
100+ Free NIS 2 LI Practice Questions

Pass your PECB NIS 2 Directive Lead Implementer exam on the first try — instant access, no signup required.

2026 Statistics

Key Facts: NIS 2 LI Exam

  • Passing Score: 70% (PECB)
  • Exam Questions: 12 (3 hours, open-book)
  • Minimum Measures: 10 (Article 21(2))
  • Reporting Timeline: 24h / 72h / 1mo (Article 23)
  • Max Fine (Essential): EUR 10M / 2% (Article 34)
  • Transposition Deadline: 17 Oct 2024 (EU Commission)

NIS 2 Directive Lead Implementer is PECB's flagship implementation credential for the EU's expanded cybersecurity directive (Directive (EU) 2022/2555). The transposition deadline of 17 October 2024 has passed, and Member States are now in active enforcement, making this certification highly relevant in 2026. The exam contains 12 scenario-based questions over 3 hours, is open-book, and requires 70% to pass. Content spans 6 competency domains: NIS 2 fundamentals, planning the implementation, roles and risk management, controls and incident management, communication and awareness, and testing and monitoring. Fees typically run $500-$1,000. Essential entities face fines up to EUR 10M or 2% global turnover; important entities up to EUR 7M or 1.4%.

Sample NIS 2 LI Practice Questions

Try these sample questions to test your NIS 2 LI exam readiness. Each question includes a detailed explanation.

1. What is the formal legal reference for the NIS 2 Directive?
A. Regulation (EU) 2016/679
B. Directive (EU) 2016/1148
C. Directive (EU) 2022/2555
D. Regulation (EU) 2022/2554
Explanation: The NIS 2 Directive is formally Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022. Directive (EU) 2016/1148 is the original NIS 1 Directive that NIS 2 repealed. Regulation (EU) 2016/679 is the GDPR, and Regulation (EU) 2022/2554 is the Digital Operational Resilience Act (DORA).

2. By what date were EU Member States required to transpose the NIS 2 Directive into national law?
A. 25 May 2018
B. 17 October 2024
C. 14 December 2022
D. 18 October 2025
Explanation: Article 41 of the NIS 2 Directive set 17 October 2024 as the deadline for Member States to adopt and publish national transposition measures, with provisions applying from 18 October 2024. The Directive was published on 14 December 2022 but the transposition window was 21 months. As of 2026, Member States are in the active enforcement phase.

3. Which directive does NIS 2 repeal and replace?
A. Directive (EU) 2016/1148 (NIS 1)
B. Directive 95/46/EC (Data Protection Directive)
C. Directive 2008/114/EC (ECI Directive)
D. Directive (EU) 2019/1024 (Open Data Directive)
Explanation: NIS 2 repeals Directive (EU) 2016/1148 (the original NIS Directive) effective 18 October 2024, the day after the transposition deadline. The 2008/114 ECI Directive on European Critical Infrastructures was replaced by the CER Directive (EU) 2022/2557, which is a sister directive to NIS 2.

4. What two categories of in-scope entities does NIS 2 define?
A. Operators of Essential Services and Digital Service Providers
B. Essential entities and important entities
C. Critical entities and supporting entities
D. Public entities and private entities
Explanation: NIS 2 introduces a binary classification of essential entities (Annex I sectors of high criticality) and important entities (Annex II other critical sectors). This replaces the NIS 1 distinction between Operators of Essential Services (OES) and Digital Service Providers (DSPs). "Critical entities" is the term used in the parallel CER Directive.

5. Which sector is listed in Annex I (sectors of high criticality) of NIS 2?
A. Postal and courier services
B. Waste management
C. Drinking water
D. Manufacture of chemicals
Explanation: Drinking water is one of the eleven Annex I sectors of high criticality, alongside energy, transport, banking, financial market infrastructures, health, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Postal/courier, waste management, and chemical manufacturing are Annex II sectors.

6. As a general rule, an organization in an Annex I sector that meets the size cap will be classified as which type of entity?
A. Important entity
B. Essential entity
C. Critical entity
D. Excluded entity
Explanation: By default, large entities operating in Annex I (high-criticality) sectors are classified as essential entities. Medium-sized entities in Annex I sectors and large entities in Annex II sectors are typically classified as important entities. Member States retain discretion to upgrade classifications based on national risk.

7. What size threshold generally applies for an entity to fall in scope of NIS 2 by default?
A. Micro entities only (fewer than 10 employees)
B. Medium-sized and large entities (50+ employees or EUR 10M+ turnover)
C. Only entities with more than 1,000 employees
D. Only listed companies on EU stock exchanges
Explanation: NIS 2 applies the size-cap rule from EU Recommendation 2003/361/EC: medium and large entities (50 or more employees, or annual turnover and balance sheet exceeding EUR 10 million). Some categories (e.g., DNS service providers, TLD name registries, qualified trust service providers, public administration) fall in scope regardless of size.

8. Which article of NIS 2 sets out cybersecurity risk-management measures?
A. Article 20
B. Article 21
C. Article 23
D. Article 32
Explanation: Article 21 (Cybersecurity risk-management measures) is the operational heart of NIS 2, requiring entities to take appropriate and proportionate technical, operational, and organisational measures and listing the ten minimum measures. Article 20 covers governance, Article 23 covers reporting obligations, and Article 32 covers supervisory and enforcement measures for essential entities.

9. Which EU body provides the secretariat of EU-CyCLONe and supports cooperation between Member States?
A. European Data Protection Board (EDPB)
B. European Union Agency for Cybersecurity (ENISA)
C. European Commission DG CONNECT
D. Europol
Explanation: ENISA, the EU Agency for Cybersecurity, provides the secretariat of EU-CyCLONe (European Cyber Crisis Liaison Organisation Network) and supports the secure exchange of information between Member States. ENISA also maintains the European vulnerability database referenced in Article 12 and assists the Cooperation Group.

10. NIS 2 expanded the number of in-scope entities from roughly 20,000 under NIS 1 to approximately how many?
A. 50,000
B. 100,000
C. 300,000
D. 1,000,000
Explanation: NIS 2 brings approximately 300,000 organisations across 18 sectors into scope, a roughly fifteen-fold increase from the estimated 20,000 entities under NIS 1. This dramatic expansion reflects the addition of new sectors (food, manufacturing, public administration, space) and the size-cap rule.

About the NIS 2 LI Exam

PECB NIS 2 Directive Lead Implementer validates the knowledge and skills needed to support an organization in planning, implementing, managing, monitoring, and continually improving a cybersecurity program aligned with the EU NIS 2 Directive (Directive (EU) 2022/2555). The exam covers NIS 2 fundamentals and scope, Annex I and Annex II sectors, the 10 minimum cybersecurity risk-management measures (Article 21), governance and management body responsibilities (Article 20), the 24-hour / 72-hour / 1-month incident reporting obligations (Article 23), supply chain security, cooperation with national CSIRTs and EU-CyCLONe, and alignment with ISO/IEC 27001, ISO 22301, GDPR, and DORA.

  • Questions: 12 scored questions
  • Time Limit: 3 hours
  • Passing Score: 70%
  • Exam Fee: $500-$1,000 (PECB)

NIS 2 LI Exam Content Outline

  • NIS 2 Fundamentals and Scope (10%): Directive (EU) 2022/2555, NIS 1 vs NIS 2, Annex I essential and Annex II important entities, size thresholds
  • Planning NIS 2 Implementation (15%): Gap analysis, scoping, transposition timeline, registration with NCA, alignment with ISO/IEC 27001 and ISO 22301
  • Governance, Roles, and Risk Management (20%): Article 20 management body liability, Article 21 risk-management approach, ISO 27005, supply chain risk
  • Cybersecurity Controls and Incident Management (25%): 10 Article 21 measures, BCM, cryptography, MFA, vulnerability handling, Article 23 reporting (24h / 72h / 1 month)
  • Communication, Cooperation, and Awareness (15%): Cooperation Group, CSIRTs Network, EU-CyCLONe, ENISA, single point of contact, training, public communication
  • Testing, Monitoring, and Continual Improvement (15%): Effectiveness assessment, internal audit, supervisory measures, penalties, corrective actions, PDCA

How to Pass the NIS 2 LI Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 12 questions
  • Time limit: 3 hours
  • Exam fee: $500-$1,000

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

NIS 2 LI Study Tips from Top Performers

1. Read Directive (EU) 2022/2555 cover-to-cover, especially Articles 20, 21, and 23 — the open-book exam rewards rapid navigation
2. Memorize the 24-hour / 72-hour / 1-month reporting cadence and what each report must contain under Article 23
3. Know all 10 Article 21(2) minimum measures (a) through (j) verbatim — they are the spine of any implementation scenario
4. Distinguish Annex I essential entities from Annex II important entities and the size thresholds (medium / large) and exceptions
5. Understand Article 20 personal liability for management bodies and the mandatory training obligation
6. Map NIS 2 measures to ISO/IEC 27001:2022 Annex A controls and ISO 22301 BCM clauses to leverage existing frameworks

Frequently Asked Questions

What is the PECB NIS 2 Directive Lead Implementer exam format?

The exam is open-book with 12 scenario-based questions to be completed in 3 hours, requiring 70% to pass. PECB is progressively transitioning some certifications to multiple-choice format. Questions assess your ability to apply NIS 2 Directive requirements (Articles 20, 21, 23) to realistic implementation scenarios in essential and important entities.

Why is NIS 2 Lead Implementer important in 2026?

The NIS 2 Directive transposition deadline was 17 October 2024, meaning EU Member States are now in active enforcement. Around 300,000 organizations across 18 sectors fall in scope, up from roughly 20,000 under NIS 1. Essential entities face fines up to EUR 10 million or 2% of global turnover, and management bodies can be held personally liable under Article 20, driving urgent demand for qualified implementers.

What are the 10 minimum cybersecurity measures under Article 21?

Article 21(2) lists ten minimum measures: (a) risk analysis and information system security policies; (b) incident handling; (c) business continuity and crisis management; (d) supply chain security; (e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; (f) policies to assess effectiveness; (g) basic cyber hygiene and training; (h) cryptography and encryption; (i) human resources security, access control, and asset management; (j) multi-factor authentication or continuous authentication and secured communications.

What are the NIS 2 incident reporting deadlines under Article 23?

Article 23 requires three-stage reporting for significant incidents: an early warning within 24 hours of awareness, a more detailed incident notification within 72 hours including initial severity assessment, and a final report within one month of the notification. Reports go to the national CSIRT or competent authority. The phased approach balances speed of containment with depth of post-incident learning.

What is the difference between essential and important entities?

Essential entities operate in Annex I sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Important entities operate in Annex II other critical sectors (postal/courier, waste management, chemicals, food, manufacturing, digital providers, research). Essential entities face stricter ex-ante supervision and fines up to EUR 10M or 2% turnover; important entities face ex-post supervision and fines up to EUR 7M or 1.4% turnover.

How does NIS 2 relate to ISO/IEC 27001, GDPR, and DORA?

ISO/IEC 27001:2022 provides a control framework that maps cleanly to many Article 21 measures, making an existing ISMS a strong NIS 2 starting point. GDPR addresses personal data protection while NIS 2 addresses network and information system security; both require incident reporting but to different authorities. DORA (Digital Operational Resilience Act) is sector-specific (financial entities) and acts as lex specialis, taking precedence over NIS 2 for in-scope financial firms in matters DORA covers.