board accountability.
What is NIS2 and how does it differ from NIS1?
NIS2 expanded sectoral scope (now 18 sectors split into 'Essential' and 'Important'), removed the operator-of-essential-services / digital-service-provider distinction, introduced 24-hour early warning + 72-hour update + 1-month final report, made management bodies personally accountable, added supply chain risk obligations, harmonised fines up to €10M or 2% global turnover.
How do you determine if an entity is in NIS2 scope?
Two-step: (1) sectoral test — does the entity operate in an Annex I (Essential) or Annex II (Important) sector? (2) size test — generally medium/large (≥50 employees AND ≥€10M turnover). Carve-outs exist (e.g. DNS, TLD registries, trust services in scope regardless of size).
Walk me through NIS2 incident reporting timelines.
Early warning to CSIRT/competent authority within 24h. Intermediate notification with assessment within 72h. Final report within 1 month. Also: customer notification 'without undue delay' if affected.
What are NIS2's cybersecurity risk-management measures (Article 21)?
10 minimum measures: risk analysis + IS policies, incident handling, BCM + backups + crisis mgmt, supply chain security, network + IS acquisition/development/maintenance, policies on effectiveness assessment, basic cyber hygiene + training, cryptography policy, HR security + access control + asset mgmt, MFA + secure comms + secure emergency comms.
Who is the 'management body' under NIS2 and what is their personal liability?
Senior management / board. They must approve risk-mgmt measures, oversee implementation, follow training. Member State law determines personal liability (can include fines + temporary management bans for natural persons in some MS implementations).
Compare NIS2 to UK NIS Regulations 2018 (post-Brexit).
UK NIS Regulations 2018 (NIS1-derived) remain in force. UK government consulted on equivalent expansion ('NIS 2.0 UK') with similar sectoral expansion + incident reporting tightening, expected ~2025–26. Not yet enacted in UK at parity with EU NIS2.
How does NIS2 interact with DORA?
DORA (Regulation (EU) 2022/2554) is sector-specific to financial services; takes precedence over NIS2 for FS entities (lex specialis). Other sectors continue under NIS2.
What is NIS2's supply chain security obligation?
Article 21(2)(d) + (3): entities must address security of supply chain incl. cybersecurity-related aspects of relationships with direct suppliers + service providers. Includes attention to specific vulnerabilities of each supplier and overall quality of products + cybersecurity practices.
How would you map an existing ISO 27001 ISMS to NIS2 obligations?
ISO 27001 + Annex A covers ~70–80% of NIS2 Article 21 requirements. Gap analysis: incident reporting workflow (24/72/1-month), supply chain (extends A.5.19–22), board training (extends A.6.3), incident notification to customers + competent authority. Map controls to NIS2 clauses, identify gaps, treat.
What are typical NIS2 enforcement actions?
Administrative fines (Essential: max €10M or 2% global turnover; Important: max €7M or 1.4%), management body temporary bans (Essential), supervisory measures (audits, ad-hoc audits, security scans), compliance orders, public disclosure of non-compliance.
How is the Member State 'competent authority' structured?
Each Member State designates competent authorities + national CSIRTs. Coordination via NIS Cooperation Group + CSIRTs Network + EU-CyCLONe for large-scale crises. ENISA provides EU-level support.
Tell me about a time you implemented a regulatory change at short notice.
Behavioural. Scope, stakeholder coordination, evidence trail, lessons learned.
Not directly post-Brexit, but UK companies with EU subsidiaries / EU service delivery may fall in scope via the EU establishment. UK is preparing its own NIS2-equivalent.
Member States had to transpose by 17 October 2024. Some MS missed the deadline; implementation is still bedding in across the EU.
Implicitly — Article 21 obligations require ownership and the management body must be trained. Many organisations interpret this as a de facto CISO requirement at Essential entities.
Map Article 21's 10 measures to your current controls; gap-analyse incident reporting workflow; document management body governance; review top-10 suppliers; document training cadence.
Run AI-graded mock interviews with panel personas and structured feedback.