NIS2 Directive Article 6 glossary of cybersecurity definitions

NIS2 Glossary: 41 Article 6 Definitions Translated Into Plain English (With Compliance Implications)

Article 6 of the NIS2 Directive (EU 2022/2555) contains 41 definitions — the precise legal vocabulary that determines scope, obligations, and penalties across the EU’s cybersecurity framework. Most compliance teams know six of them. The gap between knowing the terms and understanding their compliance implications is where regulatory risk accumulates.

This glossary covers all 41 Article 6 definitions in plain English, alongside the institutional terms defined elsewhere in the directive — Essential entity, CSIRT, Competent authority, NIS Cooperation Group, CyCLONe — that compliance officers encounter most in practice. Each entry presents the directive’s language, a plain-English translation, and the compliance implication that makes the definition operationally significant.

NIS2 cross-references several other EU regulations — the Cybersecurity Act (Regulation 2019/881), the European Electronic Communications Code (Directive 2018/1972), and eIDAS (Regulation 910/2014). Where a definition defers to another regulation, this glossary notes the source and provides the substance. For background on the directive itself, see What Is the NIS2 Directive?

How to Use This Glossary

Terms are grouped thematically rather than alphabetically. Compliance teams encounter these definitions in clusters — incident terms together, entity terms together — and grouping them aids understanding and speeds up lookup during actual compliance work. Each entry follows a consistent format: the directive text, a plain-English translation, and the specific compliance implication.

Article 6 does not define every term used in the directive. Essential entity, Important entity, Competent authority, CSIRT, NIS Cooperation Group, and CyCLONe appear later in the directive and are included here because they are the most operationally significant terms in any compliance programme. For the complete directive text with article cross-references, see How to Find the NIS2 Full Text on EUR-Lex.

Core System and Security Terms

The following definitions establish the foundational vocabulary for the entire directive. These terms appear in Articles 21, 23, and 24 — the core compliance obligations — and misunderstanding them at the definitional level produces misaligned security programmes. A security assessment that protects only confidentiality, for example, misses the directive’s explicit inclusion of availability and authenticity as equally protected properties.

Network and information system (Article 6, definition 1)

Directive text: An electronic communications network, or any device or group of interconnected devices that automatically process digital data, or digital data stored, processed, retrieved, or transmitted for their operation, use, protection, and maintenance.

Plain English: Any internet-connected computer, server, router, or network. If it stores or transmits data, it is a “network and information system” for NIS2 purposes — covering IT infrastructure (servers, laptops, cloud services) and OT infrastructure (industrial control systems, SCADA, PLCs).

Compliance implication: The breadth of this definition means most digital infrastructure within a covered entity falls under Article 21’s security measures, not just corporate IT. Operational technology environments require separate assessment.

Security of network and information systems (Article 6, definition 2)

Directive text: The ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the services offered via those systems.

Plain English: Four properties your security programme must protect: availability (systems stay online), authenticity (communications are genuine), integrity (data is not tampered with), and confidentiality (data is not exposed). This is the directive’s definition of what good security means — not just preventing data leaks.

Compliance implication: Article 21(2) security measures must demonstrably protect all four properties. A programme focused only on confidentiality — the most common default — is insufficient under the directive. See NIS2 Requirements: The 10 Cybersecurity Risk Management Measures for how each Article 21 measure maps to these properties.

Cybersecurity (Article 6, definition 3)

Directive text: As defined in Article 2(1) of Regulation (EU) 2019/881 (the Cybersecurity Act): activities, resources, and policies used to protect network and information systems, their users, and affected persons from cyber threats.

Compliance implication: NIS2 adopts the Cybersecurity Act’s definition, keeping the two frameworks aligned. ENISA guidance documents — which compliance authorities reference during audits — use the same definition as their baseline.

Vulnerability (Article 6, definition 15)

Directive text: A weakness, susceptibility, or flaw of ICT products or ICT services that can be exploited by a cyber threat.

Plain English: Any exploitable gap in software, hardware, firmware, or services — an unpatched server, an insecure API endpoint, a misconfigured firewall rule. The definition covers both known CVEs and zero-day conditions before public disclosure.

Compliance implication: Article 21(2)(e) mandates vulnerability management as one of the ten core security measures. Article 7(2)(f) requires national authorities to establish coordinated vulnerability disclosure policies. ENISA maintains the European Vulnerability Database under Article 12 — entities should monitor it for product vulnerabilities affecting their systems.

ICT product / ICT service / ICT process (Article 6, definitions 12–14)

These three definitions cross-reference Regulation (EU) 2019/881. An ICT product is an element or group of elements of a network or information system. An ICT service involves transmitting, storing, retrieving, or processing information. An ICT process covers design, development, or delivery activities for ICT products and services.

Compliance implication: Supply chain security obligations under Article 21(2)(d) extend across all three — covering hardware vendors, software vendors, and development service providers. The Commission’s Implementing Regulation CIR 2024/2690 defines specific security requirements for ICT service providers in Annex I categories.

Standard / Technical specification (Article 6, definitions 16–17)

Both cross-reference Regulation (EU) No 1025/2012. A standard is a technical specification adopted by a recognised standardisation body (ISO, ETSI, CEN). A technical specification prescribes requirements without requiring formal standardisation body approval.

Compliance implication: Entities can demonstrate compliance with Article 21 by applying harmonised standards. The most widely accepted is ISO/IEC 27001:2022 — ENISA guidance maps NIS2 requirements to its controls. Diverging from recognised standards without documented justification creates audit exposure.

Incident and Risk Terminology

Incident-related definitions directly trigger the directive’s most time-sensitive obligations: Article 23’s 24/72-hour reporting timeline and Article 14(4)’s duty to notify service recipients about significant cyber threats. The boundary between a reportable incident and a handled near-miss is not a matter of interpretation — it is a definitional test that determines whether your organisation is in breach of a deadline.

Incident (Article 6, definition 6)

Directive text: An event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or of the services offered by, or accessible via, network and information systems.

Plain English: Any disruptive event affecting your systems or data — ransomware, accidental misconfiguration causing a service outage, a data breach. The definition is broad; the practical narrowing filter is “significant incident,” assessed under Article 23’s criteria.

Compliance implication: Not all incidents require reporting. Article 23 applies a significance test based on service disruption severity, number of affected users, and geographic spread. Your incident log should capture every incident; your classification procedure determines which trigger the 24/72-hour Article 23 notification obligations.

Near-miss (Article 6, definition 5)

Directive text: An event that could have compromised the availability, authenticity, integrity, or confidentiality of data or services but was successfully prevented from materialising or did not materialise.

Plain English: A close call with no actual compromise — a phishing email caught before anyone clicked, an attack blocked by your firewall before penetration, a software vulnerability patched before exploitation.

Compliance implication: Near-misses are not subject to mandatory reporting under Article 23. However, they must feed into your risk register and trigger a procedural review — competent authorities auditing your security programme treat near-miss handling as evidence of proactive risk management capability.

Incident handling (Article 6, definition 8)

Directive text: Any actions and procedures aiming to prevent, detect, analyse, and contain, or to respond to and recover from, an incident.

Plain English: The full lifecycle of your incident response programme — from detection and containment through forensic analysis, remediation, and service restoration.

Compliance implication: Article 21(2)(b) mandates incident handling as one of the ten core security measures. Procedures must be documented, tested, and assigned to named roles. Competent authorities routinely request evidence of tested incident handling capability — tabletop exercises and simulation reports are the standard proof.

Large-scale cybersecurity incident (Article 6, definition 7)

Directive text: An incident causing a level of disruption that exceeds a Member State’s capacity to respond, or affecting at least two Member States.

Plain English: A national or cross-border cyber event — ransomware simultaneously hitting multiple EU healthcare systems, a supply chain compromise affecting thousands of organisations, or infrastructure attacks requiring coordinated multi-state response.

Compliance implication: Most organisations will never trigger this definition. Cloud providers, critical infrastructure operators, and major digital service providers should understand it: a large-scale incident activates CyCLONe and intensified cross-border regulatory coordination. The political visibility is significantly higher than a standard Article 23 notification.

Risk (Article 6, definition 9)

Directive text: The potential for loss or disruption caused by an incident, expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.

Plain English: Risk = magnitude × likelihood. The directive adopts the ISO 31000 formulation — your risk assessment methodology must produce quantified or semi-quantified outputs on both axes to meet the proportionality requirement.

Compliance implication: Every Article 21 security measure must be proportionate to the documented risk. That proportionality calculation starts with a documented risk assessment — the output of which justifies the level of investment in each control. Without a documented assessment, you cannot demonstrate proportionality to a competent authority during an audit.

Cyber threat (Article 6, definition 10)

Directive text: As defined in Article 2(8) of Regulation (EU) 2019/881: any potential circumstance, event, or action that could damage, disrupt, or otherwise adversely impact network and information systems, the users of such systems, and other persons.

Plain English: Any attack vector — state-sponsored intrusion, ransomware, insider threats, DDoS attacks, supply chain poisoning. The definition covers potential threats, not only confirmed attacks.

Compliance implication: Article 26 enables voluntary threat information sharing between entities and with national CSIRTs. Article 29 requires Member States to encourage entities to use threat intelligence. Participating in sector-specific ISACs (Information Sharing and Analysis Centres) satisfies this expectation in most Member States.

Significant cyber threat (Article 6, definition 11)

Directive text: A cyber threat which, based on its characteristics, can reasonably be assumed to have the potential for severe impact on network and information systems by causing considerable material or non-material damage.

Compliance implication: Article 14(4) requires entities to notify recipients of their services about significant cyber threats without undue delay and to advise them on protective measures. This notification obligation triggers before an incident occurs — it is a proactive warning duty, not a post-incident reporting obligation. It applies when a credible, severe threat is identified, regardless of whether it materialises.

Entity Classifications Under NIS2

NIS2 creates a two-tier entity framework. Article 3 defines Essential and Important entities by sector and size. Article 6 defines the types of organisations that populate those tiers. Your classification determines your supervision regime, reporting obligations, and maximum penalty exposure.

Essential entity (Article 3(1), Annex I)

Scope: An entity operating in a highly critical sector (Annex I — energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space), meeting the large enterprise threshold (250+ employees or over €50M turnover / €43M balance sheet), or designated as essential by a Member State regardless of size.

Plain English: The highest-obligation category. Certain entities qualify as Essential regardless of size: DNS root operators, TLD registries, certain trust service providers, and any entity a Member State designates as critical based on its societal or economic impact.

Compliance implication: Essential entities face proactive supervision — regular audits without a prior incident triggering them — personal liability for management bodies under Article 20, and penalties up to €10 million or 2% of total worldwide annual turnover. See Who Must Comply with NIS2? for the full sector-and-size determination framework.

Important entity (Article 3(2), Annex II)

Scope: An entity operating in a critical sector (Annex II — postal and courier services, waste management, manufacture of critical products, chemicals, food, manufacturing, digital providers, research organisations) meeting the medium enterprise threshold (50+ employees or over €10M turnover), and not qualifying as essential.

Plain English: A wider net with a lighter supervision touch. Maximum penalties are capped at €7 million or 1.4% of global annual turnover.

Compliance implication: The same Article 21 technical security measures apply to both entity types. The enforcement difference: Important entities trigger reactive supervision only after a reported incident, rather than proactive audit cycles. The practical risk for Important entities is that the first audit happens after something goes wrong.

Entity (Article 6, definition 38)

A natural or legal person created and recognised as such under the national law of its place of establishment, including companies, associations, partnerships, and other organisations with or without legal personality.

Compliance implication: The definition is broader than “company” — partnerships, associations, and sole traders operating services in Annex I or II sectors can be in-scope entities. Non-corporate organisational forms are not automatically excluded.

Managed service provider (Article 6, definition 39)

An entity providing services related to the installation, management, operation, or maintenance of ICT products, networks, infrastructure, applications, or end-user equipment.

Plain English: IT outsourcing firms, cloud-managed service providers, hosting providers, network operations companies.

Compliance implication: MSPs are directly in scope under Annex II as Important entities — regardless of the sectors their clients operate in. An MSP serving a mix of industries qualifies based on what it does, not who it serves. This is one of the most commonly missed NIS2 scope triggers for IT service businesses.

Managed security service provider — MSSP (Article 6, definition 40)

A managed service provider carrying out cybersecurity risk management activities, such as outsourced SOC operations, SIEM management, penetration testing, and security programme management.

Compliance implication: MSSPs are one of the few entity sub-categories explicitly named in the directive text. That specificity reflects the EU’s concern about security supply chain concentration: a compromised MSSP can simultaneously expose hundreds of client organisations. MSSPs should treat their own Article 21 compliance as a client-facing assurance requirement, not only an internal obligation.

Representative (Article 6, definition 34)

A natural or legal person established in the EU explicitly designated to act on behalf of DNS service providers, TLD registries, cloud providers, CDN operators, and managed service providers not established in the EU.

Compliance implication: Non-EU entities offering services within the EU must appoint a Representative in the Member State where their largest EU user base is located. UK-based cloud providers, US-based CDN operators, and non-EU MSPs serving EU clients are a frequent source of compliance gaps on this requirement.

Research organisation (Article 6, definition 41)

An entity whose primary goal is applied research or experimental development for commercial exploitation. Educational institutions — universities — are explicitly excluded from this definition.

Compliance implication: Commercial R&D centres, biotech research entities, and private research institutes may qualify under Annex I or II depending on their sector. Academic institutions conducting research are out of NIS2 entity scope, but commercialisation arms of universities may warrant separate assessment.

Public administration entity (Article 6, definition 35)

An entity recognised as such in a Member State, established to serve the general interest, with legal personality and financed or supervised by public authorities.

Compliance implication: Central government entities are mandatory in scope under Annex I. Local government is at Member State discretion — several Member States (Germany, France, Austria) have extended scope to regional and municipal authorities in their national transposition laws. Verify against your jurisdiction’s implementing legislation.

Governance Bodies and Competent Authorities

Five institutional bodies structure NIS2 enforcement and coordination. Your organisation will interact with at least two of them — your national Competent authority and your national CSIRT — from the moment a significant incident occurs. Knowing what each body can demand from you, and on what timeline, is foundational to compliance planning.

Competent authority (Article 8)

Each Member State must designate one or more competent authorities responsible for NIS2 supervision and enforcement. For entities with establishments in multiple Member States, the lead competent authority is the authority in the country where the entity’s main establishment is located.

Plain English: The national regulator that can audit, investigate, and fine you. Examples: BSI (Germany), NCSC-NL (Netherlands), ANSSI (France), CSIRT-IE (Ireland), CERT.be (Belgium). For cross-border entities, the lead authority coordinates with other Member State authorities but holds primary enforcement jurisdiction.

Compliance implication: Know your lead competent authority and register with it if your national transposition requires registration. Supervision timetables, audit formats, and communication protocols vary significantly by Member State. Contact details for all designated competent authorities are published on the ENISA website.

CSIRT — Computer Security Incident Response Team (Articles 9–10)

NIS2 requires each Member State to designate at least one national CSIRT with defined technical capabilities: 24/7 monitoring, incident analysis, early warning publication, coordinated vulnerability disclosure support, and cross-border coordination. National CSIRTs form the EU-wide CSIRTs Network under Article 15, with ENISA providing secretariat services.

Plain English: The national cyber incident response team — your primary contact point for Article 23 notifications and the body that provides technical analysis and assistance during significant incidents.

Compliance implication: Article 23 requires notification of significant incidents to your national CSIRT (or to the competent authority where it holds that function) within 24 hours of becoming aware the incident may be significant (early warning), and a full notification with assessment within 72 hours. The 24-hour clock starts at awareness, not at confirmation — waiting until an incident is fully confirmed before reporting is a breach of the early warning obligation.
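The incident/near-miss split from definitions 5 and 6 above and the awareness-based 24/72-hour clock described here, as an added Python illustration (not code from the directive, ENISA or any competent authority): EventRecord, its field names and the status strings are this example's own assumptions, and the significance assessment is left to the caller because the Article 23 criteria are applied by each entity under its national transposition.

```python
"""Incident-register helper built around NIS2 Article 6 definitions 5 (near-miss)
and 6 (incident), definition 2 (the four protected properties) and the Article 23
24/72-hour timeline. Added illustration; EventRecord, its fields and the status
strings are assumed names, and the significance test is supplied by the caller.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Article 6, definition 2: the four properties a security programme must protect.
PROPERTIES = frozenset({"availability", "authenticity", "integrity", "confidentiality"})

EARLY_WARNING = timedelta(hours=24)      # Article 23 early warning
FULL_NOTIFICATION = timedelta(hours=72)  # Article 23 incident notification


@dataclass(frozen=True)
class EventRecord:
    """One entry in the entity's incident log (constructed data model)."""
    description: str
    threatened: FrozenSet[str]          # properties the event could have compromised
    materialised: bool                  # did a compromise actually occur?
    aware_at: datetime                  # when the entity became aware it may be significant
    confirmed_at: Optional[datetime] = None
    significant: bool = False           # result of the entity's Article 23 significance test


def classify(event: EventRecord) -> str:
    """Apply definitions 5 and 6: every logged event is an incident, a near-miss,
    or out of scope (no protected property was ever at stake)."""
    unknown = event.threatened - PROPERTIES
    if unknown:
        raise ValueError(f"not an Article 6(2) property: {sorted(unknown)}")
    if not event.threatened:
        return "out of scope"
    return "incident" if event.materialised else "near-miss"


def article23_deadlines(event: EventRecord) -> Optional[Dict[str, datetime]]:
    """Deadlines for a significant incident, or None when Article 23 does not
    apply (a near-miss, or an incident the entity assessed as not significant)."""
    if classify(event) != "incident" or not event.significant:
        return None
    # Both clocks run from awareness, never from the later confirmation time.
    return {
        "early_warning_due": event.aware_at + EARLY_WARNING,
        "full_notification_due": event.aware_at + FULL_NOTIFICATION,
    }


def early_warning_status(event: EventRecord, sent_at: datetime) -> str:
    """Was an early warning sent at `sent_at` inside the 24-hour window?"""
    deadlines = article23_deadlines(event)
    if deadlines is None:
        return "no Article 23 obligation"
    return "on time" if sent_at <= deadlines["early_warning_due"] else "late"


def register_summary(events: List[EventRecord]) -> Dict[str, int]:
    """Count how the log splits: everything is recorded, only some is reportable."""
    summary = {"incident": 0, "near-miss": 0, "out of scope": 0, "reportable": 0}
    for event in events:
        summary[classify(event)] += 1
        if article23_deadlines(event) is not None:
            summary["reportable"] += 1
    return summary


# Constructed sample entries (not real events).
UTC = timezone.utc
RANSOMWARE = EventRecord(
    description="ransomware encrypted the billing cluster",
    threatened=frozenset({"availability", "integrity"}),
    materialised=True,
    aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),       # first credible alert
    confirmed_at=datetime(2025, 3, 4, 14, 0, tzinfo=UTC),  # forensics confirmed scope
    significant=True,
)
PHISHING_BLOCKED = EventRecord(
    description="credential-phishing mail quarantined before delivery",
    threatened=frozenset({"confidentiality"}),
    materialised=False,
    aware_at=datetime(2025, 3, 3, 11, 30, tzinfo=UTC),
)
MINOR_OUTAGE = EventRecord(
    description="five-minute outage of an internal test portal",
    threatened=frozenset({"availability"}),
    materialised=True,
    aware_at=datetime(2025, 3, 5, 8, 0, tzinfo=UTC),
    significant=False,  # an incident, logged, but below the significance test
)

if __name__ == "__main__":
    for event in (RANSOMWARE, PHISHING_BLOCKED, MINOR_OUTAGE):
        print(f"{event.description}: {classify(event)}, deadlines={article23_deadlines(event)}")
    # Waiting for confirmation before warning the CSIRT breaches the 24-hour window.
    print("warning sent at confirmation:",
          early_warning_status(RANSOMWARE, RANSOMWARE.confirmed_at))
    print(register_summary([RANSOMWARE, PHISHING_BLOCKED, MINOR_OUTAGE]))
```

The ransomware entry shows the failure mode in the text: a warning sent when forensics confirmed the incident (29.5 hours after the first credible alert) is late, because the clock started at awareness.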

NIS Cooperation Group (Article 14)

A strategic EU body composed of representatives from Member State competent authorities, the European Commission, and ENISA. It sets policy direction for NIS2 implementation, adopts technical guidelines and methodologies, conducts peer-learning exercises, and facilitates coordination across Member States.

Plain English: The EU’s NIS2 governance forum. Guidelines produced by the Cooperation Group represent authoritative interpretations of the directive’s requirements — particularly for sector-specific implementation and acceptable security baselines.

Compliance implication: Cooperation Group guidance documents directly inform what competent authorities expect in audits. Its work on Article 21 security measures, coordinated vulnerability disclosure, and supply chain security provides the clearest available framework for organisations building compliance programmes without sector-specific ENISA guidance.

ENISA — European Union Agency for Cybersecurity

ENISA (established by Regulation 2019/881, the EU Cybersecurity Act) supports NIS2 implementation through technical guidance, threat landscape reporting, capacity building, and secretariat services for both the CSIRTs Network and CyCLONe.

Plain English: The EU’s cybersecurity knowledge hub. ENISA guidance documents — on sector-specific security requirements, cloud security, supply chain risk — are the starting point for most technical compliance decisions and the reference point for competent authority auditors.

Compliance implication: ENISA guidance is not legally binding, but competent authorities routinely reference it as the benchmark for what “appropriate and proportionate” measures under Article 21 means in practice. Departing from ENISA recommendations without documented justification creates audit exposure — especially where ENISA has published sector-specific technical guidelines under Article 19.

CyCLONe — Cyber Crisis Liaison Organisation Network (Article 16)

Established by NIS2 to link national cyber crisis management authorities across Member States, with ENISA providing secretariat services. CyCLONe is activated for large-scale cybersecurity incidents crossing national borders or exceeding a single Member State’s response capacity.

Plain English: The EU’s crisis management layer above the CSIRTs Network — activated when a cyber incident affects multiple countries simultaneously or reaches a scale requiring political-level coordination across Member States.

Compliance implication: Most entities will interact with CyCLONe only indirectly, through their national CSIRT’s escalation procedures. Cloud providers, major digital infrastructure operators, and critical utilities operating across multiple EU Member States should understand CyCLONe activation criteria — a large-scale incident involving their services triggers cross-border coordination and significantly heightened regulatory and political visibility.

Digital Infrastructure and Service Providers

Article 6 definitions 18–37 cover the specific service types explicitly named in NIS2’s scope annexes. If your organisation provides any of the following services, these definitions determine your entity classification and therefore your supervision regime.

Internet exchange point (Article 6, definition 18)

A network facility that enables interconnection of more than two independent networks (autonomous systems) for the purpose of routing internet traffic between them.

Compliance implication: IXPs are in scope under Annex I as essential entities providing critical digital infrastructure. Their role in internet routing makes them high-priority supervision targets.

Domain Name System — DNS (Article 6, definition 19)

Directive text: A hierarchical distributed naming system that enables identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources.

Plain English: The internet’s address book — translating domain names (example.com) into IP addresses. DNS infrastructure is among the most critical services for overall internet availability.

DNS service provider (Article 6, definition 20)

An entity providing publicly available recursive domain name resolution services or authoritative domain name resolution services to internet users.

Compliance implication: DNS providers are in Annex I scope as essential entities. This includes hosting providers operating recursive resolvers for third-party clients — a frequently overlooked NIS2 scope trigger for web hosting companies. If your platform resolves DNS queries for customer domains, assess whether you qualify as a DNS service provider.

Top-level domain (TLD) name registry (Article 6, definition 21)

An entity delegated a specific TLD (.com, .de, .eu, etc.) and responsible for its administration, including domain name registration and technical operations.

Compliance implication: Country-code TLD registries are among the most critical digital infrastructure entities under Annex I. A security failure at a national TLD registry affects the accessibility of every domain in that namespace.

Cloud computing service (Article 6, definition 30)

Directive text: A digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources.

Plain English: IaaS (compute and storage), PaaS (development platforms), and SaaS (application services). The “on-demand” and “elastic” language tracks the NIST SP 800-145 cloud definition.

Compliance implication: Cloud computing service providers are in Annex II scope as important entities — or Annex I if designated by a Member State as critical. Non-EU cloud providers must appoint a Representative in the EU Member State where their largest EU user base is located.

Data centre service (Article 6, definition 31)

Structures or groups of structures dedicated to the centralised accommodation, interconnection, and operation of IT and network equipment, providing storage, processing, and networking services.

Compliance implication: Colocation data centre operators are in Annex II scope. Enterprise-operated data centres serving only internal IT needs are generally not in scope as “providers” of data centre services.

Content delivery network — CDN (Article 6, definition 32)

Directive text: A network of geographically distributed servers ensuring high availability, accessibility, or fast delivery of digital content and services to internet users on behalf of content providers.

Compliance implication: CDN providers are in Annex II scope. Non-EU CDN operators serving EU traffic must appoint a Representative. The breadth of this definition captures major global CDN operators regardless of their EU establishment status.

Social networking services platform (Article 6, definition 33)

A platform enabling end-users to connect, share, discover, and communicate with each other across multiple devices — via chats, posts, videos, and recommendations.

Compliance implication: Major social platforms are in Annex II scope. NIS2 security obligations apply alongside the Digital Services Act (DSA) — where requirements from both regimes apply, the stricter standard governs.

Trust service / Trust service provider (Article 6, definitions 24–27)

These four definitions cross-reference eIDAS (Regulation 910/2014). Trust services include electronic signatures, seals, timestamps, registered electronic delivery, and website authentication. Trust service providers issue the relevant certificates; qualified trust service providers appear on EU Trusted Lists and operate under the highest security standards.

Compliance implication: Trust service providers are in Annex I scope as essential entities. Qualified trust service providers face both NIS2 and eIDAS security requirements — where the two regimes apply, the stricter standard governs. The consequence of a qualified TSP failure extends beyond a single organisation to every relying party in that provider’s certificate chain.

Online marketplace / Online search engine (Article 6, definitions 28–29)

Online marketplaces cross-reference Directive 2005/29/EC; search engines cross-reference Regulation (EU) 2019/1150. Both are in Annex II scope as digital providers.

Compliance implication: Size thresholds apply — marketplaces and search engines with fewer than 50 employees and under €10M turnover fall below the Annex II threshold. Verify against actual headcount and revenue before assuming in-scope status.

Managed service provider / Managed security service provider

See definitions 39 and 40 in the Entity Classifications section above.

Electronic communications service / Electronic communications network (Article 6, definitions 36–37)

Both cross-reference Directive (EU) 2018/1972 (the European Electronic Communications Code). Networks include copper, fibre, wireless, and satellite infrastructure; services include voice calls, broadband, and messaging services.

Compliance implication: Telecoms operators are among the highest-criticality essential entities under Annex I. The EECC already imposed security obligations on telecoms; NIS2 aligns and extends these — where both apply, compliance teams should assess the combined obligation set rather than treating them as separate programmes.

Key Takeaways for Compliance Officers

Definitions interlock — trace them forward. Magnitude × likelihood = risk, the basis of the proportionality calculation for every Article 21 measure. Incident = the trigger for Article 23 reporting. Vulnerability = the subject of Article 21(2)(e) vulnerability management and Article 7 coordinated disclosure. Starting with definitions and tracing their forward obligations is more efficient than starting with the obligations and working backward.

Article 6 is not the whole picture. Essential entity, Important entity, Competent authority, CSIRT, NIS Cooperation Group, and CyCLONe are defined elsewhere in the directive. A compliance programme built only on Article 6 misses the institutional architecture — who supervises you, on what frequency, with what enforcement powers.

Cross-regulation alignment is intentional. NIS2 deliberately defers to the Cybersecurity Act, eIDAS, and the EECC rather than duplicating definitions. This creates a unified EU cybersecurity compliance vocabulary. The same definition of “ICT product” applies across EU cybersecurity law — which means an ISO 27001 control set, properly mapped, can serve multiple regulatory requirements simultaneously.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

1. NIS 2 Directive, Article 6: Definitions — nis-2-directive.com (verbatim directive text)
2. Article 6, Definitions — NIS2 Directive (EU) 2022/2555 — nis2resources.eu
3. EUR-Lex — Directive (EU) 2022/2555 of the European Parliament and of the Council: https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng (canonical primary source for all article cross-references)
4. NIS Directive 2 — ENISA (institutional context for CyCLONe, CSIRTs Network, Cooperation Group)
