NIS2 (EU cybersecurity)
Koji's posture on the EU Network and Information Security Directive 2. Aimed at customers classified as 'essential' or 'important' entities, NIS2 cascades supply-chain cybersecurity obligations to vendors like Koji.
What NIS2 is
NIS2 (Directive (EU) 2022/2555) is the EU's revised cybersecurity directive. It replaces the original 2016 NIS Directive and significantly expands both the entities in scope and the obligations on them. Member states transposed it into national law by 17 October 2024. National-level enforcement is now ramping up across the EU.
NIS2 distinguishes two categories of regulated entities:
- Essential entities — large operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT-service management (B2B), public administration, and space.
- Important entities — medium-sized operators in postal/courier, waste management, chemicals, food, manufacturing of medical devices and related, digital providers (e.g. online marketplaces, search engines, social networks), and research organizations.
Why this matters to Koji customers
Article 21 NIS2 requires essential and important entities to manage supply-chain cybersecurity risk, including the cybersecurity practices of their direct suppliers and service providers. In practice that means a NIS2-regulated customer must:
- Assess the cybersecurity practices of Koji as a vendor
- Reflect cybersecurity obligations in the contract with Koji
- Receive timely incident notifications from Koji when relevant
- Maintain ongoing oversight of Koji's cybersecurity posture
What Koji provides to NIS2-regulated customers
- Documentation: Our security overview, technical and organizational measures, and pre-filled CAIQ Lite cover the vendor-assessment requirement. Available via the resources page.
- Contractual commitments: Our DPA already includes Article 32-equivalent security commitments. NIS2-specific contract riders are prepared alongside the DPA for in-scope customers to formally reflect the supply-chain obligation.
- Incident notification: Our incident-response process notifies affected customers without undue delay and within seventy-two hours of a personal-data breach. For non-personal-data security incidents that affect a NIS2-regulated customer's services, the same operating channels and on-call escalation apply, with notification timing aligned to the customer's own regulatory window (initial within 24 hours of awareness, incident report within 72 hours, final report within one month, as required by NIS2 Article 23).
- Configurable retention and audit logging: Customers can extend audit-log retention to the period their national NIS2 implementation requires, typically 24 to 36 months.
National transposition and CSIRT coordination
NIS2 is a directive, not a regulation, so member states have transposed it into national law. The substance is harmonized but enforcement details (national CSIRTs, registration portals, supervisory authority) vary by country. Koji works with NIS2-regulated customers to make sure incident notifications reach the right national CSIRT through the customer's own channel; Koji does not file notifications with national regulators directly.
Scope clarifications
- Koji's own registration: Koji's current size and service profile sit below the NIS2 thresholds for essential or important entity classification, so we are not a registrant in any member state. Customers that are registrants treat Koji as a third-party ICT service provider in their own supply-chain governance.
- Service category: Koji is a customer-research platform, not a managed cybersecurity service. Where customers use Koji as part of a service chain that requires NIS2 supply-chain documentation, the rider scope is the customer-research service.
Getting a NIS2 contract rider
If your organization is in scope for NIS2 and you need a formal contract rider reflecting supply-chain cybersecurity obligations, email [email protected]. We respond within one business day with the proposed NIS2 rider scoped to your engagement.
Related coverage
- Security overview — architecture, controls, encryption
- Technical & organizational measures — Article 32 GDPR-equivalent controls
- Incident response — detection, triage, customer notification
- Sub-processor register — fourth-party visibility for your own supply chain