NIS2 (Network and Information Security Directive 2 - Directive (EU) 2022/2555) is the EU directive on the security of network and information systems. The deadline for its transposition into national law expired on 17 October 2024 - in Poland it is being implemented through an amendment to the Act on the National Cybersecurity System (legislative process ongoing). If you run an energy, banking or manufacturing company, or you are a digital service provider, NIS2 most likely covers you. What does it mean for ITSM? Art. 21 NIS2 lists cybersecurity risk management measures - from access control through change management to the obligation to report significant incidents. In this article I show how ManageEngine ServiceDesk Plus supports these requirements, plus a practical checklist for IT managers.
Which companies does NIS2 cover?
Essential entities - sectors of highest importance:
- Power plants and electricity grids
- Railways and public transport
- Banks and financial institutions
- Hospitals and healthcare services (critical systems)
- Water and wastewater supply
- Gas production and distribution facilities
Important entities - other sectors covered by the directive:
- Factories and manufacturing (outside the above categories)
- Postal and courier services
- Waste management
- Digital service providers (cloud, hosting, DNS, SSL certificates)
- Public marketplaces
Scope: NIS2 as a rule applies to medium and large entities (from around 50 employees or a corresponding turnover threshold) operating in the listed sectors. Some types of entities - DNS providers, domain registries, public communications network providers - may be covered regardless of size. The final scope and any exclusions follow from the national implementing act, so the status of your company is best verified individually.
NIS2 Art. 21 - 10 security requirements for IT
Every entity covered by NIS2 MUST implement these 10 requirements:
| # | Requirement | Practical description |
|---|---|---|
| 1 | Threat Management | Identify, catalog and monitor IT threats. CVSS scoring process, vulnerability tracking. |
| 2 | Access Control | MFA (multi-factor authentication), role segregation (RBAC), principle of least privilege. Audit trail for every login. |
| 3 | Asset Management | Catalog of all IT systems, hardware, software. Lifecycle tracking, business value. |
| 4 | Change Management | Every IT change (patch, update, configuration) must be logged, approved, tested. CAB (Change Advisory Board). |
| 5 | Supply Chain Security | Security control over third-party suppliers: cloud providers, SaaS, integrations. SLAs with security clauses. |
| 6 | Incident Management | Incident response plan, escalation, communication, documentation. Reporting to authorities within 72h for serious incidents. |
| 7 | Backups and Disaster Recovery | Daily backups, offline copy, DR plan with RTO/RPO. DR testing every 6-12 months. |
| 8 | Security Training | Annual training for all employees (phishing, social engineering, passwords). Attendance documentation. |
| 9 | Penetration Testing | At least once a year: penetration testing, vulnerability scanning, red team exercise. Results report. |
| 10 | Audit Logging | All security events logged: logins, changes, incidents. Audit trail kept at least 12 months. |
How ITSM helps you meet NIS2
A modern ITSM system (like ManageEngine ServiceDesk Plus) is the foundation of NIS2 compliance:
- Incident Management - every security incident is logged with timestamp, escalation and status.
- Change Management - every change (patch, update) is tracked: who, when, what changed, whether testing was performed, whether approval was obtained.
- Asset Management - catalog of every system: servers, laptops, software, licenses, vendor, version, vulnerabilities.
- Audit Trail - ITSM logs all actions: logins, changes, IT actions, communication. That is evidence for a NIS2 auditor.
- Reporting - ITSM generates reports: number of incidents per month, mean time to resolve, number of changes approved, whether SLAs were met.
Without ITSM you are at risk for NIS2 compliance - you have no proof you manage incidents, changes and assets. A detailed checklist for the IT department is in a separate article: NIS2 - IT manager checklist.
The 72h incident reporting obligation - how ITSM makes reporting easier
Art. 23 NIS2: a NIS2-covered entity MUST report a "significant incident" (for example ransomware or a data breach) to the competent security authorities within 72 hours of detection.
What does "detection" mean? The moment the IT team discovered the incident (not when it started, but when they noticed it). That is why an ITSM with accurate timestamping is critical: you must be able to state "incident detected 2024-05-15 08:30, reported to authorities 2024-05-16 14:00" and prove that you reported roughly 30 hours after detection, well inside the 72-hour window.
ManageEngine ServiceDesk Plus automatically logs report time and every incident status change. You can generate a report from time of opening to time of notifying authorities - that is compliance documentation. To strengthen security further, also see our article on ManageEngine CVE and vulnerability management.
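To show how the detection-to-notification check plays out over an exported audit trail, here is an added Python example; it is not part of the article and not ServiceDesk Plus code, and the export format, event names and incident ids are constructed assumptions.

```python
# Check the 72-hour NIS2 notification window over an ITSM audit-trail export.
# The export format (incident id, ISO 8601 timestamp, event) is constructed for
# this article and is not ServiceDesk Plus's real export schema.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # notification deadline as stated in the article

# Constructed audit-trail lines. The clock starts at the *detection* event,
# not at the first sign of compromise and not at ticket creation.
AUDIT_TRAIL = """\
INC-1001,2024-05-15T08:30:00+02:00,detected
INC-1001,2024-05-15T08:45:00+02:00,escalated
INC-1001,2024-05-16T14:00:00+02:00,authority_notified
INC-1002,2024-05-10T22:10:00+02:00,detected
INC-1002,2024-05-14T09:00:00+02:00,authority_notified
INC-1003,2024-05-20T07:00:00+02:00,detected
"""

def parse_trail(text):
    """Group events per incident as (timestamp, event) pairs, all tz-aware."""
    events = {}
    for line in text.splitlines():
        inc, ts, event = line.split(",")
        stamp = datetime.fromisoformat(ts)
        if stamp.tzinfo is None:  # naive timestamps make the 72h arithmetic ambiguous
            raise ValueError(f"{inc}: timestamp {ts!r} has no UTC offset")
        events.setdefault(inc, []).append((stamp, event))
    return events

def reporting_status(events, now):
    """Return {incident: (hours from detection to notification or None, verdict)}."""
    result = {}
    for inc, evs in events.items():
        detected = [t for t, e in evs if e == "detected"]
        notified = [t for t, e in evs if e == "authority_notified"]
        if not detected:  # without a detection event the 72h clock cannot be evidenced
            result[inc] = (None, "no_detection_event")
            continue
        deadline = min(detected) + WINDOW
        if notified:
            elapsed = min(notified) - min(detected)
            verdict = "reported_in_time" if elapsed <= WINDOW else "reported_late"
            result[inc] = (elapsed.total_seconds() / 3600, verdict)
        else:
            result[inc] = (None, "open_overdue" if now > deadline else "open")
    return result

def check_export(text, now_iso):
    """Wrapper taking the export text and an ISO 8601 'now' that carries a UTC offset."""
    return reporting_status(parse_trail(text), datetime.fromisoformat(now_iso))
```

Run against a real export, the "reported_late" and "open_overdue" verdicts are the incidents an auditor will ask about first.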
NIS2 × ManageEngine ServiceDesk Plus checklist
Below is a practical implementation list:
- Install ManageEngine ServiceDesk Plus Professional/Enterprise (Incident, Change and Asset Management modules required)
- Configure Incident Management: categories (security, confidentiality, availability), priorities, SLAs for serious incidents (max 72h to report to authorities)
- Enable Change Management: every change requires a request, testing, CAB approval, audit trail
- Configure Asset Management: import all IT systems (servers, laptops, software, licenses)
- Audit Trail: make sure ITSM logs all actions (minimum 12 months of history)
- ITSM backup: the ManageEngine server must be backed up daily, offline copy weekly. DR plan with RTO max 4 hours
- MFA: enable Multi-Factor Authentication for all ITSM users
- RBAC: set roles - IT Manager, Incident Manager, Change Manager, Auditor. Access segregation.
- Reporting: generate a monthly report - number of incidents, number of changes, audit trail excerpt, compliance check
- Training: annual training for the IT team on ITSM, incident response, NIS2 compliance
FAQ - NIS2 and ITSM compliance
Which companies does NIS2 cover?
NIS2 splits addressees into two groups: 1) Essential entities - energy, transport, banking, healthcare, water, digital infrastructure. 2) Important entities - manufacturing, postal services, waste management, digital service providers. The directive applies as a rule to medium and large entities in those sectors, though some types are covered regardless of size. The final scope and dates follow from the national implementing act - check your company's status individually.
NIS2 Art. 21 - what are the 10 IT requirements?
Art. 21 NIS2 requires: 1) IT threat management. 2) Access control (MFA, role segregation). 3) Asset management. 4) Change management. 5) Third-party supply chain security. 6) Security incident management (incident response plan). 7) Backups and disaster recovery. 8) Security training for employees. 9) Security testing (penetration testing, vulnerability scanning). 10) Security event monitoring and logging (audit trail).
The 72h incident reporting obligation - what does it mean?
A NIS2-covered company MUST report a security incident (ransomware, data breach) to the security authorities within 72 hours of detection. If the incident involves GDPR personal data, you also have to report it to the Polish DPA. Without an ITSM with an audit trail you are lost - you do not know exactly when the incident started. ManageEngine ServiceDesk Plus automatically logs report time, escalation and notification - that is evidence for the auditor.
Does ManageEngine ServiceDesk Plus meet NIS2?
Yes, ManageEngine ServiceDesk Plus Professional/Enterprise meets most Art. 21 requirements: 1) Incident Management, 2) Audit trail, 3) Access control (RBAC, MFA), 4) Change Management with CAB, 5) Problem Management (root cause analysis), 6) Reporting to authorities (incident tracking, timestamps). Also required: SDP backup, disaster recovery plan, penetration testing. ManageEngine alone does not satisfy everything but is a foundation for compliance.