Many organizations still think NIS2 is a problem for someone else: a matter for large utilities or telecom operators, not for them. Then a customer sends a security questionnaire, a supplier contract adds a clause about incident reporting, or a national authority asks them to register, and the scope suddenly becomes very real.
NIS2 is the EU directive that replaces the original NIS Directive. It expands the number of sectors covered, tightens the security obligations, and classifies organizations as either "essential" or "important" entities. It is not a policy you publish once: it is a set of operational duties that reach into governance, processes, contracts and technology. Here is what it actually requires, and where the most common gaps hide.
What NIS2 actually requires
Compliance depends on several areas that go well beyond a written policy.
- Management accountability. Management bodies must approve and oversee the cybersecurity risk-management measures, and they can be held personally liable for failures. Members of management, and staff more broadly, are expected to follow regular cybersecurity training.
- Article 21 risk-management measures. These include incident handling; business continuity, backup and disaster recovery; supply chain security; vulnerability handling and disclosure; policies on cryptography and encryption; access control and multi-factor authentication; and asset management and basic cyber hygiene.
- Incident reporting. Significant incidents must be reported against a strict clock: an early warning to the CSIRT or competent authority within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.
- Registration. In-scope entities must register with their national authority, so that regulators know who falls under the directive and can supervise accordingly.
- Supply chain security. You are responsible not only for your own posture, but for the security of the direct suppliers and service providers woven into your operations.
The deadlines are behind us, not ahead
The "we still have time" argument no longer holds. The transposition deadline for member states passed in October 2024, and enforcement is now underway across the EU. National authorities are registering entities, issuing guidance and, increasingly, checking compliance. Even organizations that are not directly designated as essential or important are pulled in indirectly, because they sit in the supply chain of entities that are in scope, and those entities must account for the security of their suppliers.
Why the exposure is real
- Problem: NIS2 is often treated as a paper exercise, when it rests on living processes, evidence and a reporting capability that works under pressure.
- Impact: for essential entities, penalties can reach up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher. Add to that management liability, the loss of trust, and contractual risk with your clients.
- Action: treat NIS2 as a continuous program, with management oversight, documented measures, a rehearsed incident-reporting drill, and the ability to prove, on request, that your controls work.
The gaps most often underestimated
Three blind spots come up constantly. First, the paper exercise: policies exist on paper, but the underlying controls are never tested and management never truly engages. Second, supply-chain security: organizations secure their own perimeter but have no view of the suppliers and service providers embedded in their operations. Third, the reporting clock: without a rehearsed process, the 24-hour early warning and 72-hour notification are almost impossible to meet in the chaos of a real incident.
Take stock in a few minutes
Before investing in a compliance program, gauge your starting point. Our free NIS2 readiness self-assessment walks through the areas above, computes a maturity score and highlights your priorities. No sign-up, no data sent: everything is calculated in your browser.
Once your gaps are identified, the Compliance module turns these requirements into a prioritized action plan, with continuous compliance evidence rather than a point-in-time audit.
NIS2 is not a box you tick once. It is a way to demonstrate, at any time, that you genuinely manage cyber risk across your organization and your supply chain. This self-assessment does not replace legal advice, but it tells you exactly where to start.