Preparing for NIS2: What Your Organization Needs to Know About Europe’s New Cybersecurity Directive 

Article | Cyber Security & Privacy

Cybersecurity regulations in Europe have evolved dramatically in recent years, with a growing emphasis on resilience, accountability, and the ability to quickly recover from incidents. This is where NIS2, the EU’s latest directive, comes in. Building on well-known frameworks like the ISO 27000 series, NIS2 is designed to bring risk management, continuity planning, and supply chain oversight into sharper focus. It is more than a compliance task—it is a mandate for organizations to secure operations from the ground up and the boardroom down. As each Member State transposes NIS2 into national law, businesses face new requirements that stretch across borders and industries, imposing accountability on senior management and requiring swift incident reporting. Therefore, understanding the directive’s specifics—and acting early—is essential in ensuring your organization will meet compliance and lead with resilience. Here is what you need to know to get ahead. 

A new layer of compliance: What is different with NIS2?

Those already familiar with the ISO 27000 series should recognize several shared principles of NIS2, such as the emphasis on risk management and cybersecurity measures. However, NIS2 brings additional obligations that extend beyond the typical requirements of ISO certification, especially with its mandatory stance on supply chain risk management and cybersecurity awareness, which now extends to all levels of the business. 
Here are key differences worth noting: 

  • Risk management and business continuity: NIS2 pushes beyond ISO 27001’s more general guidelines and formalizes the need for a risk-based approach that includes robust business continuity planning. 
  • Supply chain risk management: The new directive details more stringent third-party supply chain oversight, holding companies accountable for their contractors’ and suppliers’ cybersecurity practices. 
  • Awareness and training: NIS2 goes beyond the regular awareness requirements with a specific requirement for board-level cybersecurity training. This means senior leaders can no longer defer to IT, Risk, or Security teams when decisions need to be taken—they must understand and be actively involved. 

In short, NIS2 ups the ante on existing cybersecurity standards, highlighting Europe’s ambition to make digital infrastructure not just secure but resilient, reliable, and more responsive to evolving threats. 

Four Steps to Jumpstart NIS2 Compliance

Cybersecurity experts have underlined several ways organizations can kick off their journey toward compliance. Here are four steps any business can follow to ensure they are ahead of the game: 

  1. Check if NIS2 applies to you: The first and most obvious step is to check whether NIS2 affects your business at all. Start by noting that NIS2 splits businesses into “essential” and “important” categories, each with specific compliance obligations. Essential entities are typically large companies in critical areas like energy and healthcare, while important entities are mid-sized yet still economically significant. If you have over 50 employees or a turnover above €10 million, you are covered. So, the first thing you should do is run an internal check to confirm your category and establish what level of oversight applies. For multinationals, understanding the specific rules in each country is key.
  2. Get ready for cross-border registration: NIS2 requires affected organizations to register with authorities in every EU country where they operate, and each country may have slight variations in its rules. Planning for this ahead of time will most certainly save a lot of hassle. If you operate in multiple regions, it might be worth working with experts familiar with both EU-wide directives and local rules to ensure you are covered.
  3. Train senior management: NIS2 puts senior management on the compliance hook, so leadership needs specific training on these new requirements. This is not about technical skills; it is about a solid understanding of NIS2’s demands around incident reporting, response protocols, and overall risk management. Leaders with a clear grasp of these responsibilities will have a big influence on the organization, setting the standard for security throughout.
  4. Set up incident reporting protocols: NIS2 requires that cyber incidents be reported within 24 hours, so having a well-practiced, fast-acting reporting process will be paramount. Establish an incident response team, test your protocols, and consider using automated systems to streamline detection and alerts. This way, your team can quickly document incidents and meet reporting requirements without scrambling around. If you take these steps in plenty of time, there is a greater chance that your company will build a solid foundation for NIS2 compliance, enhancing its overall robustness for all things cybersecurity.

Addressing Multi-Country Requirements

One challenge many companies face is that, unlike regulations, directives like NIS2 are not uniform across countries—they allow each Member State to create its own implementing laws. This can result in discrepancies between countries. For example, Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI) will serve as the central supervisory authority, while Dutch companies will need to report to the Rijksinspectie Digitale Infrastructuur (RDI). Both agencies have similar mandates but may interpret compliance requirements slightly differently. 

There is also a chance that complications will arise with supply chains and third-party vendors. NIS2 requires organizations to assess supply chain cybersecurity practices, meaning companies that supply to essential or important entities in the EU may also need to adapt to NIS2 requirements even if they are not directly bound by the directive. 

For non-EU businesses, especially those operating through subsidiaries or vendors, aligning with NIS2 requirements could become a de facto standard for retaining European clients.  

Don’t wait, act now

NIS2’s far-reaching requirements call attention to the importance of a proactive cybersecurity culture for all those that it applies to. It is about more than just maintaining firewalls and training staff on phishing—it requires a fundamental shift in how companies manage cybersecurity risk. Board members, executives, and operational leaders will have to drive this culture from the top down, prioritizing both preventive and reactive security measures. 

For now, the directive is still in the process of national transposition across Member States, but once it is enacted in each country, compliance requirements will come into immediate effect. Therefore, businesses should not wait to act. The EU has made it clear that enforcement of these regulations will be strict, with supervisory authorities empowered to perform audits and impose fines for non-compliance. 

Organizations should treat NIS2 as a long-term strategy, embedding cybersecurity at every operational level to build resilience against future threats. Companies with robust information security measures already in place, like those with ISO 27001 certification, will find themselves in a strong position. However, even these organizations will need to address NIS2’s added focus areas, including supply chain monitoring, mandatory incident reporting, and management accountability. No one is off the hook. 

Preparing for NIS2: key steps for compliance

Given how fast the cybersecurity landscape is evolving, NIS2 compliance should be at the forefront of an organization’s strategic planning. Here is a quick overview of how to get the ball rolling:  

  • Determine if NIS2 applies to your company and establish your compliance pathway.
  • Plan for multi-country registration and prepare your regional compliance strategy.
  • Implement a senior management training program to instill a top-down understanding of cybersecurity responsibilities.
  • Finally, develop incident reporting protocols that align with NIS2’s 24-hour requirement.

By proactively following these steps, your business will be well-positioned to meet NIS2’s demands, reducing the risk of fines and reinforcing your reputation as a secure and resilient business partner.

This article was created through the collaboration of Andrea Krush (Netherlands), Patric Lenhart (Germany), and Robin Herrmann (Switzerland).

By Andrea Krush
Senior Manager – Cyber Security

13 Dec 2024