What is the primary objective of **NIS2**?

**The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening risk management, incident reporting, and governance for critical infrastructure and digital services.** It expands on the original NIS Directive to cover broader sectors including energy, transport, health, digital infrastructure like cloud computing, postal services, waste management, and food production, using an "all-hazards" approach to mitigate threats such as supply chain risks and advanced persistent threats.

Who is legally or professionally required to comply with **NIS2**?

**NIS2 applies to all medium-sized and large entities classified as 'essential' or 'important' within specified high-criticality sectors across EU member states.** Essential entities typically have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet; important entities have 50+ employees, €10M+ annual turnover, or €10M+ balance sheet. Criticality of service can override size thresholds if an entity is a sole provider of essential services. Covered sectors include energy (electricity, oil, gas, district heating), transport, manufacturing, public administration, and digital providers like cloud services; transposition into national law occurred by October 17, 2024.

Does **NIS2** require an external audit or third-party certification?

**NIS2 does not mandate external audits or third-party certification but empowers national authorities and CSIRTs to conduct on-demand spot checks and require real-time evidence of compliance.** It shifts from static audits to continuous assurance, demanding auditable records like dynamic risk registers, OT/IT asset inventories, and supply chain oversight. Entities must register with central authorities, providing details such as name, contacts, sector, and operating member states; variations exist by country.

How often should an assessment for **NIS2** be performed?

**NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with quarterly updates to dynamic risk registers and asset inventories recommended for compliance.** Entities must maintain proactive risk management, including regular vulnerability identification, supply chain reviews, staff training recertification, and closed-loop improvements to ensure resilience. Incident response plans and business continuity measures demand real-time evidence, aligning with the directive's model of evidence-based assurance post-October 18, 2024.

What are the consequences of non-compliance with **NIS2**?

**Non-compliance with NIS2 incurs tiered fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities, plus potential business suspension and senior management liability.** National authorities enforce via spot checks, with senior executives directly accountable for cybersecurity failures. Additional remedies include remedial orders and cross-border cooperation among CSIRTs.

An **NIS2** be mapped to other international frameworks?

**Yes, EU member states incorporate standards like ISO 27001, NIST CSF, and ENISA guidelines into national NIS2 frameworks to facilitate mapping and compliance.** Organizations leverage these for risk management, incident handling, supply chain security, and governance, tailoring to NIS2's continuous assurance model while addressing variations in transposition across member states.

What is the first step to begin implementing **NIS2**?

**The first step for NIS2 implementation is to determine applicability by assessing entity size, sector, and operations against the size-cap rule and criticality criteria.** Conduct a gap analysis of current cybersecurity measures against requirements like risk management, incident reporting (24-hour early warning, 72-hour notification, one-month final report), and register with national authorities by required deadlines.

What is the primary objective of **AS9110C**?

**AS9110C's primary objective is to define quality management system requirements for aviation maintenance, repair, and overhaul (MRO) organizations to ensure consistent conformity to customer and regulatory requirements while enhancing safety and continual improvement.** It builds on ISO 9001:2015's high-level structure (Clauses 4-10), embedding aerospace-specific controls for configuration management, counterfeit parts prevention, human factors, traceability, and risk-based thinking (Clauses 6.1, 8.1.1). This supports continuing airworthiness, operational planning (Clause 8), and evidence of QMS effectiveness via documented information, internal audits, and management reviews.

Who is legally or professionally required to comply with **AS9110C**?

**AS9110C applies to MRO organizations performing maintenance on commercial, private, and military aircraft, including repair stations and OEM MRO divisions.** Target entities include independent repair stations, airline maintenance departments, component overhaul facilities, and those seeking IAQG OASIS listing or customer contracts. While not legally mandated, it is often contractually required by OEMs, airlines, and regulators (e.g., FAA/EASA Part 145 alignment), with scope defined per Clause 4 to address regulatory approvals, licenses, and capability lists.

Does **AS9110C** require an external audit or third-party certification?

**Yes, AS9110C requires third-party certification by an accredited registrar following Stage 1 (documentation review) and Stage 2 (on-site effectiveness audit).** Internal audits (Clause 9.2) and a management review with at least three months of operational data are prerequisites. Certification, valid for three years with annual surveillance, demonstrates QMS conformity and enables OASIS listing.

How often should an assessment for **AS9110C** be performed?

**AS9110C requires internal audits at planned intervals based on process risk, with full cycles completed before certification and ongoing thereafter.** Management reviews occur regularly (e.g., annually or per business cycles, Clause 9.3), using performance data, audit results, and nonconformities. Surveillance audits follow annually post-certification, with recertification every three years.

What are the consequences of non-compliance with **AS9110C**?

**Non-compliance with AS9110C risks regulatory sanctions, contract loss, and operational shutdowns.** It can lead to FAA/EASA Part 145 certificate suspension, fines (e.g., $100k/day), litigation from airworthiness failures, and exclusion from OEM/airline bids. Internally, it causes rework, AOG events, and reputational damage without auditable evidence of controls like traceability or counterfeit prevention.

An **AS9110C** be mapped to other international frameworks?

**Yes, AS9110C directly maps to ISO 9001:2015 via its Annex SL high-level structure and shares terminology like documented information and external providers.** Clause-to-clause correlation matrices support integration, leveraging common PDCA and risk-based thinking while retaining MRO-specific additions.

What is the first step to begin implementing **AS9110C**?

**The first step is a formal gap analysis mapping existing processes to AS9110C clauses, including regulatory alignment (e.g., EASA/FAA Part 145).** Secure executive sponsorship, define QMS scope (Clause 4), identify interested parties, and produce a prioritized gap register using IAQG tools like clause checklists and risk worksheets.

NIS2 vs AS9110C

Standards Comparison

NIS2

Mandatory

2022

EU directive for cybersecurity resilience across critical sectors

AS9110C

Mandatory

2016

Aerospace QMS standard for aircraft MRO organizations.

Quick Verdict

NIS2 mandates cybersecurity resilience for EU critical entities via risk management and rapid incident reporting, while AS9110C certifies quality systems for aviation MROs emphasizing traceability and airworthiness. EU firms comply with NIS2 legally; aerospace adopts AS9110C for contracts and safety.

Cybersecurity

NIS2

Network and Information Systems Directive 2 (NIS2)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Expands scope via size-cap rule to medium/large entities
Mandates strict 24-hour early warning incident reporting
Imposes direct senior management accountability for compliance
Levies fines up to 2% global annual turnover
Requires continuous supply chain risk management measures

Quality Management

AS9110C

AS9110C: Quality Management Systems for Aircraft Maintenance

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based thinking embedded in planning and operations
Configuration management and part traceability controls
Counterfeit and suspect parts prevention processes
Human factors integration in competence and audits
Maintenance release and project management requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2, officially Directive (EU) 2022/2555, is an EU regulation strengthening cybersecurity. It expands the original NIS Directive's scope to essential and important entities in 18 sectors like energy, transport, and digital infrastructure. Adopts a risk-based approach emphasizing continuous assurance over static compliance.

Key Components

Four pillars: risk management, incident reporting, business continuity, corporate accountability.
Strict reporting: 24-hour early warning, 72-hour notification, one-month final report.
Leverages standards like ISO 27001 and NIST CSF; focuses on supply chain security, access controls, encryption.
No formal certification but subject to audits and spot checks.

Why Organizations Use It

Ensures legal compliance amid transposition by October 2024, avoiding fines up to 2% global turnover. Enhances resilience against threats like APTs and ransomware, protects critical services, builds stakeholder trust, and drives competitive cyber maturity.

Implementation Overview

Targets medium/large EU entities (50+ employees or €10M turnover). Involves risk assessments, training, reporting procedures, governance changes. Ongoing process with national variations, spot checks by CSIRTs; proactive adoption recommended for resilience.

AS9110C Details

What It Is

AS9110C (AS9110:2016 Rev C) is an international quality management system (QMS) standard for aviation maintenance, repair, and overhaul (MRO) organizations. It builds on ISO 9001:2015 with aerospace-specific requirements for safety-critical maintenance processes. Its primary scope covers aircraft and component MRO, emphasizing risk-based thinking (RBT), configuration control, and continuing airworthiness.

Key Components

10 clauses following ISO High Level Structure (HLS).
Core areas: leadership commitment, operational planning (Clause 8), counterfeit parts prevention, human factors, supplier controls, internal audits, and management reviews.
Built on PDCA cycle and RBT; requires documented evidence of QMS operation.
Certification via accredited registrars with Stage 1/2 audits.

Why Organizations Use It

Meets customer/OEM contract requirements and regulatory alignment (FAA/EASA Part-145).
Mitigates safety risks, reduces rework/AOG events, improves on-time delivery.
Enhances market access via IAQG OASIS listing, builds stakeholder trust.
Drives efficiency (5-12% labor cost reduction) and competitive differentiation.

Implementation Overview

Phased approach: gap analysis, process design, pilot, audits, certification (6-12 months typical).
Applies to MROs of all sizes globally; involves training, eQMS, KPIs.
Requires operational QMS exercise (3+ months data) before certification. (178 words)

Key Differences

Aspect	NIS2	AS9110C
Scope	Cybersecurity risk management, incident reporting for critical sectors	Quality management for aviation maintenance, repair, overhaul
Industry	Essential/important entities in EU sectors like energy, transport	Aerospace MRO organizations worldwide
Nature	Mandatory EU regulation with national transposition	Voluntary certification standard based on ISO 9001
Testing	Incident reporting timelines to CSIRTs, national audits	Internal audits, management reviews, certification audits
Penalties	Fines up to 2% global turnover or €10M	Loss of certification, no direct legal fines

Scope

NIS2

Cybersecurity risk management, incident reporting for critical sectors

AS9110C

Quality management for aviation maintenance, repair, overhaul

Industry

NIS2

Essential/important entities in EU sectors like energy, transport

AS9110C

Aerospace MRO organizations worldwide

Nature

NIS2

Mandatory EU regulation with national transposition

AS9110C

Voluntary certification standard based on ISO 9001

Testing

NIS2

Incident reporting timelines to CSIRTs, national audits

AS9110C

Internal audits, management reviews, certification audits

Penalties

NIS2

Fines up to 2% global turnover or €10M

AS9110C

Loss of certification, no direct legal fines

Frequently Asked Questions

Common questions about NIS2 and AS9110C

NIS2 FAQ

AS9110C FAQ

You Might also be Interested in These Articles...

Practical Implementation Blueprint for Regulation S-K Item 106: Cybersecurity Governance and Risk Management Disclosures in 10-Ks

Step-by-step guide for Item 106 cybersecurity disclosures in 10-Ks: risk management, board oversight, Inline XBRL templates (Dec 2024 compliance). Templates for

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Debunk ISO 27701 2025 standalone certification myths vs ISO 27001. Get a 90-day PIMS launch roadmap, checklists & audit prep to certify faster amid global priva

Breaking Down NIST CSF 2.0 Structure: Core, Tiers, Profiles, and Real-World Application

Master NIST CSF 2.0 structure: Govern + 5 Core functions, Tiers (Partial-Adaptive), Profiles for gaps, and real-world apps. Build effective cyber risk strategie

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

SOC 2 vs ISO/IEC 42001:2023

Compare SOC 2 vs ISO/IEC 42001:2023—data security controls vs AI governance std. Unlock differences, benefits & pick the best for trust & compliance now!

COPPA vs FedRAMP

Compare COPPA vs FedRAMP: Child privacy rules meet federal cloud security. Key diffs, $170M fines, consent methods & baselines. Master compliance now!

OSHA vs FERPA

Unlock OSHA vs FERPA: Compare workplace safety standards with student privacy laws. Essential guide to compliance, key differences, and best practices for educators & execs. Dive in!

NIS2

AS9110C

Quick Verdict

NIS2

Key Features

AS9110C

Key Features

Detailed Analysis

NIS2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

AS9110C Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIS2 FAQ

What is the primary objective of NIS2?

Who is legally or professionally required to comply with NIS2?

Does NIS2 require an external audit or third-party certification?

How often should an assessment for NIS2 be performed?

What are the consequences of non-compliance with NIS2?

An NIS2 be mapped to other international frameworks?

What is the first step to begin implementing NIS2?

AS9110C FAQ

What is the primary objective of AS9110C?

Who is legally or professionally required to comply with AS9110C?

Does AS9110C require an external audit or third-party certification?

How often should an assessment for AS9110C be performed?

What are the consequences of non-compliance with AS9110C?

An AS9110C be mapped to other international frameworks?

What is the first step to begin implementing AS9110C?

You Might also be Interested in These Articles...

Practical Implementation Blueprint for Regulation S-K Item 106: Cybersecurity Governance and Risk Management Disclosures in 10-Ks

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Breaking Down NIST CSF 2.0 Structure: Core, Tiers, Profiles, and Real-World Application

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

SOC 2 vs ISO/IEC 42001:2023

COPPA vs FedRAMP

OSHA vs FERPA