Research NIS2 with trusted AI

Cite the Directive, every Commission regulation, and national transpositions to the article. Scope, incident reporting, management liability, and supply-chain duties in one search.

Essential vs important · Incident reporting · Management liability
Preparing for NIS2 supervisory review?

Built for NIS2 compliance. Ready for the regulator.

€10M or 2%: max fine for essential entities (Article 34)
18 sectors: across Annex I and Annex II
24 hours / 72 hours / 30 days: reporting cascade
Personal liability: management accountable (Article 20)
NIS2 coverage
Directive text · Commission implementing acts · ENISA guidance · National transpositions · CER Directive cross-refs · CRA overlap
How it works

From your documents to a full cyber-risk file

Use eulaw.ai alongside your own documentation to build an audit-ready NIS2 file. Not a replacement for your cybersecurity programme, but a research accelerator underneath it.

1. Upload

Your cyber-risk-management policy, incident playbook, supplier register, or management-accountability matrix, directly into the chat. Documents persist across the whole conversation.

2. Ask

Scope NIS2 applicability across subsidiaries, classify essential or important, map Article 21 controls, or compare transposition across Germany, Netherlands, and France. Cross-referenced to the directive, Commission acts, ENISA guidance, and national law.

3. Export

A citation-backed compliance report with paragraph-level gaps, obligation by obligation, ready for your cyber-risk file, incident-reporting playbook, or board-level liability briefing.

NIS2 Art. 23: what must I report within 24 hours of a significant incident?

Under Article 23 of Directive (EU) 2022/2555 (NIS2), essential and important entities must follow a three-stage incident-reporting cascade:

Reporting cascade

  • Early warning (within 24 hours of awareness): indication of whether the incident is suspected to be caused by unlawful or malicious acts, or could have a cross-border impact
  • Incident notification (within 72 hours): update to the early warning plus an initial assessment of the incident, including its severity and impact
  • Final report (within 1 month of the notification): detailed description, root cause, mitigation, and cross-border impact

"Significant" threshold

Article 23(3): an incident is significant where it has caused or is capable of causing severe operational disruption of the services, financial losses, or considerable material or non-material damage.

Service users

Art. 23(2): entities must, without undue delay, communicate to recipients of their services any significant cyber threat that could affect those recipients.

Trusted by CISOs, DPOs, and in-house counsel across Europe

Essential and important entities across 18 sectors rely on eulaw.ai for NIS2 work where management liability turns compliance from a cost into a personal risk.

"The best AI for any research related to EU law and regulations. It always comes up with the best answer."

"eulaw.ai is the only tool I trust for EU regulation. It has cut our compliance research time by at least 30%."

"eulaw.ai enables us to take on clients from industries and jurisdictions we previously would have had to decline."

"A single fabricated case citation can lead to professional sanctions. eulaw.ai eliminates this risk by anchoring every response in verified legal sources."

Not a generic AI chatbot.
A research tool built for NIS2.

eulaw.ai reads the full NIS2 Directive, every Commission implementing regulation, ENISA guidance, and every member-state transposition in parallel. Every answer traces back to the exact article, in every EU official language, updated as national laws publish. The research assistant CISOs, DPOs, and in-house counsel reach for when management liability makes the answer personal.

Your data never leaves the EU

We built eulaw.ai on sovereign EU infrastructure from day one. Every byte is encrypted in transit and at rest. We run large language models on EU-managed cloud infrastructure. Nothing is sent to public AI APIs, model providers do not receive or store your content, and no customer data is used for training.

Your first NIS2 citation in 30 seconds.

Free trial · no credit card · cancel anytime.