NIS2 Directive: Cybersecurity Obligations and What Operators Must Change
Introduction
The EU’s NIS2 Directive (Directive (EU) 2022/2555) replaces the 2016 NIS Directive and extends cybersecurity obligations to a broader set of sectors and companies than its predecessor. It brings clearer expectations on risk management, incident reporting, and supply-chain security, along with stronger supervisory powers and penalties: administrative fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities. Member States had to transpose the directive into national law by 17 October 2024, so obligations now flow from each national law rather than from the directive text directly. For covered organizations, the priority is translating those legal requirements into concrete policies, technical controls, and reporting workflows.
NIS2 is as much about operational readiness as it is about compliance: you must be able to detect incidents quickly, coordinate response across vendors, and document how risks are managed on an ongoing basis.
Key Points
- Scope is wider. Medium and large enterprises operating in the sectors listed in Annex I (high criticality, such as energy, transport, banking, health, digital infrastructure) and Annex II (other critical sectors, such as postal services, manufacturing, digital providers) are in scope, and some entities are covered regardless of size (for example DNS service providers, TLD name registries, and providers of public electronic communications networks). Entities are classified as essential or important, with stricter supervision for essential entities.
- Risk management is mandated. Article 21 requires technical, operational, and organizational measures following an all-hazards approach, and lists ten minimum areas: risk analysis and information-system security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply-chain security, secure acquisition and development including vulnerability handling and disclosure, effectiveness assessment, cyber hygiene and training, cryptography and encryption policies, human-resources security with access control and asset management, and multi-factor or continuous authentication with secured communications.
- Incident reporting is stricter. Significant incidents must be reported to the CSIRT or competent authority in stages (early warning within 24 hours, incident notification within 72 hours, final report within one month), which requires clear playbooks and pre-agreed communication channels.
- Supply-chain security is explicit. Article 21(2)(d) makes security of the supply chain, including the relationship with direct suppliers and service providers, a required measure; vendor risk management must be performed and documented.
- Accountability increases. Under Article 20, management bodies must approve the risk management measures, oversee their implementation, complete cybersecurity training, and can be held liable for infringements.
How To
1) Confirm whether you are in scope—and at what tier
Use your national transposition law to confirm whether the organization is an essential or important entity, then map each subsidiary or business line against the sector and size criteria. Note that classification is not purely size-based: some entity types are in scope regardless of size, and Member States may designate additional entities. Document the rationale and keep a record of the thresholds applied (headcount, turnover or balance sheet, sector, criticality) so the classification is defensible during supervision.
2) Build a NIS2-ready risk management program
Start with a gap assessment against a recognized baseline (such as ISO/IEC 27001) and map each of the Article 21 minimum measures to an owner, a control, and an evidence source. Prioritize monitoring, backup, and recovery controls that demonstrate operational resilience, not just policy compliance, because supervisors can ask for proof that measures are implemented and effective, not only that they are written down.
3) Define incident reporting workflows
Design a timeline-based playbook keyed to the moment the organization becomes aware of a significant incident: an early warning within 24 hours (stating whether malicious action or cross-border impact is suspected), an incident notification within 72 hours (initial assessment of severity, impact, and indicators of compromise), intermediate updates on request, and a final report no later than one month after the notification. If the incident is still ongoing at that point, a progress report is submitted instead, followed by a final report within one month of the incident being handled. Where relevant, recipients of the affected service must also be informed. Ensure legal, security, and communications teams share a single incident log with decision checkpoints and templates for each stage.
4) Formalize supply-chain security
Tier vendors by criticality, require contractual incident notification SLAs short enough to fit your own 24-hour early-warning window, and validate their security posture with audits or certifications. For software suppliers, request SBOMs and a vulnerability disclosure process so that, when an advisory is published, you can determine within hours which of your systems contain the affected component.
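The following Python is an added example, not text from the directive or from any official NIS2 guidance, showing what the SBOM-based exposure check described above can look like in practice. It parses a constructed CycloneDX-style SBOM, matches its components against a constructed list of advisories, and reports which components run a version below the fixed one. All component names, versions, and advisory IDs are invented for illustration, and the version comparison is deliberately simplified.

```python
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for the example (not from any real supplier);
# only the fields this code reads are populated.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-http", "version": "2.4.1",
     "purl": "pkg:generic/libexample-http@2.4.1"},
    {"type": "library", "name": "example-json", "version": "1.9.0",
     "purl": "pkg:generic/example-json@1.9.0"},
    {"type": "library", "name": "example-tls", "version": "3.0.2",
     "purl": "pkg:generic/example-tls@3.0.2"}
  ]
}
"""

# Constructed vendor disclosures with hypothetical IDs (not real CVEs): each names
# an affected component and the first version that contains the fix.
ADVISORIES = [
    {"id": "ADV-0001", "name": "libexample-http", "fixed_in": "2.4.3", "severity": "high"},
    {"id": "ADV-0002", "name": "example-tls", "fixed_in": "3.0.2", "severity": "critical"},
    {"id": "ADV-0003", "name": "example-yaml", "fixed_in": "0.9.1", "severity": "medium"},
]


@dataclass(frozen=True)
class Exposure:
    component: str
    version: str
    advisory_id: str
    fixed_in: str
    severity: str


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a comparable tuple of integers.

    Simplification for the example: pre-release and build suffixes are dropped
    and non-numeric segments count as 0. Production tooling should use the
    version rules of the component's own ecosystem.
    """
    core = v.split("-")[0].split("+")[0]
    parts = []
    for segment in core.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> list:
    """Parse the SBOM and return its component list, rejecting unexpected formats."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return sbom.get("components", [])


def find_exposures(sbom_json: str, advisories: list) -> list:
    """Return one Exposure per (component, advisory) pair where the deployed
    version is strictly below the fixed version. A component already running
    exactly the fixed version is not reported."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)

    exposures = []
    for comp in load_components(sbom_json):
        for adv in by_name.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                exposures.append(Exposure(comp["name"], comp["version"],
                                          adv["id"], adv["fixed_in"], adv["severity"]))
    return exposures


def triage_order(exposures: list) -> list:
    """Order exposures most-severe first so the incident log lists them in the
    order the response team should work them."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(exposures, key=lambda e: rank.get(e.severity, 99))


if __name__ == "__main__":
    for e in triage_order(find_exposures(SBOM_JSON, ADVISORIES)):
        print(f"{e.severity:8} {e.component} {e.version} "
              f"affected by {e.advisory_id}, fixed in {e.fixed_in}")
```

Running the block reports only libexample-http 2.4.1: example-tls is already at the fixed version and example-yaml is not in the SBOM at all. In a real program the SBOM would come from the supplier's delivery and the advisory list from their disclosure feed; the point is that the matching can be automated so the 24-hour early-warning clock is not spent on inventory work.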
5) Train leadership and assign clear accountability
Run board-level briefings and tabletop exercises that simulate the 24-hour and 72-hour reporting deadlines and the decisions they force (what to disclose with incomplete information, who signs off, which authority and which customers to notify). Article 20 requires management body members to approve the risk management measures and to complete training, so record attendance and approvals as evidence. Assign a single accountable executive for compliance oversight and measure progress with quarterly risk reviews.
Conclusion
NIS2 is a shift toward measurable cybersecurity maturity. Organizations that inventory assets, formalize incident reporting, and tighten supply-chain controls will be better positioned for compliance and for real-world resilience. The directive is not only about avoiding penalties—it is about building a security program that can stand up to modern threats.