NIS2's 24-hour early-warning clock starts the moment you become aware of a significant incident. If your network monitoring still polls device counters every five minutes, the clock is already running before anyone in your NOC has seen the event. That gap, between the regulatory cadence and the telemetry cadence, is the part of NIS2 compliance no dashboard can fix.
Key Takeaways
- NIS2 (Directive (EU) 2022/2555) brought ~160,000 entities into scope on 18 October 2024: regional ISPs, IXPs, sovereign clouds and MSSPs alongside the tier-one carriers.
- Article 23's 24-hour early-warning clock starts at awareness. Five-minute SNMP polling burns budget before the NOC has seen the event. Article 34 sets a €10M / 2%-turnover EU floor; Article 32(5)(b) lets regulators temporarily bar a CEO from managerial functions.
- The fix is not a compliance dashboard. It is a telemetry plane the dashboard can actually see (streaming, standards-based, real-time enough to matter) sitting on top of a supply chain a regulator can audit.
- European operators are already running this architecture in production inside transposed NIS2 jurisdictions today.
What we don't claim
Before the regulatory exposition or the technical case, the honest frame:
NOT THIS
OcNOS is not a NIS2 compliance product. No network OS, alone, makes anyone compliant. Compliance is determined by deployment, governance, processes and the assessor.
THIS
OcNOS gives operators the telemetry plane, the supply chain transparency, and the open standards alignment that make a NIS2-defensible deployment possible. The compliance work is still yours. The architecture is no longer fighting you.
What NIS2 actually requires
NIS2 is the European Union's second-generation Network and Information Security Directive (Directive (EU) 2022/2555). It replaces the 2016 original and sets a harmonised cybersecurity baseline across all 27 member states; national rules apply from 18 October 2024. The directive sweeps in roughly 160,000 entities: regional ISPs, IXPs, sovereign-cloud and data-centre operators, MSSPs and trust service providers, alongside the tier-one carriers. All of them sit inside the same compliance perimeter, with the same reporting clock.
Most operators have not internalised what a 24-hour clock anchored on awareness means in practice. Before the telemetry argument, here is what that clock looks like.
Worth sitting with that for a moment. A regulator who later finds out the incident actually started at T-minus-90 minutes, because your 5-minute SNMP cycle missed the first three states, is not going to give back the time the polling cadence ate.
Who NIS2 catches, and what it costs to miss
ENISA estimates more than 160,000 entities fall under NIS2, against 10–15,000 under NIS1. The directive splits them into essential entities (Annex I: energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration) and important entities (Annex II: postal, waste, food, manufacturing of critical products).
Who's in for IP Infusion's audience
- Regional fibre ISPs, mobile and Open RAN operators: essential, size-exempt.
- IXPs, data-centre and cloud providers (including sovereign cloud): essential.
- Trust service providers: always essential, no size floor.
- MSPs and MSSPs: essential under ICT service management.
For public electronic communications, DNS, TLD and trust services, the size threshold does not save you.
Penalties, personal liability, and the reporting clock
Article 34's €10M or 2% of turnover figure for essential entities (€7M / 1.4% for important entities) is the EU-wide floor that member states can exceed, not a cap; none have gone lower. Article 20 puts the obligation on named individuals at the management body, and Article 32(5)(b) lets regulators temporarily prohibit a CEO or legal representative from managerial functions until the breach is remediated. Article 33 extends the same enforcement to important entities; Germany codifies personal executive liability in Section 38(2) of the BSIG (the German IT Security Act). Article 23 anchors the reporting clock on awareness: 24-hour early warning, 72-hour incident notification, one-month final report.
Germany leads transposition with NIS2UmsuCG (in force since 6 December 2025, 29,500+ entities, no transition period). Italy and Austria reach full force by October 2026; most other large markets are in force or still drafting. Enforcement has started: as of early 2026, the BSI has issued formal notices to in-scope entities, Germany has opened proceedings for late incident notification, France has issued formal warnings, and Italy has initiated sectoral inspections. The large turnover-based fines have not yet landed, but the GDPR-style escalation is clearly underway.
Article 21(2) lists ten minimum risk-management measures. The ones that drive this post are (b) incident handling, (f) policies to assess effectiveness of measures, and (d) supply chain security. The first two share a technical prerequisite most operators have not built: continuous, standards-based network telemetry. The third requires a supply chain you can actually inspect.
Already running in transposed NIS2 jurisdictions
While the incumbents publish NIS2 readiness whitepapers, European operators on OcNOS are already in production inside transposed jurisdictions. eww ITandTEL runs a sovereign MPLS backbone in Upper Austria on disaggregated 400G ZR+ hardware (essential-entity profile under Austria's NISG 2026). DIGI Group runs OcNOS for OLT aggregation in Romania, where the DNSC can verify the hardware and software substitution path. AnschlussWerk across DACH and ASOM-Net in Denmark run OcNOS in production under Germany's NIS2UmsuCG, the most aggressive regime in Europe. Three jurisdictions, three operators, one architectural shape. The rest of this post is the technical reasoning behind that shape.
Why your network telemetry is the gap (and the industry is selling you the wrong fix)
Your detection is only as fast as your telemetry. NIS2 never uses the word "monitoring" in its operative articles, and vendors have taken that as cover to frame the directive as a governance exercise. That framing does not hold up: Implementing Regulation (EU) 2024/2690 and ENISA's Technical Implementation Guidance v1.0 (26 June 2025) name network traffic monitoring, log management and anomaly detection outright for digital-infrastructure entities, and operators outside IR 2024/2690 scope face the same expectations through national transposition. Article 23's 24-hour clock leaves very little room once a five-minute SNMP cycle has eaten part of it.
Why SNMP cannot carry the load
Three failure modes, each of which eats into the response window under a 24-hour clock:
- Polling cadence. A 5 to 15 minute interval means your awareness of any event lags by up to a full cycle. A volumetric DDoS that ends inside one window, or a BGP withdrawal that re-converges before the next poll, is invisible to the NMS. You learn about it from a downstream complaint, and you have already burned hours of the 24-hour budget.
- Last-value-only sampling. If a link flaps fifty times between polls, you see one final state. The forensic timeline that Article 23's 72-hour notification and one-month final report expect is hard to reconstruct from data that was never captured.
- Fragile transport. SNMP traps over UDP/162 are fire-and-forget. In a control-plane storm, exactly the moment you most need the alert, the traps are the first thing the network drops. SNMPv1/v2c community strings are cleartext, and SNMPv3 USM deployment in transit gear remains uneven.
An operator can still meet the directive's reporting cadence while running SNMP, provided their processes are tight enough. The trade-off is awareness latency and forensic depth: the response window is narrower than it could be, and the timeline reconstructed for the regulator is thinner.
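The first two failure modes can be measured directly. The following is an added example, not code from the original post or from IP Infusion: it replays a constructed link-state timeline through a 5-minute last-value poller and through an ON_CHANGE-style stream, then compares what each one records. The event times are invented for illustration, and the stream is assumed to deliver with negligible delay.

```python
from bisect import bisect_right

# Constructed ground truth: (seconds, oper-status) for one link. It flaps three
# times inside a single polling window, then goes down for good at t=1010.
EVENTS = [(0, "UP"), (312, "DOWN"), (318, "UP"), (371, "DOWN"), (380, "UP"),
          (455, "DOWN"), (470, "UP"), (1010, "DOWN")]

def state_at(events, t):
    """Last-value-only view: the state in force at time t."""
    times = [ts for ts, _ in events]
    return events[bisect_right(times, t) - 1][1]

def polled_view(events, interval, horizon):
    """Transitions a poller records: one sample per interval, changes only."""
    seen, prev = [], state_at(events, 0)
    for t in range(interval, horizon + 1, interval):
        cur = state_at(events, t)
        if cur != prev:
            seen.append((t, cur))
            prev = cur
    return seen

def streamed_view(events):
    """ON_CHANGE view: every transition at the time it happened.
    Assumes negligible transport delay (a simplification)."""
    return events[1:]

def first_awareness(view, status="DOWN"):
    """Earliest time the NOC could know about `status`; None if never seen."""
    return next((t for t, s in view if s == status), None)

def compare(events, interval=300, horizon=1500):
    polled, streamed = polled_view(events, interval, horizon), streamed_view(events)
    real, seen = first_awareness(streamed), first_awareness(polled)
    return {
        "real_transitions": len(streamed),
        "polled_transitions": len(polled),
        "first_down_real": real,
        "first_down_polled": seen,
        # None means the event ended inside one window and was never observed.
        "awareness_lag_s": None if seen is None else seen - real,
    }

if __name__ == "__main__":
    for key, value in compare(EVENTS).items():
        print(f"{key}: {value}")
```

With the constructed timeline the poller records one transition out of seven and first sees the link down 888 seconds after it actually dropped; a flap that starts and ends between two polls never appears at all.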
What "compliance platforms" get wrong
The dominant vendor narrative treats NIS2 as a SIEM, XDR or AIOps procurement. The platforms themselves (Cisco, Splunk, Dynatrace and the rest) are excellent at what they do, but the ingestion model they inherit cannot beat its own inputs: observability platforms ingest what the network feeds them; they cannot detect what the network never reported. Per-GB ingest pricing then penalises the very telemetry volume that makes detection useful. Carrier-grade transport (the IXP, data-centre interconnect and sovereign-cloud underlay where telco NIS2 obligations actually bite) is largely invisible to endpoint and perimeter stacks.
The durable fix is to push the detection plane down into the network OS itself, in a vendor-neutral format. Same physics, regardless of which logo sits on top.
What streaming telemetry actually changes
The specifics matter:
- gNMI runs gRPC over HTTP/2, supports TLS, and offers ON_CHANGE event subscriptions alongside Sample mode for periodic counters. Real-time streaming. Not five-minute polling.
- OpenConfig YANG gives you one schema across vendors: the same XPath at /interfaces/interface/state/counters/in-discards is portable across any network OS that implements openconfig-interfaces. One parser across the estate, with the same alerting rules and the same audit trail running on top.
- TLS-secured transport: gNMI sessions are mutually authenticated with X.509 certificates, not cleartext community strings.
We made the longer technical argument in February 2026 in Stop polling, start streaming: why SNMP is crippling your network visibility. NIS2 is what turns it from an architectural preference into a regulatory one.
Open networking provides the telemetry foundation NIS2 architectures require
NIS2 has two technical expectations the rest of an operator's reporting posture rests on: continuous network-layer visibility (Articles 21(2)(b/c/f/g) and, for digital-infrastructure entities, IR 2024/2690) and supplier transparency (Article 21(2)(d)). The proprietary majors now all expose OpenConfig YANG and gNMI, so the gap is not about telemetry standards. It is about supply-chain layer count: a vertically-integrated chassis is one vendor across silicon, hardware, NOS and orchestration; a disaggregated stack splits the same network into independently sourceable layers, which is what makes the Article 21(2)(d) supplier assessment tractable.
This matters more as European operators move to IPoDWDM with 400G ZR+ optics and SR-MPLS / SRv6 in the core, where optical pre-FEC BER drift, segment-routing transitions and BFD session state are the early-warning signals SNMP cannot see fast enough to be useful.
Native streaming telemetry, not a bolt-on
OcNOS exposes gNMI as a system-level subsystem, not a management overlay, with TLS-secured transport and OpenConfig YANG schemas. The properties that matter for NIS2:
- OpenConfig YANG data models for interfaces, BGP, routing-policy, system and platform paths. A standardised schema is what lets a single alerting rule set survive a multi-vendor estate. Without it, every box is its own parser problem.
- gNMI Subscribe with ON_CHANGE event streaming for state, plus periodic Sample mode for counters. Push, not poll. The difference shows up in awareness latency, not in feature-comparison matrices.
- BGP RPKI Origin Validation rejects invalid BGP routes at the device. An auditable anti-prefix-hijack control relevant to the broader network-security obligations under Article 21(2).
- sFlow line-rate flow sampling across the SKU range, sitting alongside gNMI's state and counter streams rather than in place of them.
- BMP route monitoring with BGP-LS topology export so a controller or SIEM sees every announce and withdraw, not just interface counters. Exactly the kind of state-transition record the 72-hour and 30-day reporting clocks expect.
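The "one parser, one alerting rule set" point made here and in the earlier OpenConfig bullet can be shown in a few lines. This is an added example, not OcNOS or IP Infusion code: a gNMI path-string parser feeds a single in-discards rule that runs unchanged over updates from two devices. The target names, update dict layout and threshold are assumptions made for illustration.

```python
import re
DISCARDS = "/interfaces/interface/state/counters/in-discards"  # path quoted in the article

def parse_gnmi_path(path):
    """Return (schema_path, keys); '/' inside [key=value] belongs to the value."""
    elems, buf, depth = [], "", 0
    for ch in path.strip("/"):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "/" and depth == 0:
            elems.append(buf)
            buf = ""
        else:
            buf += ch
    elems.append(buf)
    names, keys = [], {}
    for elem in elems:
        name = elem.split("[", 1)[0]
        names.append(name)
        for k, v in re.findall(r"\[([^=\]]+)=([^\]]*)\]", elem):
            keys[f"{name}.{k}"] = v
    return "/" + "/".join(names), keys

def discard_alerts(updates, max_delta=100):
    """One rule for every target: in-discards grew by more than max_delta."""
    last, alerts = {}, []
    for u in updates:
        schema, keys = parse_gnmi_path(u["path"])
        if schema != DISCARDS:
            continue
        ident = (u["target"], keys.get("interface.name"))
        prev = last.get(ident)
        if prev is not None and u["value"] - prev > max_delta:
            alerts.append((u["ts"], *ident, u["value"] - prev))
        last[ident] = u["value"]
    return alerts

# Constructed updates (simplified dicts, not the gNMI wire format) from two
# hypothetical targets that name their ports differently.
P = "/interfaces/interface[name=%s]/state/counters/in-discards"
UPDATES = [
    {"target": "pe1.example", "ts": 0, "path": P % "eth1", "value": 10},
    {"target": "pe2.example", "ts": 0, "path": P % "Ethernet1/1", "value": 5},
    {"target": "pe1.example", "ts": 10, "path": P % "eth1", "value": 12},
    {"target": "pe2.example", "ts": 10, "path": P % "Ethernet1/1", "value": 905},
]
print(discard_alerts(UPDATES))
```

The parser keeps the slash in Ethernet1/1 inside the key value, so port naming differs per device while the schema path the rule matches on stays identical.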
Disaggregation is supply chain transparency
Article 21(2)(d) requires entities to assess each direct supplier's security practices. Implementing Regulation (EU) 2024/2690 turns that into a per-component disclosure expectation, and ENISA's June 2025 guidance reads it as an implicit SBOM mandate.
A monolithic chassis is a single closed bill of materials the operator cannot inspect, audit or substitute from within. A disaggregated stack (OcNOS on whitebox hardware from Edgecore or UfiSpace, sourced through integrators such as EPS Global in the EU) splits that BOM into independently sourceable layers, each with its own SBOM, each swappable on its own schedule. Germany's 5G Toolbox cost (Huawei out of 5G core by end-2026, network management systems in access and transport by end-2029) is what single-vendor lock-in looks like once a high-risk-vendor designation lands. Article 21(2)(d) comes down to whether the supply chain behind the transport layer can be inspected. Architectures of this shape can be. Vertically-integrated ones cannot.
The eww ITandTEL, DIGI, AnschlussWerk and ASOM-Net deployments above are not coincidence. They share the same four-trait shape: disaggregated hardware the operator can audit, native streaming telemetry from day one, a supply chain that survives a high-risk-vendor designation without a multi-year rip-and-replace, and an audit trail a BSI, ANSSI, ACN or DNSC assessor can actually inspect.
NIS2 is not a checkbox you buy from a vendor. It is a supply chain audit governed by a physics problem. No dashboard above the telemetry plane can detect an incident faster than the plane below it refreshes.
The unified compliance platforms on offer from the incumbents reproduce the concentrated-supplier exposure Article 21(2)(d) is designed to surface, which is an awkward position from which to fix it.
Evaluating your NIS2 posture?
IP Infusion's European pre-sales group, based in Frankfurt, runs OcNOS architecture reviews against your existing footprint. Platform detail lives at the OcNOS overview.