What is the primary objective of **NIS2**?

**The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats.** It expands upon the original NIS Directive, imposing obligations on **essential entities** (e.g., 250+ employees, €50M+ turnover, €43M+ balance sheet) and **important entities** (e.g., 50+ employees, €10M+ turnover, €10M+ balance sheet) in sectors like energy, transport, health, digital infrastructure, postal services, waste management, and food production. NIS2 mandates risk management, incident reporting (24-hour early warning, 72-hour notification, one-month final report to national CSIRTs), supply chain security, business continuity, and senior management accountability to ensure harmonized, proactive cybersecurity.

Who is legally or professionally required to comply with **NIS2**?

**NIS2 legally requires compliance from all medium-sized and large entities in specified high-criticality sectors operating in the EU, classified as 'essential' or 'important' entities.** This includes a **size-cap rule** applying to entities with 50+ employees or €10M+ annual turnover for important entities, and 250+ employees, €50M+ turnover, or €43M+ balance sheet for essential entities; criticality can override size if an entity is a sole provider of vital services. Covered sectors encompass energy (electricity, oil, gas, district heating, hydrogen), transport, banking, health, ICT, manufacturing, digital providers (cloud computing, online marketplaces), public administration, postal/courier, waste management, and food production. EU member states transposed NIS2 by October 17, 2024, with national variations.

Does **NIS2** require an external audit or third-party certification?

**NIS2 does not mandate external audits or third-party certification but empowers national authorities to conduct spot checks and demand real-time evidence of compliance.** Oversight shifts to continuous assurance via live inspections by designated competent authorities and CSIRTs, requiring auditable records of risk management, incident response, supply chain security, and business continuity. Entities must register with central authorities, providing details like name, contacts, sector, and operating member states. While not required, alignment with standards like ISO 27001 supports evidence-based compliance.

How often should an assessment for **NIS2** be performed?

**NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with dynamic updates such as quarterly risk registers and asset inventories.** Entities must maintain proactive risk management under an "all-hazards" approach, including regular vulnerability scans, supply chain reviews, staff training recertification, and closed-loop improvements for OT/IT assets. Incident reporting timelines enforce real-time responsiveness (24-hour early warnings), while national authorities enable spot checks for live verification, transforming compliance into a perpetual discipline post-October 18, 2024.

What are the consequences of non-compliance with **NIS2**?

**Non-compliance with NIS2 results in tiered fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities, plus potential business suspension and senior management liability.** Enforcement by national authorities includes spot checks, remedial orders, and personal accountability for executives overseeing cybersecurity. Failure to report incidents within mandated timelines (24/72 hours/one month) or implement risk measures exacerbates penalties, with measures effective from October 18, 2024, across EU states.

An **NIS2** be mapped to other international frameworks?

**Yes, EU member states incorporate standards like ISO 27001, NIST CSF, and ENISA guidelines into national NIS2 frameworks to facilitate mapping and compliance.** Organizations leverage these for risk management, incident handling, and supply chain security, adapting existing controls to NIS2's continuous assurance model without direct equivalence mandates.

What is the first step to begin implementing **NIS2**?

**The first step to implement NIS2 is to determine applicability by assessing entity size, sector, and operations against the size-cap rule and criticality criteria.** Conduct a gap analysis of current risk management, register with national authorities if covered, and prioritize dynamic risk registers, incident reporting procedures, and senior governance accountability ahead of transposition deadlines varying by member state.

What is the primary objective of **AS9120B**?

**AS9120B's primary objective is to establish a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics.** Built on ISO 9001:2015's 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit/suspected unapproved parts, documentation errors, and external provider controls to ensure chain-of-custody integrity.

Who is legally or professionally required to comply with **AS9120B**?

**AS9120B applies to stockist distributors, pass-through distributors, and organizations performing batch splitting in aviation, space, and defense supply chains.** It targets those procuring, storing, and reselling parts without modification; certification is not legally mandatory but is a commercial requirement from OEMs and primes for supply chain approval, with ~2,442 global certifications as of 2023.

Oes **AS9120B** require an external audit or third-party certification?

**AS9120B requires third-party certification through accredited bodies for OASIS listing and market access.** Organizations undergo Stage 1 (documentation) and Stage 2 (implementation) audits per AS9101, followed by annual surveillance and triennial recertification to verify QMS effectiveness.

How often should an assessment for **AS9120B** be performed?

**AS9120B requires internal audits at planned intervals to cover all processes annually, plus management reviews at defined intervals.** External surveillance audits occur yearly post-certification, with full recertification every three years; assessments evaluate QMS suitability, risks, nonconformities, and supplier performance.

What are the consequences of non-compliance with **AS9120B**?

**Non-compliance with AS9120B risks contract disqualification, exclusion from OEM supplier lists, and supply chain rejection.** It leads to audit nonconformities, loss of OASIS visibility, potential recalls, legal liabilities from counterfeit parts, and commercial exclusion in ASD markets.

An **AS9120B** be mapped to other international frameworks?

**AS9120B aligns directly with ISO 9001:2015's high-level structure, enabling seamless mapping of its 10 clauses.** Aerospace additions (e.g., counterfeit prevention, traceability) build on ISO baseline without standalone compatibility to non-ISO frameworks.

What is the first step to begin implementing **AS9120B**?

**The first step is conducting a formal gap analysis against AS9120B clauses using a certified checklist.** This identifies scope, "not applicable" justifications (e.g., Clause 8.3 design), risks, and priorities like supplier controls and traceability, followed by appointing a Management Representative.

NIS2 vs AS9120B

Standards Comparison

NIS2

Mandatory

2022

EU regulation enhancing cybersecurity resilience for critical sectors

AS9120B

Mandatory

2016

Aerospace QMS standard for distributors ensuring traceability and counterfeit prevention.

Quick Verdict

NIS2 mandates cybersecurity resilience for EU critical sectors via risk management and rapid incident reporting, while AS9120B certifies quality systems for aerospace distributors ensuring traceability and counterfeit prevention. Organizations adopt NIS2 for regulatory compliance; AS9120B for supply chain approval.

Cybersecurity

NIS2

Directive (EU) 2022/2555 (NIS2)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Expanded scope with size-cap rule for medium/large entities
Strict multi-stage incident reporting (24/72-hour timelines)
Direct senior management accountability for compliance
Fines up to 2% of global annual turnover
Continuous risk management and supply chain security

Quality Management

AS9120B

AS9120B: Quality Management Systems for Distributors

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Traceability and chain-of-custody for split lots
Enhanced external provider controls and flowdown
Configuration management in distribution operations
Risk-based planning addressing distributor hazards

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2, officially Directive (EU) 2022/2555, is an EU regulation expanding the original NIS Directive. It establishes a high common cybersecurity level across member states by bolstering resilience of critical infrastructure and digital services. Applies risk-based, all-hazards approach to essential and important entities.

Key Components

**Risk managementContinuous assessments, supply chain security, access controls, encryption.
**Incident reporting24-hour early warning, 72-hour notification, one-month final report.
**Business continuityCrisis response and recovery plans.
**Corporate accountabilitySenior management direct responsibility. Aligns with standards like ISO 27001, NIST CSF. Compliance enforced via national authorities, spot checks.

Why Organizations Use It

Mandatory for in-scope entities to avoid fines up to €10M or 2% global turnover. Enhances cyber resilience, ensures service continuity, builds stakeholder trust. Supports multi-state operations amid evolving threats.

Implementation Overview

Conduct gap analysis, implement measures, register with CSIRTs, train staff. Targets medium/large entities in 18 sectors (e.g., energy, transport) across EU. Ongoing supervision, no formal certification but aligns with frameworks. Transposed nationally by October 2024.

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aviation, space, and defense distributors. It augments ISO 9001:2015's high-level structure with distributor-specific requirements. Primary purpose: mitigate risks like traceability loss, counterfeit parts, and documentation errors in procurement, storage, splitting, and resale without altering products. Employs risk-based thinking and PDCA cycle.

Key Components

Over 100 aerospace additions to ISO 9001 clauses 4-10.
Pillars: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, external providers), performance evaluation, improvement.
Built on 10-clause HLS; certification via accredited bodies with OASIS listing.

Why Organizations Use It

Commercial necessity for OEM/Tier-1 supply chains.
Reduces supply chain risks, builds customer trust via auditable chain-of-custody.
Enhances efficiency, market access (2,442 global certifications), competitive edge.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Applies to distributors globally; requires internal audits, management review, certification audits.

Key Differences

Aspect	NIS2	AS9120B
Scope	Cybersecurity risk management, incident reporting, business continuity	Quality management for aerospace parts distribution, traceability
Industry	Essential/important entities in EU sectors like energy, transport	Aerospace distributors globally, aviation/space/defense supply chains
Nature	Mandatory EU regulation with national transposition	Voluntary IAQG certification standard based on ISO 9001
Testing	Incident reporting timelines, national authority supervision	Third-party audits, internal audits, management reviews
Penalties	Fines up to 2% global turnover or €10M	Loss of certification, no direct legal fines

Scope

NIS2

Cybersecurity risk management, incident reporting, business continuity

AS9120B

Quality management for aerospace parts distribution, traceability

Industry

NIS2

Essential/important entities in EU sectors like energy, transport

AS9120B

Aerospace distributors globally, aviation/space/defense supply chains

Nature

NIS2

Mandatory EU regulation with national transposition

AS9120B

Voluntary IAQG certification standard based on ISO 9001

Testing

NIS2

Incident reporting timelines, national authority supervision

AS9120B

Third-party audits, internal audits, management reviews

Penalties

NIS2

Fines up to 2% global turnover or €10M

AS9120B

Loss of certification, no direct legal fines

Frequently Asked Questions

Common questions about NIS2 and AS9120B

NIS2 FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

Discover how compliance software automates monitoring, delivers real-time insights, and transforms compliance pros from reactive gatekeepers to proactive strate

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

DORA Third-Party Risk Management: A Consultant’s Guide to Mapping Critical ICT Service Providers in 2026

Navigate DORA's complex third-party risk pillar. Step-by-step consultant guide to identify critical ICT providers, remediate Article 30 contracts, and build the

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

K-PIPA vs APRA CPS 234

Compare K-PIPA vs APRA CPS 234: Korea's consent-driven privacy law vs Australia's board-led security standard. Uncover 72h breaches, CPOs, testing, fines up to 3% revenue. Master compliance today!

FISMA vs ISO 50001

Compare FISMA cybersecurity vs ISO 50001 energy management: key differences in compliance, risk frameworks & strategies for agencies & orgs. Boost resilience now!

PRINCE2 vs HITRUST CSF

PRINCE2 vs HITRUST CSF: Compare governance-driven project management with certifiable security controls. Uncover principles, processes, maturity scoring & compliance paths. Boost success—read now!

NIS2

AS9120B

Quick Verdict

NIS2

Key Features

AS9120B

Key Features

Detailed Analysis

NIS2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

AS9120B Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIS2 FAQ

What is the primary objective of NIS2?

Who is legally or professionally required to comply with NIS2?

Does NIS2 require an external audit or third-party certification?

How often should an assessment for NIS2 be performed?

What are the consequences of non-compliance with NIS2?

An NIS2 be mapped to other international frameworks?

What is the first step to begin implementing NIS2?

AS9120B FAQ

What is the primary objective of AS9120B?

Who is legally or professionally required to comply with AS9120B?

Oes AS9120B require an external audit or third-party certification?

How often should an assessment for AS9120B be performed?

What are the consequences of non-compliance with AS9120B?

An AS9120B be mapped to other international frameworks?

What is the first step to begin implementing AS9120B?

You Might also be Interested in These Articles...

From Reactive Gatekeeper to Proactive Strategist: How Compliance Software Reshapes the Compliance Professional's Day

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

DORA Third-Party Risk Management: A Consultant’s Guide to Mapping Critical ICT Service Providers in 2026

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

K-PIPA vs APRA CPS 234

FISMA vs ISO 50001

PRINCE2 vs HITRUST CSF