NIS2 is the revised Network and Information Systems Directive, which represents a significant step toward establishing a common level of cybersecurity across the European Union. It aims to bolster the resilience of essential services and digital service providers against cyber threats with consistent cybersecurity standards and practices.¹
The NIS2 Directive strengthens security requirements in the EU by expanding its scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures and more stringent enforcement requirements, adding the concept of “management bodies” accountability within companies, and harmonizing and tightening sanctions in all Member States.²
The NIS2 Directive is a major opportunity for all CISOs to strengthen their position within the company. The directive brings a notion of management accountability for cybersecurity risk management, as well as heavy penalties for offenders.
The scope of NIS2 has been expanded to cover more entities and sectors, effectively obliging them to take measures that will increase the level of cybersecurity in Europe in the longer term.
NIS2 extends the scope of NIS by adding new sectors, such as telecom, social media platforms, and public administration (i.e., entities of central and provincial governments). Entities falling within NIS2’s scope will be classified into two categories: operators of essential services and important entities.²
NIS2 will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure.³
The NIS2 Directive entered into force on January 16, 2023, replacing the previous NIS Directive. It is intended to ensure a high common level of cybersecurity in the European Union.
The exact impact of the NIS2 Directive on SMEs may vary depending on the sector and specific requirements that apply to them. However, in general, it is expected that SMEs will need to invest in cybersecurity measures to comply with the NIS2 Directive and ensure the protection of their data and systems.
The current NIS2 proposal leaves Member States the discretion to define which SMEs are essential or important to their respective economy and society, thereby leading to a high level of legal ambiguity for the SMEs operating across multiple Member States.
Ensuring compliance with the new requirements of the NIS2 Directive may be a challenging and costly task for SMEs.¹
NIS2 is the successor of the Network and Information Security Directive (NISD), which was released in 2016. NISD was the first piece of EU-wide legislation on cybersecurity, and its specific aim was to achieve a high common level of cybersecurity across the Member States.
While it increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalization and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.
The proposed expansion of the scope covered by NIS2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term.
The NIS2 Directive sets out specific penalties for non-compliance; these include non-monetary remedies, administrative fines, and criminal sanctions.
NIS2 also provides for heavy penalties for non-compliance. These include fines of €10 million or 2% of global turnover (whichever is higher) for essential entities and €7 million or 1.4% of global turnover (whichever is higher) for important entities.
NIS2 isn’t just a directive; it’s a strategic force securing Europe’s digital future, setting a global example amid complex digital threats.
But are you prepared for the NIS2 Directive’s cybersecurity mandates? Take action with our Security Concierge services to secure your future, comply with NIS2, and partner with us for expert guidance and solutions. Act today to protect your business and embrace a cyber-resilient future.
NIS2 is the revised Network and Information Systems Directive, which is a major move towards ensuring a common level of cybersecurity in the European Union. It is aimed at enhancing the resilience of essential services and digital service providers to cyber threats by establishing consistent cybersecurity standards and practices. NIS2 came into effect on January 16, 2023, replacing the previous NIS Directive, which dates back to 2016. It tackles the problem of fragmentation of the initial directive, and guarantees a high level of common cybersecurity in all EU Member States.
The original NIS Directive from 2016 was the first EU-wide cybersecurity legislation, but its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to growing threats posed by digitalization and the surge in cyber-attacks, the European Commission submitted NIS2 to strengthen requirements significantly. The new directive expands the scope to more sectors, streamlines reporting obligations, introduces stricter enforcement requirements, and harmonizes sanctions across all Member States – creating unified protection against evolving digital threats.
NIS2 significantly expands its scope from the original directive to include more entities and sectors. New additions are telecommunications, social media platforms, and public administration (entities of central and provincial governments). Entities fall into two categories: operators of essential services and important entities. The directive targets sectors such as energy, transport, health, and digital infrastructure with baseline cybersecurity risk management measures and reporting obligations. This broader coverage aims to protect critical digital and physical infrastructure across Europe.
NIS2 reinforces security requirements through a number of important measures. It broadens its scope to more sectors and entities and accounts for supply chain security. The directive simplifies reporting requirements for incidents and establishes more stringent monitoring and enforcement requirements. It adds the concept of “management body” accountability within companies, so that leadership is directly responsible for cybersecurity. NIS2 also harmonizes and strengthens the sanctions across all EU Member States to ensure that consequences of non-compliance are consistent across the European Union.
NIS2 sets out significant penalties for non-compliance including non-monetary remedies, administrative fines, and criminal sanctions. For essential entities, fines can be as high as EUR 10 million or 2% of global annual turnover – whichever is greater. For important entities, the penalties can reach EUR 7 million or 1.4% of global turnover – whichever is higher. These significant penalties highlight the importance of this directive and the EU’s commitment to ensuring that robust cybersecurity standards are upheld by all organizations covered by this directive, which makes compliance a critical business priority.
The current NIS2 framework allows Member States to determine which SMEs are essential or important to their respective economy and society. This leaves legal ambiguity for SMEs that are operating across multiple Member States, as classification may differ from country to country. Compliance with the requirements of NIS2 can be difficult and expensive for SMEs with limited resources. However, the directive also presents opportunities for SMEs to strengthen their cybersecurity posture, which may bring competitive benefits through their security compliance and increased customer trust.
The NIS2 directive is a huge opportunity for all CISOs to strengthen their position within the company. By bringing management body accountability, NIS2 elevates cybersecurity to a board-level concern, instead of merely an IT concern. This creates opportunities for security leaders to secure resources, implement comprehensive security programs, and demonstrate business value through compliance. Organizations that take a proactive approach to NIS2 can turn compliance requirements into competitive advantages, earning trust from customers and partners with verified security practices.
Yes, EZ Insights provides direct support for NIS2 and other compliance requirements. EZ Insights delivers daily reports offering actionable insights and proof of control – necessary documentation to show compliance. It offers visibility into the configuration, availability, performance, security, and costs of the cloud. For European companies, our Cybersecurity Scan also offers mapping to NIS 2.0 principles combined with the alignment to CIS Controls v8 framework. Together, these tools help you navigate the complex compliance landscapes, prioritize security initiatives, measure progress and build audit-ready documentation for compliance with regulations.
Preparation for NIS2 entails an all-encompassing approach to cybersecurity. Start with a comprehensive evaluation of your current security posture to identify gaps against NIS2 requirements. Implement effective risk management practices including supply chain security, incident reporting processes, and access controls. Provide clear accountability at management level where required by the directive. Put continuous monitoring and threat detection capabilities in place. Formulate incident response strategies with predetermined reporting timelines. Partner with experienced cybersecurity providers who understand both the technical demands and the regulatory environment of the different EU Member States.
Intwo provides comprehensive Security Concierge services designed specifically to help organizations comply with NIS2 and secure their digital future. Our services include cybersecurity assessments with NIS2 mapping, 24/7 security monitoring and incident response, vulnerability management, access controls, and compliance management. We leverage Microsoft security platforms such as Azure Sentinel for threat detection and Microsoft Defender for protection. Our approach combines technology implementation, training, awareness programs, and governance frameworks – making sure that cybersecurity is integrated into your operations and not just a compliance box to tick.
Rest assured. We've got you.
Let's get in touch and tackle your business challenges together.