100+ Free NIS 2 Foundation Practice Questions

Pass your PECB NIS 2 Directive Foundation exam on the first try — instant access, no signup required.

✓ No registration  ✓ No credit card  ✓ No hidden fees  ✓ Start practicing immediately

  • Pass Rate: Not published
  • Questions: 100+
  • 100% Free
Key Facts: NIS 2 Foundation Exam

  • Transposition Deadline: 17 October 2024 (source: NIS 2 Article 41)
  • Max Fine (Essential Entities): €10M or 2% (source: NIS 2 Article 34)
  • Max Fine (Important Entities): €7M or 1.4% (source: NIS 2 Article 34)
  • Minimum Cybersecurity Measures (Art. 21): 10 (source: NIS 2 Article 21(2))
  • Incident Reporting Timelines: 24h / 72h / 1 month (source: NIS 2 Article 23)
  • PECB Foundation Passing Score: 70% (source: PECB)
  • Foundation Exam Format: ~40 MCQ / 60 min (source: PECB)
  • Official Citation: Directive 2022/2555 (source: EU Official Journal)

PECB NIS 2 Directive Foundation is a 2-day course-and-exam format covering the fundamentals of Directive (EU) 2022/2555. The closed-book exam has approximately 40 multiple-choice questions, a 60-minute limit, and requires 70% to pass. It is the entry point for the PECB NIS 2 certification pathway.

Sample NIS 2 Foundation Practice Questions

Try these sample questions to test your NIS 2 Foundation exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which EU Directive does the NIS 2 Directive (Directive 2022/2555) repeal and replace?
A. Directive 2016/1148 (NIS 1 Directive)
B. Directive 2013/40/EU (Attacks Against Information Systems)
C. Directive 2002/58/EC (ePrivacy Directive)
D. Directive 2016/680 (Law Enforcement Data Protection)
Explanation: NIS 2 (Directive 2022/2555) expressly repeals and replaces Directive 2016/1148, the original NIS 1 Directive. NIS 2 significantly expands scope, harmonises penalties, and strengthens governance obligations compared to its predecessor.

2. By what date were EU Member States required to transpose the NIS 2 Directive into national law and begin applying its measures?
A. 17 October 2024
B. 1 January 2025
C. 17 April 2025
D. 31 December 2024
Explanation: Article 41 of NIS 2 required Member States to transpose the Directive and apply its measures from 17 October 2024. Despite this deadline, many Member States were late, prompting the European Commission to open infringement procedures.

3. Under the NIS 2 Directive, entities in Annex I sectors that meet the large-enterprise size threshold are automatically classified as which type of entity?
A. Essential entities
B. Critical entities
C. Important entities
D. Designated entities
Explanation: Annex I lists 'sectors of high criticality' (energy, transport, banking, health, digital infrastructure, etc.). Large enterprises operating in Annex I sectors are classified as essential entities. Essential entities face stricter supervision and higher maximum penalties than important entities.

4. Which size threshold distinguishes a large enterprise from a medium enterprise under the NIS 2 Directive's entity classification rules?
A. At least 100 employees or more than €25 million annual turnover
B. At least 500 employees or more than €100 million annual turnover
C. At least 250 employees or more than €50 million annual turnover
D. At least 50 employees or more than €10 million annual turnover
Explanation: NIS 2 references EU SME definitions: a large enterprise has at least 250 employees OR exceeds €50 million annual turnover AND €43 million balance sheet. This threshold determines whether an Annex I entity is essential (large) or important (medium).

5. Which of the following sectors is listed in Annex I (sectors of high criticality) of the NIS 2 Directive?
A. Food production, processing and distribution
B. Postal and courier services
C. Banking
D. Manufacturing of medical devices
Explanation: Banking is explicitly listed in Annex I of NIS 2 as a sector of high criticality, alongside energy, transport, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.

6. Regardless of their size, which of the following entities is automatically in scope of NIS 2?
A. Small manufacturers of food products in one Member State
B. Microenterprise postal couriers operating regionally
C. Trust service providers
D. Small catering businesses serving public sector clients
Explanation: NIS 2 Article 2(2) specifies that certain entities fall within scope regardless of size, including trust service providers (as defined in eIDAS), top-level domain name registries, DNS service providers, and providers of public electronic communications networks.

7. Under NIS 2, which bodies are primarily responsible for supervising compliance by essential and important entities at the national level?
A. Competent authorities designated by each Member State
B. ENISA and Europol jointly
C. The European Commission's DG CONNECT
D. National data protection authorities (DPAs)
Explanation: NIS 2 requires each Member State to designate one or more competent authorities responsible for cybersecurity and the supervision of NIS 2 obligations. These national bodies carry out supervisory, investigative, and enforcement activities. ENISA plays an advisory and coordination role but is not a direct supervisor.

8. What is the correct initial reporting timeline under NIS 2 Article 23 when an entity becomes aware of a significant incident?
A. Submit a full incident report within 24 hours
B. Submit an incident notification within 48 hours and a final report within 30 days
C. Submit an early warning within 24 hours and an incident notification within 72 hours
D. Notify the CSIRT within 72 hours and authorities within 7 days
Explanation: Article 23 of NIS 2 establishes a three-stage process: (1) early warning within 24 hours of awareness, (2) incident notification within 72 hours with initial severity assessment, and (3) a final report within 1 month. The 24-hour early warning alerts authorities to potential cross-border patterns.

9. When must the final incident report be submitted under NIS 2 Article 23 for a significant incident that has been resolved?
A. Within 7 days of the incident notification
B. Within 14 days of the early warning
C. Not later than one month after the incident notification
D. Within 90 days of becoming aware of the incident
Explanation: Article 23(4) requires the final report no later than one month after submitting the incident notification (the 72-hour update). If the incident is still ongoing at that point, the entity submits a progress report instead and a final report within one month of resolution.

10. Which condition must be met for an incident to be classified as 'significant' and trigger NIS 2 reporting obligations?
A. The incident has caused or can cause severe operational disruption or financial loss
B. The incident must cause confirmed data loss of personal data
C. The incident must be confirmed as a ransomware attack
D. The incident must have been detected by an IDS and logged in the SIEM
Explanation: NIS 2 Article 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption to the service or financial loss for the affected entity, or has caused or is capable of causing considerable material or non-material damage to other natural or legal persons.

About the NIS 2 Foundation Exam

The PECB NIS 2 Directive Foundation certification validates understanding of the EU NIS 2 Directive (Directive 2022/2555) — its scope, entity classifications, cybersecurity requirements, incident reporting obligations, governance, and penalties.

  • Questions: 40 scored questions
  • Time Limit: 60 minutes
  • Passing Score: 70%
  • Exam Fee: Included in training course; standalone pricing varies by partner (PECB)

NIS 2 Foundation Exam Content Outline

  • 50%: Fundamental Concepts and Definitions of NIS 2. Scope of Directive 2022/2555, essential and important entity classifications, Annex I and II sectors, size thresholds, definitions (incident, vulnerability, risk, cyber threat), relationship with NIS 1 and GDPR
  • 50%: NIS 2 Requirements for Implementing a Cybersecurity Program. Article 21 risk management measures (10 minimum), incident reporting timelines (24h/72h/1 month), governance and management accountability (Article 20), supply chain security, administrative penalties, supervisory bodies

How to Pass the NIS 2 Foundation Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 40 questions
  • Time limit: 60 minutes
  • Exam fee: Included in training course; standalone pricing varies by partner

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

NIS 2 Foundation Study Tips from Top Performers

1. Know the Annex I vs Annex II sector distinction and which sectors fall into each; this is a common exam topic
2. Memorise the three-stage incident reporting timeline: 24h early warning, 72h notification, 1-month final report
3. Understand the two fine tiers: essential entities (€10M / 2% global turnover) vs important entities (€7M / 1.4%)
4. Learn all 10 minimum measures under Article 21(2)(a)-(j); each letter maps to a specific measure
5. Distinguish essential entity proactive (ex ante) supervision from important entity reactive (ex post) supervision

Frequently Asked Questions

What is the PECB NIS 2 Directive Foundation exam format?

The PECB NIS 2 Directive Foundation exam has approximately 40 multiple-choice questions with a 60-minute time limit. It is a closed-book exam typically taken at the end of the 2-day PECB NIS 2 Foundation course. A score of 70% is required to pass and earn the Foundation certificate.

What topics does the NIS 2 Foundation exam cover?

The exam covers two main areas: (1) fundamental concepts and definitions of the NIS 2 Directive — scope, essential vs important entity classifications, Annex I and II sectors, size thresholds, and key definitions; and (2) NIS 2 requirements for implementing a cybersecurity program — the 10 Article 21 measures, incident reporting timelines, governance and management accountability, supply chain security, and penalties.

Is there a prerequisite for the PECB NIS 2 Foundation exam?

There are no formal prerequisites for the NIS 2 Foundation. A general understanding of IT or cybersecurity is helpful but not required. The Foundation is designed as an entry point for anyone who needs to understand the NIS 2 Directive's requirements — including compliance officers, legal professionals, IT managers, and consultants.

How do I become a PECB Certified NIS 2 Foundation?

The typical pathway is to complete the 2-day PECB NIS 2 Directive Foundation course through an authorised PECB training partner and pass the included examination with at least 70%. The Foundation certificate is then valid for 3 years. It is the entry level of the PECB NIS 2 certification path, which also includes Lead Implementer and Internal Auditor levels.

What is the difference between NIS 2 essential and important entities?

Essential entities are generally large enterprises (250+ employees or €50M+ turnover) in Annex I high-criticality sectors such as energy, transport, banking, health, and digital infrastructure. Important entities are generally medium or large enterprises in Annex II sectors, or medium enterprises in Annex I sectors. Essential entities face proactive supervision and higher maximum fines (€10M or 2% of global turnover); important entities face reactive supervision and lower fines (€7M or 1.4%).

What are the NIS 2 incident reporting timelines?

NIS 2 Article 23 requires a three-stage process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial severity assessment and indicators of compromise, and a final report within one month of the incident notification. For ongoing incidents, a progress report is due at one month and a final report within one month of resolution.