Cybersecurity
2023

NIS2 Directive Enforcement Begins: EU Cybersecurity Mandates Harden

NIS2, the EU's revised cybersecurity directive, entered into force in January 2023 and applies in member states from 18 October 2024. It extends mandatory cybersecurity requirements to 18 sectors, imposes significant penalties and makes management bodies accountable, substantially hardening Europe's cyber posture.


The EU's NIS2 Directive (Directive (EU) 2022/2555), successor to the 2016 Network and Information Security Directive (Directive (EU) 2016/1148), entered into force on 16 January 2023, with member states required to transpose it into national law by 17 October 2024. NIS2 significantly expanded the scope of mandatory cybersecurity requirements: it brought new sectors under security obligations, tightened the technical and governance requirements for covered entities, and introduced accountability and liability provisions for management bodies that changed how boards engage with cybersecurity. For organizations in NIS2's scope, compliance became a board-level priority rather than an IT department responsibility.

NIS2's scope expansion makes it one of the most consequential EU cybersecurity mandates since GDPR. Understanding which sectors and organizations are covered, what the specific requirements entail, and how enforcement is evolving in the post-transposition period is essential for any organization with EU operations.

NIS2's Expanded Scope

NIS1 covered operators of essential services in a limited set of sectors plus digital service providers. NIS2 dramatically expanded this scope to 18 sectors, split across two annexes. Annex I, the sectors of high criticality, covers energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II, the other critical sectors, covers postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research. Entities are then classified into two tiers. Essential entities (in general, large enterprises in Annex I sectors, plus certain providers such as qualified trust service providers, TLD name registries and DNS service providers regardless of size) face the strictest regime and proactive, ex ante supervision. Important entities (broadly, medium-sized enterprises in Annex I sectors and medium and large enterprises in Annex II sectors) must implement the same Article 21 security measures but are supervised reactively, ex post, when the authority has evidence or an indication of non-compliance.

The scale of the expansion is significant. Where NIS1 covered a relatively small number of operators in specific critical infrastructure sectors, NIS2 covers a large fraction of the economy. Medium and large enterprises (50 or more employees, or annual turnover or balance sheet total above EUR 10 million) in the covered sectors are in scope by size alone. Smaller entities are included in specific cases, for example when they are the sole provider in a member state of a service essential to critical societal or economic activities, or when a disruption of their service could significantly affect public safety, security or health; and some providers (public electronic communications networks, trust service providers, TLD name registries, DNS service providers) are in scope regardless of size. The practical effect is that many mid-market companies that had not previously considered themselves regulated for cybersecurity discovered they were in NIS2 scope.

The Technical and Governance Requirements

NIS2's security requirements (Article 21) are organized around ten minimum measures that covered entities must implement as part of an all-hazards approach: policies on risk analysis and information system security; incident handling; business continuity, including backup management and disaster recovery, and crisis management; supply chain security, including the security of relationships with direct suppliers and service providers; security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the risk-management measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and, where appropriate, multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

The risk-based requirement—implementing security measures appropriate to the risks—is supplemented by these minimum measures that provide a baseline floor. Organizations can't argue that their risk assessment determined specific minimum measures were unnecessary; the minimum measures are mandatory regardless of risk assessment outcomes.

Supply chain security receives specific attention in NIS2, reflecting lessons from SolarWinds and similar attacks. Covered entities must assess and address risks from their ICT service providers, including evaluating vendor security practices and contractual security provisions. This requirement extends NIS2's effective scope to the vendors of covered entities, creating supply chain pressure on technology companies to demonstrate their security practices.

The management accountability provisions (Article 20) are NIS2's most organizationally distinctive element. Management bodies, meaning boards and senior management, must approve the cybersecurity risk-management measures, oversee their implementation, and follow training so that they can identify risks and assess the measures; they can be held liable for infringements resulting from failure to fulfil these obligations. The penalty regime reinforces this: administrative fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, and, for essential entities, the competent authority can temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions. This is a direct legislative response to the pattern of boards treating cybersecurity as a delegated IT responsibility without meaningful oversight.

Immediate Impact: Board Engagement Transforms

NIS2's senior management liability provisions drove immediate organizational governance changes:

  • Board cybersecurity agenda items became mandatory: directors approving and monitoring cybersecurity programs to fulfill their oversight obligations
  • CISO board reporting structures elevated: CISOs gaining direct board access for cybersecurity updates
  • NIS2 compliance programs launched across affected sectors: organizations assessing their NIS2 scope and building compliance programs
  • Incident notification procedures were updated: NIS2's timeline for significant incidents, an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours with an initial assessment of severity, impact and indicators of compromise, and a final report no later than one month after that notification, drove incident response process redesign
  • Supply chain security assessments were launched: covered entities evaluating their ICT vendor security practices under NIS2's supply chain provisions

Lessons Learned: Compliance Requires More Than Documentation

Early NIS2 enforcement has reinforced the lesson that supervisory authorities are evaluating operational capability, not documentation quality. The incident notification requirements—24-hour early warning for significant incidents—test whether organizations actually have the detection capability and response procedures to meet the timeline. Organizations that pass the documentation test but fail the operational test discover this at the worst possible time: during an actual incident.

The supply chain security requirements created unexpected scope discovery. Organizations conducting NIS2-required supply chain assessments discovered they had more ICT vendors with security implications than their formal vendor inventories showed. Shadow IT relationships, direct procurement by business units, and legacy vendors without current security assessments were consistently found in NIS2 supply chain reviews.
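A practical version of the scope-discovery check described above, added here as an illustration and not part of the original article or any Outpace tooling: it reconciles a formal ICT vendor inventory against the third-party services actually observed in egress proxy logs, surfacing unregistered (shadow IT) vendors, registered vendors that were never assessed, and inventory entries with no traffic (stale or legacy relationships). The vendor names, domains, log format and log lines are all constructed for the example.

```python
"""Reconcile a formal ICT vendor inventory against third-party services seen in
egress proxy logs.

Added example: the inventory, domains and log lines below are constructed and
hypothetical; the log format is a simple space-separated proxy record."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed vendor inventory: registrable domain -> owning unit and last
# security assessment (None = never assessed). All names are hypothetical.
VENDOR_INVENTORY = {
    "example-crm.com": {"owner": "Sales", "last_assessment": "2024-03"},
    "cloudmail.example": {"owner": "IT", "last_assessment": "2023-11"},
    "payroll-saas.example": {"owner": "HR", "last_assessment": None},
    "old-backup.example": {"owner": "IT", "last_assessment": "2021-05"},
}

# First-party domains that are not third-party vendors and are skipped.
INTERNAL_SUFFIXES = ("corp.example", "intranet.example")

# Constructed proxy log: <epoch> <src_ip> <method> <target> <status> <bytes>
PROXY_LOG = """\
1717000001 10.1.4.22 CONNECT api.example-crm.com:443 200 5120
1717000002 10.1.4.22 CONNECT cloudmail.example:443 200 7300
1717000003 10.1.7.9 CONNECT files.shadow-share.example:443 200 91000
1717000004 10.1.7.9 CONNECT files.shadow-share.example:443 200 88000
1717000005 10.1.9.3 CONNECT analytics.trackme.example:443 200 1200
1717000006 10.1.4.22 GET http://intranet.example/wiki/page 200 340
1717000007 10.1.2.5 CONNECT payroll-saas.example:443 200 2000
this line is malformed and is ignored
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def host_of(method: str, target: str) -> str:
    """Extract the destination host from a CONNECT host:port or a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Simplification for the example: a production check should use the Public
    Suffix List so that hosts under co.uk-style suffixes are not merged."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def observed_third_parties(log_text: str) -> dict:
    """Aggregate requests, bytes and distinct internal sources per third-party domain."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed record; in practice count these separately
        host = host_of(m["method"], m["target"])
        if not host or host.endswith(INTERNAL_SUFFIXES):
            continue
        entry = stats[registrable_domain(host)]
        entry["requests"] += 1
        entry["bytes"] += int(m["bytes"])
        entry["sources"].add(m["src"])
    return stats


def reconcile(log_text: str, inventory: dict) -> dict:
    """Classify observed domains against the inventory.

    assessed:       in inventory with a recorded assessment
    unassessed:     in inventory but never assessed
    unregistered:   traffic observed, no inventory record (shadow IT candidate)
    inventory_only: in inventory but no traffic seen (stale or legacy vendor)"""
    findings = {"assessed": {}, "unassessed": {}, "unregistered": {}}
    observed = observed_third_parties(log_text)
    for domain, s in observed.items():
        record = {"requests": s["requests"], "bytes": s["bytes"], "sources": len(s["sources"])}
        vendor = inventory.get(domain)
        if vendor is None:
            findings["unregistered"][domain] = record
        elif vendor["last_assessment"] is None:
            findings["unassessed"][domain] = {**record, "owner": vendor["owner"]}
        else:
            findings["assessed"][domain] = {**record, "owner": vendor["owner"]}
    findings["inventory_only"] = sorted(d for d in inventory if d not in observed)
    return findings


if __name__ == "__main__":
    for bucket, entries in reconcile(PROXY_LOG, VENDOR_INVENTORY).items():
        print(f"== {bucket} ==")
        items = entries.items() if isinstance(entries, dict) else ((d, "no traffic") for d in entries)
        for domain, info in items:
            print(f"  {domain}: {info}")
```

On the constructed data the check flags shadow-share.example and trackme.example as unregistered vendors, payroll-saas.example as registered but never assessed, and old-backup.example as an inventory entry with no observed traffic. In a real review the proxy export would be joined with DNS, CASB and SaaS tenant data, and unregistered findings are inputs to the vendor inventory and the Article 21 supply chain assessment rather than automatic violations.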

Evolution: NIS2 Enforcement in 2025-2026

NIS2's October 2024 transposition deadline has passed. National competent authorities across EU member states are establishing enforcement programs and beginning supervisory activities for in-scope entities. The enforcement approach varies by member state—some NCAs are taking a guidance-first approach, others have begun proactive audits of high-priority essential entities. The enforcement trajectory is toward more active supervision over time.

The Outpace Approach: NIS2 Compliance

Outpace Professional Services conducts NIS2 scope assessments, gap analyses, and compliance program development for organizations navigating NIS2 requirements. Our assessments evaluate both the documented compliance elements—policies, procedures, risk assessments—and the operational capability elements that enforcement will test: detection capability, incident response procedures, supply chain security practices.

For clients that span multiple EU cybersecurity regulations—NIS2, DORA, and sector-specific requirements—we design integrated compliance programs that address common requirements once rather than building separate programs for each regulation. The EU cybersecurity regulatory convergence makes this integration increasingly important for compliance efficiency.

The Compliance Urgency

NIS2 obligations are currently in effect for all in-scope entities in member states that have transposed the directive. Organizations that haven't completed scope assessments and compliance gap analyses are already behind the regulatory requirement and should prioritize this work immediately.

💡 Ready for a NIS2 compliance assessment? Outpace Professional Services evaluates your NIS2 scope, assesses your current security practices against NIS2 requirements, and designs compliance programs that address both documentation and operational capability—building genuine resilience, not just regulatory paperwork.