NIS2 Is Here and Most Companies Aren't Ready
The EU's NIS2 directive is now enforceable. A realistic look at what's required, who's affected, and why compliance programs are scrambling.
October 2024 came and went. NIS2 is now enforceable across the EU.
I’ve spent the past few months helping organizations figure out what this means for them. Here’s the reality check version, not the consultant-speak version.
What Is NIS2, Actually?
NIS2 (Network and Information Systems Directive 2) is the EU’s updated cybersecurity regulation. Think of it as “GDPR but for cybersecurity.”
Key points:
- Applies to many more sectors and organizations than NIS1
- Requires specific security measures
- Mandates incident reporting within 24 hours (initial) and 72 hours (full)
- Has actual teeth - fines up to €10M or 2% global revenue
Unlike NIS1, which was mostly ignored, NIS2 appears to have political will behind enforcement.
Who’s Affected?
Essential entities (higher requirements):
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Digital infrastructure
- ICT service management
- Public administration
- Space
Important entities (slightly lower bar):
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing (medical devices, computers, electrical equipment, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social platforms)
- Research organizations
Size thresholds:
- Medium enterprises: 50+ employees OR €10M+ turnover
- Large enterprises: 250+ employees OR €50M+ turnover
Smaller companies can be in-scope if they’re critical to supply chains of essential entities.
What’s Actually Required?
NIS2 Article 21 lists security measures. Here’s the plain English version:
1. Risk analysis and security policies
Translation: You need documented policies and regular risk assessments. Surprise.
2. Incident handling
Translation: Have an incident response plan. Test it. Actually use it when incidents happen.
3. Business continuity and crisis management
Translation: Backup management, disaster recovery, and plans for when things go wrong.
4. Supply chain security
Translation: Know your vendors. Assess their security. Have contract language about security requirements.
This one’s causing headaches. Turns out most companies don’t really know their supply chain.
5. Security in acquisition, development, and maintenance
Translation: Secure development lifecycle, patch management, configuration management.
6. Assessing security measure effectiveness
Translation: Actually test whether your controls work. Audits, assessments, pen tests.
7. Cybersecurity hygiene and training
Translation: Security awareness training and basic practices.
8. Cryptography and encryption
Translation: Encrypt sensitive data. Use proper key management.
9. HR security and access control
Translation: Background checks, least privilege, access management.
10. Multi-factor authentication
Translation: MFA. Yes, it’s specifically called out.
The Incident Reporting Problem
This is where organizations are panicking.
Requirements:
- 24 hours: Early warning to the CSIRT if the incident is significant
- 72 hours: Full incident notification with assessment
- 1 month: Final report with root cause, remediation, cross-border impact
What counts as “significant”:
- Causes or can cause severe operational disruption
- Causes or can cause significant financial loss
- Affects or can affect other persons or organizations by causing considerable damage
The problem:
Most organizations can’t currently:
- Detect incidents within 24 hours
- Assess severity quickly enough to meet timelines
- Produce meaningful reports in 72 hours
- Interface with relevant CSIRTs
The gap between “what’s required” and “what’s operationally possible” is significant.
What I’m Seeing on the Ground
1. Confusion about scope
“Are we an essential entity or important entity?” “Does our subsidiary in [country] count separately?” “What about our SaaS product used by essential entities?”
Lawyers are getting rich answering these questions.
2. Supply chain chaos
Essential entities are sending security questionnaires to all their vendors. Vendors don’t know how to answer. Nobody knows what “adequate” looks like.
“Please provide evidence of your NIS2 compliance.”
“We’re not in scope for NIS2.”
“You might be part of our supply chain.”
“…”
3. Reporting infrastructure doesn’t exist
Who’s your relevant CSIRT? What’s their submission format? Who in your org is authorized to report?
Many organizations can’t answer these questions.
4. Existing frameworks help… sort of
If you’re already compliant with:
- ISO 27001
- SOC 2
- NIST CSF
You’re ahead. But NIS2 has specific requirements (the 24-hour reporting, for instance) that these frameworks don’t fully address.
Practical Steps
If you’re staring down NIS2 compliance:
First: Determine if you’re in scope
- What sector(s)?
- What size?
- What member state(s)?
Get legal advice if unclear.
Second: Gap assessment
Map NIS2 requirements against your current state. Be honest about gaps.
Third: Incident reporting preparation
This is the most urgent:
- Identify relevant CSIRTs
- Understand submission requirements
- Create templates
- Assign responsibilities
- Practice
You can’t build this capability after an incident.
Fourth: Supply chain documentation
- List critical suppliers
- Assess their security (or get them to self-assess)
- Update contracts with security requirements
- Create monitoring process
Fifth: Everything else
The rest of the security measures are standard good practice. If you’re not doing them already, use NIS2 as justification to get resources.
Enforcement Reality
Will there be enforcement? The directive allows fines up to €10M or 2% global turnover.
My guess:
Year 1-2: Focus on egregious failures and post-breach investigations
Year 3+: More proactive audits and enforcement
The GDPR pattern: slow start, then regulators get serious.
Don’t assume you’ll fly under the radar.
The Silver Lining
NIS2 is forcing conversations that needed to happen.
“We need budget for incident response capability.” “Finally.”
“We need to actually inventory our software supply chain.” “About time.”
“We need to test our disaster recovery plans.” “We have disaster recovery plans?”
Some organizations are using NIS2 as the forcing function for security improvements that were always needed.
Resources
- NIS2 Directive Full Text
- ENISA NIS2 Guidance
- Your national transposition law (requirements vary by member state)
- Your relevant CSIRT list
Compliance doesn’t equal security. But non-compliance can equal fines. NIS2 at least pushes in the right direction.