What is the primary objective of NIS2?

The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats. NIS2 (Directive (EU) 2022/2555) expands beyond the original NIS Directive, imposing obligations on essential entities (e.g., 250+ employees, €50M+ turnover, €43M+ balance sheet) and important entities (e.g., 50+ employees, €10M+ turnover, €10M+ balance sheet) in sectors like energy, transport, health, digital infrastructure, postal services, waste management, and public administration. It mandates risk management, supply chain security, business continuity, and strict incident reporting to national CSIRTs.

Who is legally or professionally required to comply with NIS2?

NIS2 applies to all medium and large entities in specified sectors classified as 'essential' or 'important' entities within the EU. Essential entities typically have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet; important entities have 50+ employees, €10M+ turnover, or €10M+ balance sheet—though criticality can override size if an entity is a sole provider of vital services. Covered sectors include energy (electricity, oil, gas, district heating, hydrogen), transport, banking, health, manufacturing, digital providers (cloud computing, online marketplaces), postal/courier, waste management, food production, and public administration. EU member states transposed by October 17, 2024, with effects from October 18.

Does NIS2 require an external audit or third-party certification?

NIS2 does not mandate external audits or third-party certification but empowers national authorities for supervision, including live spot checks and demands for real-time evidence of compliance. Oversight by designated authorities and CSIRTs focuses on continuous assurance via dynamic risk registers, asset inventories (OT/IT), and verifiable controls rather than periodic certifications. Entities must register with central authorities, providing details like name, contacts, sector, and operating states; variations exist by member state.

How often should an assessment for NIS2 be performed?

NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with quarterly updates to risk registers and asset inventories recommended for compliance. Entities must maintain proactive risk management under an "all-hazards" approach, including supply chain reviews, vulnerability mitigation, and closed-loop improvements. This supports real-time evidence for spot checks, shifting from static annual reviews to dynamic practices ensuring operational resilience.

What are the consequences of non-compliance with NIS2?

Non-compliance with NIS2 incurs fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities, plus potential business suspension and senior management liability. National authorities enforce via tiered penalties, spot checks, and remedial orders; senior executives face direct accountability for risk oversight failures.

An NIS2 be mapped to other international frameworks?

Yes, EU member states incorporate standards like ISO 27001, NIST CSF, and ENISA guidelines into national NIS2 frameworks to support compliance mapping. This alignment aids entities in leveraging existing controls for risk management, incident response, and supply chain security, though national variations apply.

What is the first step to begin implementing NIS2?

The first step for NIS2 implementation is to determine applicability by assessing entity size, sector, and criticality against EU thresholds, then register with national authorities. Conduct a gap analysis of current risk management, establish governance with board accountability, and develop incident reporting procedures (24-hour early warning, 72-hour notification, 1-month final report) tailored to member state requirements.

What is the primary objective of AS9100?

AS9100's primary objective is to establish a quality management system (QMS) for aviation, space, and defense organizations that ensures product safety, configuration integrity, and supply chain reliability. Developed by the IAQG, AS9100D (2016) builds on ISO 9001:2015's 10-clause structure, adding over 100 aerospace-specific requirements in Clause 8, including operational risk management (8.1.1), configuration management (8.1.2), product safety (8.1.3), and counterfeit parts prevention (8.1.4). It mandates process-based controls, risk-based thinking across enterprise (Clause 6.1) and operational levels, and continual improvement to prevent quality escapes in high-consequence environments.

Who is legally or professionally required to comply with AS9100?

AS9100 applies to organizations designing, developing, manufacturing, or servicing aviation, space, and defense products and services. It targets manufacturers of parts, materials suppliers, design centers, and quality support organizations in ASD supply chains; AS9110 covers MRO, AS9120 distributors. While voluntary, major OEMs and primes contractually require certification for supplier qualification, with visibility via IAQG's OASIS database. Scope (Clause 4.3) must justify non-applicabilities without compromising conformity, extending controls to suppliers and subcontractors.

Does AS9100 require an external audit or third-party certification?

Yes, AS9100 requires third-party certification through accredited bodies via a two-stage audit process. Stage 1 assesses documentation and readiness; Stage 2 verifies implementation and effectiveness using AS9101 guidance. Certification is maintained with annual surveillance audits and recertification every three years. Nonconformities demand corrective actions within 60–90 days, with evidence of process effectiveness via interviews, observations, and records.

How often should an assessment for AS9100 be performed?

AS9100 requires internal audits at planned intervals per a risk-based program (Clause 9.2), plus annual surveillance audits and recertification every three years post-certification. Management reviews (Clause 9.3) occur periodically, evaluating performance, risks, and improvements. Ongoing monitoring via KPIs ensures continual conformity.

What are the consequences of non-compliance with AS9100?

Non-compliance with AS9100 risks certification suspension, contract loss, and supply chain exclusion via OASIS delisting. Audits yield nonconformities requiring root-cause analysis (considering human factors); unresolved majors prevent certification. Operationally, it leads to quality escapes, product safety events, OEM penalties, and market disqualification, as primes mandate certification.

An AS9100 be mapped to other international frameworks?

Yes, AS9100D aligns with ISO 9001:2015's Annex SL structure, enabling mapping to integrated management systems. Its 10-clause PDCA framework (Clauses 4–10) supports compatibility without naming specifics, leveraging shared risk-based thinking, leadership, and performance evaluation for streamlined audits and governance.

What is the first step to begin implementing AS9100?

The first step is conducting a gap analysis against AS9100D clauses to assess current QMS maturity. Define scope (Clause 4.3), map processes, identify gaps in aerospace additions (e.g., Clause 8 controls), and prioritize via risk register, involving cross-functional teams for a remediation roadmap.

Standards Comparison

NIS2 vs AS9100

NIS2

Mandatory

2022

EU directive for cybersecurity resilience in critical sectors

AS9100

Mandatory

2016

International standard for aerospace quality management systems.

Quick Verdict

NIS2 mandates cybersecurity resilience for EU critical infrastructure operators, enforcing strict incident reporting and risk management to prevent disruptions. AS9100 certifies quality systems for aerospace firms, ensuring product safety and traceability. Organizations adopt NIS2 for regulatory compliance, AS9100 for market access.

Cybersecurity

NIS2

Directive (EU) 2022/2555 (NIS2 Directive)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Expands scope to medium/large entities across 18 sectors
Mandates 24-hour early warning incident reporting
Imposes direct senior management accountability
Levies fines up to 2% global annual turnover
Requires continuous supply chain risk management

Quality Management

AS9100

AS9100D: Quality Management Systems Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Configuration management for product integrity
Product safety processes across lifecycle
Counterfeit parts prevention controls
Operational risk management in Clause 8
Enhanced supplier and supply chain controls

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

The NIS2 Directive (Directive (EU) 2022/2555) is an EU regulation replacing the 2016 NIS Directive. It establishes a high common level of cybersecurity across member states, targeting essential and important entities in expanded sectors like energy, transport, health, and digital services. NIS2 uses a risk-based approach with size-cap rules for medium/large organizations.

Key Components

**Risk managementContinuous assessments, supply chain security, access controls, encryption.
**Incident reportingEarly warning (24 hours), detailed report (72 hours), final report (1 month).
**Corporate accountabilitySenior management direct responsibility.
**Business continuityResilience plans and recovery procedures. Enforced by national authorities; no formal certification but strict compliance checks and fines up to 2% global turnover.

Why Organizations Use It

Mandatory for covered entities to avoid severe penalties, enhance cyber resilience, ensure service continuity, and foster stakeholder trust. It drives strategic risk reduction, regulatory alignment, and competitive edge in cybersecurity posture.

Implementation Overview

Assess scope by size/sector, implement measures, register with CSIRTs. Tailor to national laws post-October 2024 transposition. Involves gap analysis, training, audits; 12-18 months typical for most organizations.

AS9100 Details

What It Is

AS9100D (AS9100:2016) is the international quality management system (QMS) standard for aviation, space, and defense organizations. It builds on ISO 9001:2015 with over 100 aerospace-specific additions, using a risk-based, process-oriented approach to ensure product safety and supply chain integrity.

Key Components

10-clause Annex SL structure covering context, leadership, planning, support, operation, evaluation, and improvement.
Aerospace additions: configuration management (8.1.2), product safety (8.1.3), counterfeit parts prevention (8.1.4), operational risk management, human factors, and enhanced supplier controls.
Built on PDCA cycle; requires certification via accredited third-party audits (Stage 1/2, surveillance).

Why Organizations Use It

Meets OEM/contractual mandates for market access via OASIS database.
Reduces defects, improves delivery, lowers costs; mitigates safety risks in high-consequence industries.
Builds stakeholder trust, enhances competitiveness through traceability and continual improvement.

Implementation Overview

Phased: gap analysis, process design, training, internal audits, certification (6-18 months).
Applies to designers, manufacturers, MROs globally; suits all sizes with scaled rigor.

Key Differences

Aspect	NIS2	AS9100
Scope	Cybersecurity risk management, incident reporting, supply chain security	Quality management, product safety, configuration, counterfeit prevention
Industry	Essential/important entities in EU critical sectors (energy, transport, etc.)	Aviation, space, defense organizations worldwide
Nature	Mandatory EU regulation with national transposition	Voluntary certification standard based on ISO 9001
Testing	Incident reporting to CSIRTs, national authority supervision	Third-party Stage 1/2 audits, annual surveillance, recertification
Penalties	Fines up to 2% global turnover or €10M for essential entities	Loss of certification, no direct legal fines

Scope

NIS2

Cybersecurity risk management, incident reporting, supply chain security

AS9100

Quality management, product safety, configuration, counterfeit prevention

Industry

NIS2

Essential/important entities in EU critical sectors (energy, transport, etc.)

AS9100

Aviation, space, defense organizations worldwide

Nature

NIS2

Mandatory EU regulation with national transposition

AS9100

Voluntary certification standard based on ISO 9001

Testing

NIS2

Incident reporting to CSIRTs, national authority supervision

AS9100

Third-party Stage 1/2 audits, annual surveillance, recertification

Penalties

NIS2

Fines up to 2% global turnover or €10M for essential entities

AS9100

Loss of certification, no direct legal fines

Frequently Asked Questions

Common questions about NIS2 and AS9100

NIS2 FAQ

AS9100 FAQ

You Might also be Interested in These Articles...

HITRUST CSF MyCSF Platform Mastery: Infograph of Evidence Tagging Workflows and Top 5 Maturity Tier Acceleration Takeaways

Master MyCSF platform with infographics on evidence tagging for 1,400+ HITRUST controls across 19 domains. Cut documentation by 30%, boost Measured/Managed tier

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Discover why maturity assessments beat binary compliance checks by uncovering hidden gaps and enabling continuous improvement for sustainable success. Read now!

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how NIS2 and AS9100 compare against other standards

Other NIS2 Comparisons

Other AS9100 Comparisons

Quick Verdict

What It Is

Key Components

**Risk managementContinuous assessments, supply chain security, access controls, encryption.

**Incident reportingEarly warning (24 hours), detailed report (72 hours), final report (1 month).

**Corporate accountabilitySenior management direct responsibility.

**Business continuityResilience plans and recovery procedures. Enforced by national authorities; no formal certification but strict compliance checks and fines up to 2% global turnover.

What It Is

Key Components

10-clause Annex SL structure covering context, leadership, planning, support, operation, evaluation, and improvement.

Aerospace additions: configuration management (8.1.2), product safety (8.1.3), counterfeit parts prevention (8.1.4), operational risk management, human factors, and enhanced supplier controls.

Built on PDCA cycle; requires certification via accredited third-party audits (Stage 1/2, surveillance).

Aspect

NIS2

AS9100

Scope

Cybersecurity risk management, incident reporting, supply chain security

Quality management, product safety, configuration, counterfeit prevention

Industry

Essential/important entities in EU critical sectors (energy, transport, etc.)

Aviation, space, defense organizations worldwide

Nature

Mandatory EU regulation with national transposition

Voluntary certification standard based on ISO 9001

Testing

Incident reporting to CSIRTs, national authority supervision

Third-party Stage 1/2 audits, annual surveillance, recertification

Penalties

Fines up to 2% global turnover or €10M for essential entities

Loss of certification, no direct legal fines