2 March 2025
Regulatory Pressure
How the NIS2 Directive has raised cybersecurity expectations across the EU and what organizations need to do to comply.
The NIS2 Directive has significantly raised cybersecurity expectations across the European Union. Replacing the original 2016 NIS Directive, it widens the range of organizations in scope and sets a firmer, more consistent baseline for how they manage cyber risk. Companies in sectors such as energy, transport, banking, health, water, digital infrastructure, and public administration now need to implement robust risk management practices, maintain structured incident reporting, and ensure supply chain security. Member states were required to transpose the directive into national law by October 2024, so for most organizations the obligations are no longer on the horizon; they are already in force.
Who NIS2 applies to
One of the biggest changes is scope. NIS2 divides in-scope organizations into essential and important entities, generally covering medium and large organizations in the designated sectors, and it captures many companies that the original directive never touched. Crucially, being in scope is not something a company opts into. If you operate in a covered sector above the relevant size threshold, the obligations apply whether or not you have been formally notified, and the responsibility to determine that sits with you. For many organizations, the first real task is simply working out where they stand and which entities in the group are affected.
More than a legal obligation
Compliance with NIS2 is more than a legal obligation; it is a chance to strengthen operational resilience. Organizations are expected to demonstrate tangible steps to prevent, detect, and respond to incidents, and to report significant incidents on a tight timeline. The stakes are concrete: essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is higher, and NIS2 makes senior management directly responsible for overseeing cyber risk, with the possibility of personal liability. Reputational damage frequently outlasts the financial penalty. Taken together, these consequences move cybersecurity from an IT concern to a board-level one, and underscore the business value of getting ahead of the requirements rather than reacting to them.
Embedding security into daily operations
For IT leaders and security teams, NIS2 emphasizes embedding security into daily operations rather than treating it as an annual audit. The directive sets out a baseline of measures every in-scope organization is expected to have in place, including risk analysis and information security policies, incident handling, business continuity and backup, supply chain security, secure development and vulnerability management, access control and encryption, and staff training. Continuous monitoring, automated testing, and secure development practices must be part of the workflow, ensuring that policies are actionable, measurable, and effective. By adopting these practices early, organizations can turn regulatory compliance into a competitive advantage, showcasing a culture of accountability where cybersecurity is a continuous organizational priority rather than a checkbox exercise.
What organizations should do
Meeting NIS2 is less about a single project and more about durable process. Practical starting points:
- Confirm your scope. Determine whether you qualify as an essential or important entity under NIS2 and your national transposition.
- Formalize risk management. Document policies for risk analysis, access control, encryption, and business continuity.
- Get incident reporting ready. Put processes in place to meet the 24-hour early-warning and 72-hour reporting deadlines.
- Secure your supply chain. Assess and monitor the security practices of key vendors and dependencies.
- Brief leadership. Make sure management understands its oversight duties and personal accountability.
Turning these requirements into an operating reality is where many organizations stall. Our Advisory & Consulting team helps you assess NIS2 scope, close the gaps in your risk management and reporting processes, and build compliance into day-to-day operations rather than treating it as a one-off exercise.
How secure are you, really?
Let our experts help you build a resilient defense, tailored to your business needs.