
    Your NIS2 compliance playbook: What you need to know


    The Network and Information Systems Directive 2 (NIS2) isn’t your typical EU red tape. It’s a cybersecurity mandate that can no longer be ignored. If you’re an IT admin, a compliance officer, or someone wrangling third-party risks in your supply chain, NIS2 should now be on your radar.

    NIS2 Compliance and what it means for Your Cybersecurity Strategy
    NIS2 directive demystified for IT leaders

    This directive is the EU’s way of telling organizations, ‘Enough excuses. Secure your systems, protect your services, or face the consequences.’

    What is the NIS2 directive?

    NIS2 (Network and Information Systems Directive 2) is an EU directive designed to enhance cybersecurity across critical sectors. It aims to improve the overall resilience of network and information systems, particularly those used by essential services like energy, transport, healthcare, and digital infrastructure.

    The directive requires organizations to adopt stricter security measures, report cybersecurity incidents, and ensure the continuity of their services. NIS2 expands its scope to include more sectors and establishes stronger penalties for non-compliance, driving a more proactive approach to cybersecurity across the EU.

    NIS2 background and how it differs from NIS1

    NIS1 tried to set the stage in 2016. It aimed to unify cybersecurity rules across the EU. But in practice, it was more suggestion than standard. Different countries went in different directions. Some organizations got serious; others played the waiting game.

    Meanwhile, threat actors didn’t wait. They moved faster than policy. By the time ransomware-as-a-service hit full stride, NIS1 already looked outdated. Enter NIS2, built from six years of pain points, threat evolution, and calls for real alignment.

    Why was NIS2 introduced?

    The EU introduced NIS2 to fix key weaknesses found in the original NIS Directive. A review revealed critical gaps in cybersecurity readiness and coordination across Member States.

    Key issues included:

    • Low cyber resilience in many businesses.
    • Poor joint crisis response between countries and companies.
    • Lack of shared threat awareness, making coordinated action difficult.
    • Inconsistent security standards across the EU.

    NIS2 aims to close these gaps by strengthening security requirements, improving collaboration, and creating a more unified approach to cyber threats.

    Growing dependency on digital infrastructure in essential services

    You can’t separate “digital” from “critical” anymore. Hospital ventilators run on connected software. Water purification systems use remote telemetry. One misconfiguration and you’re dealing with more than downtime; you’re dealing with public safety.

    Scope of the NIS2 directive

    NIS2 applies to more organizations, more sectors, and more risk types. It doesn’t stop at obvious targets like hospitals or energy providers. It reaches deep into:

    • Essential entities: Operators of truly critical services like electricity, healthcare, water supply, and banking.
    • Important entities: DNS services, digital infrastructure, logistics platforms, and manufacturing of key goods.

    If your operations are digital and your disruption could cause serious societal or economic impact, congratulations, you’re probably in scope.

    Even smaller orgs (under 50 employees) can be caught in the net if they work in high-impact sectors or are essential to national operations.

    Key goals of the EU cybersecurity initiative

    Let’s be clear: NIS2 isn’t about paperwork. It’s about making sure that if something fails, it doesn’t cascade into chaos. Goals include:

    • Making cyber hygiene mandatory, not optional
    • Forcing visibility into supply chains
    • Aligning cyber strategy with boardroom decisions
    • Standardizing reporting and recovery across member states

    Who needs to comply with NIS2 directives?

    1. Essential and important entities – What’s the difference?

    Essential entities:

    • Face proactive audits
    • Include energy, water, finance, and health
    • Are expected to build high-assurance security frameworks

    Important entities:

    • Have slightly looser oversight
    • Cover sectors like food supply, postal services, and digital infrastructure

    Both must meet the same security standards. The difference is in how closely they’re monitored.

    2. Inclusion criteria – Size, sector, services

    You’re in scope if:

    • You have >50 employees or €10 million+ turnover
    • You belong to a listed critical sector
    • You offer services to or operate in multiple EU states

    There’s no “but we’re small” excuse. If your risk profile is high, NIS2 applies.

    3. Cross-border operators and third-party responsibilities

    Operate in multiple countries? You’ll be supervised by one primary authority but still held accountable across the EU. And if your third-party provider drops the ball, you’re still liable.

    Expect to prove that your vendor relationships are secure, monitored, and governed by enforceable contracts. Third-party audits aren’t optional anymore.

    Core pillars of NIS2

    • Governance and accountability: Under NIS2, execs and boards are accountable for cybersecurity. Appoint a lead, review at board level, and document leadership responsibility.
    • Risk management and cybersecurity hygiene: If you’re missing MFA, patching, logging, or remote access controls, your security policy is outdated and not NIS2-ready.
    • Incident response planning: NIS2 demands formal incident response plans, reviewed yearly, tested with tabletop drills, and aligned with business continuity. No more winging it. And remember: the 24-hour reporting clock starts when you become aware, not after you finish containment.
    • Business continuity and resilience: Resilience means fast recovery. Test backups, define failover paths, and document RTOs and RPOs. NIS2 expects proof, not promises.
    • Supply chain and third-party security: NIS2 makes supply chain security mandatory. Classify vendors, vet them at onboarding, add security clauses, and set clear breach escalation paths.

    What are the compliance requirements for NIS2? (Articles 20–25)

    Article 20: Cyber governance at the board level

    Boards must:

    • Take direct responsibility for cybersecurity oversight
    • Receive regular briefings on risk exposure and mitigation
    • Ensure cyber risk is embedded in business strategy

    Article 21: Mandatory cybersecurity measures

    This article reads like a starter pack for smart security:

    • Access control and MFA
    • Vulnerability and patch management
    • Supply chain risk management
    • Crisis management procedures

    These aren’t just recommendations; they’re non-negotiable.

    Article 22: Coordinated EU-wide risk assessments

    Welcome to shared intelligence. This article mandates:

    • EU-wide collaboration on emerging threats
    • Sector-specific risk baselines
    • Faster sharing of mitigation tactics

    Article 23: Reporting obligations and 24-hour rule

    If something goes wrong, you’ve got 24 hours to report it. That clock starts ticking the moment you know, not when you’ve contained it.

    Reports must include:

    • Description and timeline
    • Impact on operations
    • Mitigation already underway

    Article 24: Use of EU cybersecurity certification schemes

    Using certified solutions is one way to prove you’re playing smart. Look to schemes under the EU Cybersecurity Act, especially for cloud, identity, and endpoint services.

    Article 25: Emphasis on standardisation and co-operation

    Stop reinventing the wheel. NIS2 pushes for:

    • Common standards
    • Shared playbooks
    • Collaborative learning from breaches

    It’s all about getting everyone on the same tactical page.

    NIS2 vs other frameworks

    Understanding how NIS2 compares to other well-known frameworks isn’t just a comparison exercise; it’s how organizations make sense of overlapping regulations, avoid redundancy, and invest time and budget where it matters most.

    Area | NIS2 (2023) | NIS1 (2016) | DORA | CER Directive | GDPR | ISO 27001
    Scope Expansion | Broader: more sectors, medium-sized entities included | Narrow: only key operators and service providers | Financial sector only | Critical infrastructure (energy, transport, digital infra) | Applies to personal data across all sectors | General, organization-agnostic
    Governance & Accountability | Board-level responsibility; execs held personally liable | Less emphasis on executive accountability | Board-level accountability required | High-level accountability required | Controllers/processors accountable for data use | Requires top management commitment
    Cyber Hygiene Requirements | Mandatory: MFA, patching, logging, remote access control | Not explicitly defined | Requires ICT risk management | Security obligations defined, but less detailed | Implied through “security of processing” | Annex A controls recommend best practices
    Incident Response | Formal IR plans, tested yearly, tabletop drills, 24-hour breach reporting | No testing or timing mandates | Requires incident classification and reporting in 4 hrs | Requires notification without undue delay | 72-hour breach reporting required | Requires incident response process
    Business Continuity | Requires documented RTOs/RPOs, tested backups, defined failovers | Not mandatory | Requires operational resilience and testing | Requires continuity planning | Not required | Includes business continuity controls
    Supply Chain Risk | Mandatory vendor classification, onboarding due diligence, security clauses | Not covered | Third-party risk management mandated | Implied under operator responsibility | Shared processor-controller responsibility | Supplier risk management required
    Penalties for Non-Compliance | Fines up to €10M or 2% of global turnover | Less clear enforcement | Fines up to 2% of global turnover | National enforcement varies | Fines up to €20M or 4% of global turnover | No fines; certification-driven
    Reporting Obligations | 24-hour initial notification, full report within 72 hours | No strict timelines | Report major incidents within 4 hours | “Without undue delay” | Within 72 hours of awareness | No explicit timelines
    Legal Status | EU Directive; must be implemented in national law | EU Directive | EU Regulation; directly applicable | EU Directive | EU Regulation; directly applicable | Voluntary standard, certifiable

    How does NIS2 affect an organization?

    NIS2 introduces a new level of cybersecurity expectations across sectors. For businesses that rely heavily on digital infrastructure, the directive brings a mix of technical, legal, and operational changes.

    a. Technical controls: encryption, patching, logging

    The directive emphasizes the need for strong technical safeguards. Organizations are expected to:

    • Apply encryption to protect sensitive data both in transit and at rest
    • Implement timely patch management for systems and applications
    • Maintain comprehensive logging to support incident detection and response

    These controls are aimed at improving baseline security across all critical services.

    b. Legal and compliance obligations

    NIS2 strengthens the legal framework around cybersecurity. Key changes include:

    • Tighter incident reporting requirements, including a 24-hour window for initial notification
    • Increased penalties for non-compliance, aligning with other EU regulations
    • Defined accountability structures, clarifying roles within each organization

    These obligations create a more consistent compliance environment across the EU.

    c. Operational changes: IR plans, audits, team responsibilities

    Beyond technical and legal shifts, NIS2 also influences day-to-day operations. Organizations need to:

    • Develop and maintain a formal incident response (IR) plan
    • Conduct regular security audits and risk assessments
    • Clearly assign security roles and responsibilities across teams

    These requirements encourage a more structured and proactive security approach.

    Industry use cases for the NIS2 directive

    Some sectors face heightened expectations due to their importance to public welfare and infrastructure.

    For example:

    • Healthcare providers must secure patient data and ensure continuity of care during cyber incidents
    • Energy companies are expected to safeguard critical infrastructure and prevent large-scale disruptions
    • Cloud service providers face increased oversight due to their central role in enabling other sectors

    Organizations in these industries should be especially attentive to how NIS2 applies to their operations.

    1. NIS2 and supply chain security

    Studies claim that around 60% of cyberattacks now stem from vulnerabilities in the supply chain. The spotlight is on supply chains, and regulators are watching. With the NIS2 Directive now in force across the EU, organizations can no longer afford to overlook third-party risks.

    Why suppliers are now in the firing line: Under the NIS2 directive, it’s not just the main entity that’s accountable. Suppliers, vendors, and service providers are now considered critical pieces of the cybersecurity puzzle. If one goes down, you could be held responsible. That’s a big shift from earlier thinking, where only direct infrastructure was scrutinized.

    Why the change? Attackers always aim to exploit the weakest link. Third-party breaches showed how even secure firms can be compromised if their partners aren’t.

    2. Third-party due diligence: What must change

    NIS2 sets a higher bar for third-party risk management. The old vendor checklist no longer cuts it. Organizations must:

    • Actively monitor supplier security postures
    • Assess contractual obligations around cybersecurity
    • Require transparency on incident reporting and response plans

    Due diligence isn’t a one-off. It’s now a continuous process.

    3. Risk assessment of critical supply chains

    Risk assessments must cover all “essential” and “important” entities in the chain. This includes software providers, cloud hosts, and even maintenance contractors. Key actions include:

    • Mapping the full supply chain
    • Scoring vendors by criticality
    • Running regular threat modeling and impact analysis

    Ignoring this could lead to fines—and worse, operational disruptions.

    NIS2 enforcement and penalties

    1. Penalties – Fines and administrative measures

    Fines under NIS2 are significant. Entities can face up to €10 million or 2% of global turnover, whichever is higher. That’s on par with GDPR-level enforcement.

    But it’s not just about money. Regulators can also:

    • Suspend executives
    • Require public disclosure of breaches
    • Force companies to stop certain operations until compliant

    2. Supervisory authorities and enforcement models

    Each Member State has a National Competent Authority (NCA) in charge of supervision. These authorities:

    • Conduct audits
    • Review incident reports
    • Issue remediation mandates

    They’ll also coordinate with CSIRTs (Computer Security Incident Response Teams), adding another layer of oversight.

    3. Member State differences in enforcement

    While the directive is EU-wide, implementation varies. Some states may take a more aggressive stance, others a more cooperative approach. That means businesses operating in multiple countries must track each state’s enforcement strategy closely.

    How to become NIS2 compliant?

    1. Conduct a NIS2 gap assessment

    A NIS2 gap assessment identifies what’s missing in your current policies, processes, and tech stack. It should look at:

    • Governance structures
    • Risk management processes
    • Incident handling capabilities

    This will shape your remediation roadmap.

    2. Set up governance and ownership

    You need clear internal ownership. Who’s responsible for what?

    Assign:

    • NIS2 leads or coordinators
    • Cross-functional governance teams
    • Clear reporting lines to senior leadership

    No more unclear roles or ad hoc responses.

    3. Staff training and awareness campaigns

    Cybersecurity isn’t just IT’s job. Everyone needs to understand their role under NIS2.

    Prioritize:

    • Building awareness campaigns
    • Regular security workshops
    • Real-world use case risk demonstrations

    People can’t comply with what they don’t understand.

    4. Use of UEM, endpoint protection, and asset control tools

    Tools matter, too. NIS2 expects strong technical controls. Start with unified endpoint management (UEM), endpoint protection, and asset control tools, and make sure systems are patched, monitored, and auditable.

    5. Role of the EU cybersecurity certification framework

    The EU’s Cybersecurity Certification Framework helps you meet NIS2 requirements. It offers schemes for products and services, which can:

    • Support your NIS2 compliance
    • Show due diligence to regulators
    • Help assess vendor certifications

    Look into EUCS (for cloud services) and EUCC (for ICT products).

    6. Aligning with ENISA guidance and ISO standards

    ENISA recommends aligning with standards like:

    • ISO/IEC 27001 (for InfoSec management)
    • IEC 62443 (for OT security)
    • NIST CSF (for control mapping)

    While not mandatory, they show your commitment to best practices.

    NIS2 and operational technology security

    a. ICS/SCADA vulnerabilities

    Operational Technology (OT) systems like SCADA and ICS are now front and center. These systems often run on legacy tech with limited visibility. NIS2 mandates better protection, including:

    • Network segmentation
    • Monitoring and alerting
    • Access control

    b. Impact on critical infrastructure and smart manufacturing

    Critical sectors like energy, water, transport, and healthcare must now secure both IT and OT environments. That includes smart factories using IoT and AI.

    NIS2 closes the gap between these two worlds. If you’re not managing this integration, you’re exposed.

    c. Best practices for segmentation and visibility

    Segmentation and visibility are non-negotiable. Use:

    • Zoning in networks
    • Real-time OT monitoring tools
    • Logs integrated into your SIEM

    No blind spots allowed.

    What organizations should be doing now

    The NIS2 directive spells out what you need to be ready for, and it expects you to step up. It is pushing organizations to take a closer look at how prepared they actually are. The scope is wider, the deadlines are tighter, and more industries are now part of the picture.

    Waiting for enforcement to begin is not a strategy; it is a risk. If your business operates in or with the EU, there is also a clear push for accountability, right up to the boardroom. Start building those controls, streamline your reporting, and make sure your teams are aligned. NIS2 tests whether your systems, people, and processes are ready for real-world threats. That kind of preparation sets you apart.

    Compliance done early is control, not catch-up.

    Take the lead before NIS2 forces your hand.


    Snigdha Keskar
    Snigdha Keskar is the Content Lead at Scalefusion, specializing in brand and content marketing. With a diverse background in various sectors, she excels at crafting compelling narratives that resonate with audiences.
