Categories: Compliance, Cybersecurity
5 May 2026

NIS2 directive: what organisations need to know in 2026

Quick summary

The NIS2 Directive expands EU cybersecurity obligations across critical sectors, introducing stricter governance, risk management, and reporting requirements. Organisations must adopt a proactive, risk-based approach to achieve compliance and strengthen operational resilience.


Introduction

Cybersecurity regulation in Europe has entered a new phase. The NIS2 Directive, adopted to replace the original Network and Information Security Directive, significantly broadens both the scope and enforcement of cybersecurity obligations.

The directive reflects the growing dependence on digital infrastructure across sectors such as energy, healthcare, and manufacturing. According to the European Commission, cyber threats targeting critical infrastructure have increased in scale and sophistication, driving the need for stronger and more harmonised rules (European Commission, 2024).

NIS2 responds by shifting cybersecurity from a technical concern to a strategic priority embedded in organisational governance.


Understanding the scope of NIS2

NIS2 expands the number of organisations required to comply by introducing clearer classifications and broader sector coverage.

Entities are divided into:

  • Essential entities

  • Important entities

The directive applies primarily to medium and large organisations operating in sectors critical to societal and economic stability.

Key sectors include:

  • Energy and utilities

  • Transport and logistics

  • Healthcare and pharmaceuticals

  • Digital infrastructure and cloud services

  • Public administration

  • Manufacturing of critical products

A concise explanation: NIS2 applies to organisations whose disruption would have significant societal or economic consequences.

In the Nordics, where energy grids, public services, and digital platforms are highly interconnected, this broader scope increases regulatory exposure across supply chains.

Takeaway: NIS2 significantly expands regulatory coverage across industries and organisation sizes.


Core cybersecurity requirements under NIS2

The directive introduces a risk-based approach to cybersecurity, requiring organisations to implement comprehensive and continuous security measures.

Key requirements include:

  • Risk analysis and information system security policies

  • Incident handling and response procedures

  • Business continuity and disaster recovery plans

  • Supply chain and third-party risk management

  • Secure system development and maintenance

  • Ongoing assessment of cybersecurity effectiveness

A concise explanation: NIS2 requires organisations to continuously identify, assess, and mitigate cybersecurity risks across operations.

According to ENISA, organisations adopting structured cybersecurity frameworks significantly improve resilience and reduce operational disruption (ENISA, 2024).

Takeaway: Compliance requires a structured, organisation-wide cybersecurity framework based on risk management principles.


Governance and management accountability

NIS2 introduces direct accountability for senior management, making cybersecurity a leadership responsibility rather than solely an IT function.

Management bodies must:

  • Approve cybersecurity risk management measures

  • Oversee implementation and compliance

  • Participate in cybersecurity training

This aligns cybersecurity with corporate governance practices seen in financial and ESG reporting frameworks.

A concise explanation: leadership accountability ensures cybersecurity is prioritised at the strategic level.

This shift is particularly relevant in Europe, where regulatory frameworks increasingly emphasise executive responsibility for operational risk.

Takeaway: NIS2 places cybersecurity accountability at the executive level, reinforcing its strategic importance.


Incident reporting obligations

NIS2 strengthens incident reporting requirements with strict timelines:

  • Early warning within 24 hours

  • Incident notification within 72 hours

  • Final report within one month

These measures aim to improve coordination between organisations and national authorities.

A concise explanation: rapid reporting enables faster response and better cross-border threat management.

According to IBM, the global average time to identify and contain a breach remains high, highlighting the need for faster detection and reporting mechanisms (IBM, 2024).

Takeaway: NIS2 enforces rapid reporting timelines to enhance collective cybersecurity response.


Supply chain and third-party risk management

Supply chain security is a central component of NIS2. Organisations must evaluate and manage risks associated with external vendors and partners.

Required actions include:

  • Assessing supplier cybersecurity practices

  • Embedding security requirements into contracts

  • Continuously monitoring third-party risk

A concise explanation: supply chain security ensures that vulnerabilities in external partners do not compromise the organisation.

According to the World Economic Forum, supply chain cyber risks remain one of the top global cybersecurity challenges (World Economic Forum, 2024).

Takeaway: NIS2 extends cybersecurity responsibility beyond internal systems to include third-party ecosystems.


Enforcement and penalties

NIS2 introduces stricter enforcement mechanisms and significant financial penalties for non-compliance.

  • Essential entities: up to €10 million or 2 percent of global turnover

  • Important entities: up to €7 million or 1.4 percent of global turnover

Authorities also gain powers to conduct audits, inspections, and enforce corrective actions.

A concise explanation: penalties and oversight mechanisms ensure organisations take cybersecurity obligations seriously.

This approach aligns with broader EU regulatory trends, including GDPR, reinforcing consistency in enforcement.

Takeaway: Non-compliance with NIS2 can result in substantial financial and regulatory consequences.


Alignment with existing frameworks and standards

NIS2 aligns with established cybersecurity standards and EU regulations, enabling organisations to build on existing compliance efforts.

Key frameworks include:

  • ISO 27001 for information security management

  • EU Cybersecurity Act certification schemes

  • GDPR for data protection and breach notification

A concise explanation: alignment reduces duplication and simplifies compliance processes.

According to the International Organization for Standardization, organisations implementing ISO 27001 benefit from improved risk management and stakeholder trust (ISO, 2024).

Takeaway: Leveraging recognised standards can streamline NIS2 compliance and improve efficiency.


Implementation challenges and practical steps

Despite clear requirements, many organisations face challenges in implementing NIS2.

Common issues include:

  • Limited cybersecurity expertise

  • Fragmented IT and operational technology environments

  • Lack of visibility across supply chains

  • Misalignment between business and security priorities

Practical steps include:

  • Conducting a gap analysis against NIS2 requirements

  • Establishing governance and accountability structures

  • Investing in monitoring and detection capabilities

  • Training employees and leadership

A concise explanation: effective implementation requires coordination across technology, processes, and people.

In digitally mature regions such as Denmark, integration across complex systems often presents a greater challenge than capability gaps.

Takeaway: A structured, cross-functional approach is essential for successful NIS2 implementation.


Conclusion

The NIS2 Directive represents a major step forward in EU cybersecurity regulation. It expands scope, strengthens enforcement, and embeds cybersecurity into organisational governance.

For organisations operating in or serving the EU, compliance is a strategic necessity. Beyond regulatory alignment, it provides an opportunity to enhance resilience, improve risk management, and build long-term trust.


FAQ

What is the NIS2 Directive?

NIS2 is an EU directive that strengthens cybersecurity requirements for critical and important sectors, replacing the original NIS Directive.

Who must comply with NIS2?

Medium and large organisations in critical sectors, as well as some smaller critical entities, must comply.

What are the main requirements?

Risk management, incident reporting, supply chain security, governance accountability, and business continuity planning.

When does NIS2 apply?

Member states had to transpose NIS2 into national law by October 2024, with enforcement ongoing from 2025.

How does NIS2 differ from NIS1?

It expands scope, introduces stricter penalties, strengthens governance requirements, and enforces faster incident reporting.


Sources

About the author

Wirtek is a Danish tech company with 25 years of experience, specialising in three core domains: energy, connectivity & automation, and digital engineering. We build, connect and operate digital solutions through software development, Internet of Things (IoT), quality assurance and ready-made products. Founded as a Nokia spin-off, we combine deep know-how with EU compliance to partner with companies on their journey to modernise systems and extend capabilities while reducing risk. Since 2022, we have focused strongly on shaping solutions that power the sustainability transition.
