NIS2 and AI Systems: The Cybersecurity Overlap Most Compliance Teams Miss

NIS2 — Directive (EU) 2022/2555 — is the major upgrade to EU cybersecurity law that came into force in member states over 2024-2025. It expanded the in-scope perimeter from a few hundred operators of essential services to tens of thousands of "essential" and "important" entities across 18 sectors. The bar for cybersecurity governance, incident reporting, and supply chain security stepped up significantly.

Most of the early NIS2 work focused on traditional IT security: network segmentation, MFA, vulnerability management. AI systems were not on the first-wave radar. They should be on the second wave.

This is the practical overlap between NIS2 obligations and AI agent operations, with the controls that satisfy both regimes at once.

Who is in NIS2 scope

NIS2 covers two categories of entity:

Essential entities in sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, ICT service management.

Important entities in sectors including postal services, waste management, chemicals, food, manufacturing of certain critical products (medical devices, pharmaceuticals, transport equipment, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, search engines, social platforms), research.

Size thresholds apply: generally medium-sized (50+ staff or EUR 10m+ turnover) or large (250+ staff or EUR 50m+ turnover), with some sub-sectors in scope regardless of size. Member states have transposed the directive with national variations; check the specific transposition where you operate.

If you are reading this and you operate in a digitised industry with EU customers, there is a meaningful chance NIS2 applies to you or your customers.

What NIS2 actually requires

The core obligations:

1. Risk management measures including policies on cryptography, supply chain security, incident handling, business continuity, vulnerability handling and disclosure, secure development, cyber hygiene, training, MFA, asset management
2. Governance: management bodies must approve cybersecurity risk-management measures and supervise their implementation; can be held personally liable for non-compliance
3. Incident reporting: significant incidents reported to the national CSIRT within tight timelines (early warning within 24 hours, notification within 72 hours, final report within one month)
4. Information sharing with national authorities and other entities
5. Supply chain security: assess and manage cybersecurity risks in the supply chain, including for direct suppliers and service providers

Fines: up to EUR 10 million or 2% of global turnover for essential entities; EUR 7 million or 1.4% for important entities. Plus the personal liability angle for management.

Where AI agents intersect NIS2

AI agents touch NIS2 in five concrete ways:

1. Agents as part of the security boundary

If you are an in-scope entity, AI agents that process data or take actions on your systems are part of the IT estate NIS2 protects. The risk management measures cover them. Vulnerability handling covers them. Supply chain assessment covers them.

The control implications:

• AI agents inventoried with the same rigour as other IT assets
• AI agent vulnerabilities (prompt injection, model jailbreaks, tool misuse) tracked alongside traditional CVEs
• Access controls applied to AI agents and the tools they invoke
• Encryption in transit and at rest applied to AI agent data flows

2. Agents in the supply chain

NIS2's supply chain provisions require you to assess the cybersecurity risk of suppliers and service providers. If you buy AI capability from a vendor, that vendor is in your supply chain for NIS2 purposes.

The control implications:

• AI vendor due diligence (see the vendor due diligence checklist) extended to cover the cybersecurity-specific NIS2 elements
• Contractual requirements on the AI vendor for incident notification, vulnerability disclosure, and operational security
• Sub-processor chain mapped: your AI platform vendor depends on model providers; those are sub-processors that NIS2 supply chain rules reach through

3. Agents that affect operational resilience

For sectors covered by sector-specific resilience rules (DORA in financial services, the energy sector rules, the healthcare-specific transpositions), AI agents that affect operational continuity are in scope for the resilience obligations on top of NIS2.

The control implications:

• AI agent failure modes assessed for operational continuity impact
• Business continuity plans cover AI agent outage and degraded operation
• Testing of AI agent resilience under stress (volume, latency, model availability)

4. Incidents involving AI agents

When something goes wrong with an AI agent that affects the security of your systems or the integrity of operations, NIS2 incident reporting may apply. A prompt injection that exfiltrates data is a security incident. A model malfunction that corrupts operational data is a security incident. The reporting timelines apply.

The control implications:

• AI-specific incident response runbook with NIS2 reporting triggers documented
• 24-hour early warning capability for significant AI incidents
• Coordination between the AI operations team and the CISO function

5. Information sharing on AI threats

NIS2 envisions information sharing on threats and vulnerabilities between in-scope entities. AI-specific threats (newly discovered jailbreak techniques, model supply chain compromises, prompt injection patterns) fit into this channel.

The control implications:

• Membership in relevant ISAC or sector information-sharing arrangements that cover AI threats
• Process for ingesting and acting on shared AI threat intelligence

Where NIS2 and the EU AI Act overlap

The two regimes are complementary, not duplicative. The overlap zones:

• Audit logs: AI Act Article 12 requires comprehensive AI inference logs; NIS2 requires security event logs. The same audit log infrastructure can satisfy both if designed to do so.
• Incident reporting: AI Act incident reporting (for serious incidents involving high-risk systems) and NIS2 incident reporting overlap when an incident is both a serious AI incident and a significant cybersecurity incident. Coordinate the reporting so you do not file inconsistent narratives to different authorities.
• Risk management: AI Act risk management for high-risk systems and NIS2 risk management for the broader IT estate share methodology and governance structures. One enterprise risk register with AI-specific and cybersecurity-specific entries works better than parallel registers.
• Supply chain: AI vendor due diligence under the AI Act and supplier due diligence under NIS2 use the same documentation. Make it once, use it twice.
• Governance: management body approval of risk-management measures under NIS2, board-level oversight of high-risk AI under the AI Act. Same forum, different agenda items.

What good NIS2-AI integration looks like

The mature pattern in regulated organisations:

• AI agents are part of the same IT asset inventory as other systems
• The AI operations function reports into the CISO for security matters and into a separate AI governance lead for AI-specific risk
• One audit log infrastructure with rich enough content for AI Act, NIS2, and GDPR requirements simultaneously
• Incident response runbooks include AI-specific scenarios and the cross-regulator reporting triggers
• Vendor due diligence is one process with AI-specific, security-specific, and data-protection-specific question sets
• The annual risk assessment covers AI risks in the cybersecurity context, not in a separate workstream

This avoids the trap of three parallel compliance functions (AI Act, NIS2, GDPR) re-doing each other's work, which is the dominant failure pattern in early implementations.

Where to start if you are catching up

Pick the highest-risk AI agent in your estate. Walk it through the NIS2 risk management measures (cryptography, supply chain, incident handling, business continuity, vulnerability handling, secure development, cyber hygiene, training, MFA, asset management) and identify the gaps. Most teams find they have addressed half by accident through their existing security program; the other half are AI-specific work the security team did not know to do.

Close the gaps on that one agent. Use it as the template for the rest of the estate. By the time you have done five agents this way, the pattern is settled and the remaining agents can be assessed and remediated in batches.

NIS2 is here. The AI Act is here. The win is treating them as one coherent compliance posture rather than three separate ones competing for the same engineering hours.