NIS2 Directive & Threat Intelligence
The EU's NIS2 Directive (EU 2022/2555) dramatically expanded the scope of EU cybersecurity regulation. Eighteen sectors, two entity classes (Essential and Important), and penalties that can reach €10 million or 2% of global annual turnover. Underpinning it all is Article 21, which expects cybersecurity risk management to be informed by the threat context relevant to the entity.
That single phrase — relevant to the entity — is the bridge between NIS2 and threat intelligence. Generic risk templates no longer count. The directive expects you to demonstrate that your risk picture, your incident handling, and your supply-chain monitoring all reflect the threats your organisation actually faces.
What Article 21 Actually Asks For
Article 21 is the operational core of NIS2. It lists ten sub-controls covering risk analysis, incident handling, business continuity, supply-chain security, vulnerability handling, cryptography, access control, and training. Across nearly all of them, the implicit requirement is the same: use current, relevant threat intelligence to inform your decisions.
In practice, that means three things. First, your risk policies are populated with current threat activity, not last year's catalogue. Second, your incident handling is informed by the actual TTPs of actors targeting your sector. Third, your supply-chain monitoring surfaces vendor compromise early, before the vendor is forced to disclose it.
Key Insight
NIS2 is enforced at the national level, so the supervisory authority and CSIRT differ from country to country. But the requirements are harmonised. If your intelligence evidence is structured, portable, and source-linked, you can submit the same pack to any national authority. STIX-formatted outputs give you that portability for free.
The Article 21 Sub-Controls That Lean on Intelligence
Risk Analysis and Information System Security (21(2)(a))
Risk policies must be informed by realistic, sector-specific threat scenarios. With a live, sector-aware feed, your CISO and GRC team can produce board-level briefings that name the actors and campaigns targeting your industry — turning the risk policy from a compliance artefact into an evidence-based document.
Incident Handling (21(2)(b))
Detection, analysis, containment, and recovery need to be informed by threat context. During an active incident, the difference between an opportunistic attack and a sophisticated APT directly affects your response posture, your communications, and your reporting obligations. A live intelligence feed gives your SOC the actor attribution and TTP mapping it needs to make that call quickly.
Supply Chain Security (21(2)(e))
Annual vendor questionnaires are not enough. The directive expects continuous monitoring of threats to suppliers and third parties. The most cost-effective way to do this is to query darknet and ransomware-leak intelligence against your supplier list — surfacing vendor compromise before the vendor itself is forced to disclose it.
Cyber Hygiene and Training (21(2)(g))
Awareness content should reflect what staff will actually see, not generic phishing examples. Current, sector-specific threat briefings feed directly into training material that staff recognise as relevant to their day-to-day work.
Reporting Obligations (Article 23)
Significant incidents must be reported to the national CSIRT within 24 hours (early warning) and 72 hours (full notification). The hardest part is usually the classification: do you have a real incident, and how significant is it? Threat-actor attribution and TTP correlation are exactly the inputs a SOC needs to make that call fast and confidently.
Common Mistakes
- Treating the 24-hour CSIRT notification as a paperwork task rather than a classification challenge
- Vendor questionnaires that are point-in-time and never revisited, leaving long blind spots between reviews
- Generic threat catalogues that fail to name the actors and campaigns actually relevant to your sector
- Training material that is identical year after year, with no reflection of current threats
Next Steps
For sector-specific framing, see our guide to DORA threat intelligence for financial entities. For a broader compliance picture, see how ISO 27001, NIS2, and DORA overlap.
Ready to get NIS2 compliant? View Threat Landscape pricing or request evaluation access.