NIS2 is in force. What it actually means for your organization
NIS2 entered into force across the EU in October 2024. If you operate in one of the sectors it covers — and the list is longer than most organizations realize — you are already subject to its requirements. The question is no longer whether NIS2 applies to you. It's whether you're ready.
What NIS2 actually requires
The directive establishes a baseline of cybersecurity risk management measures across critical and important entities. This includes governance at the highest level — your board and senior management are explicitly responsible for approving security measures and overseeing their implementation. It includes incident reporting with strict timelines: significant incidents must be reported to national authorities within 24 hours of detection. And it includes supply chain security — you are responsible not just for your own systems, but for the security practices of the suppliers and service providers you rely on.
The penalties for non-compliance are material: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.
Who is covered
NIS2 covers a significantly wider scope than its predecessor. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities extend this to postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
If you are a mid-sized company in any of these sectors — or a supplier to companies in these sectors — you are almost certainly within scope.
The compliance trap
Many organizations are approaching NIS2 as a box-ticking exercise: produce the documentation, pass the audit, move on. This is a mistake, and not just because it creates legal exposure. The organizations that treat NIS2 as a minimum threshold tend to build fragile compliance programs that fall apart under operational pressure or fail to address the actual risks they face.
The smarter approach is to use NIS2 as an anchor for a broader security improvement program — one that builds genuine capability, not just paper compliance. This means aligning your risk management with ISO 27001, establishing real governance structures, and making supply chain security a business practice rather than a procurement questionnaire.
Where to start
The first step is understanding your actual scope and obligations. Many organizations are surprised to find they qualify as essential entities, or that their subsidiaries fall under different national implementations of the directive. A gap analysis against the NIS2 requirements — mapped to your actual operations, not a generic template — gives you a clear picture of where you stand and what needs to change.
From there, the path is systematic: governance structures, risk management processes, incident response capability, supply chain controls, and the reporting mechanisms that regulators will expect to see working under pressure.
NIS2 compliance is achievable. But it requires treating it as a governance and operational challenge, not a documentation exercise.