NIS2 Directive: Cybersecurity Experts Weigh In on the New Law

The EU’s Network and Information Security (NIS2) Directive takes effect today, introducing wide-ranging changes that will affect many organisations responsible for critical infrastructure across a variety of sectors. Unlike narrowly targeted regulations, NIS2 covers a broad set of entities and seeks to strengthen cyber resilience across the European Union.

Andrea Carcano, Co-founder and Chief Product Officer at Nozomi Networks, warned of serious financial consequences for those who fail to comply: “Non-compliance with NIS2 could result in fines amounting to €10 million or 2% of global turnover for essential entities and €7 million or 1.4% of global turnover for important entities.”

NIS2 is broader in scope than regulations such as DORA, which primarily targets the banking sector. The directive requires organisations to incorporate cybersecurity measures scaled to the nature, scope, and size of the services they provide.

Carcano recommends that organisations reassess security priorities, especially around operational technology (OT). Key steps include improving asset visibility, conducting regular risk assessments, and extending risk management practices beyond IT to fully cover OT environments.

Carl Leonard, EMEA Cybersecurity Strategist at Proofpoint, emphasises the enhanced powers given to authorities under NIS2, including the ability to suspend organisations from providing services and to hold senior executives accountable for regulatory breaches.

“Authorities can order organisations to stop poor practices, make public their mistakes, and require corrective action,” Leonard explained.

Leonard also notes the directive’s strict reporting deadlines. Organisations must submit an early warning notification within 24 hours of an incident, a much tighter timeframe than GDPR’s 72-hour breach notification window, although GDPR penalties for data protection violations can be higher.

He believes NIS2 establishes a new baseline for acceptable cybersecurity and encourages organisations to go beyond minimum compliance to gain a competitive advantage. The directive’s combination of significant fines and active compliance monitoring is intended to ensure that critical service providers take cybersecurity seriously and adopt a shared sense of responsibility across the EU.

Tim Grieveson, SVP and Global Cyber Risk Advisor at Bitsight, highlights that while third-party and supply chain risks are challenging, they are manageable. He stresses the importance of understanding NIS2’s wider scope and deploying essential tools to achieve comprehensive visibility across networks and vendor relationships.

The directive also increases the personal accountability of business leaders, reinforcing corporate responsibility for cybersecurity. In the UK, leaders may not always face direct personal liability under NIS2, but they can still be held accountable under the Companies Act 2006 for governance failures that result in harm to the business or its customers.

Edwin Weijdema, EMEA Field CTO at Veeam, observed that a large share of organisations were at risk of missing the NIS2 compliance deadline: “66% of businesses were set to miss the NIS2 compliance deadline this week.”

With the possibility of increased accountability for C-suite executives, Weijdema urges leaders to view NIS2 as an opportunity to bolster data resilience. He recommends proactively adopting stronger security measures to counter growing global cyber threats.

NIS2 marks a significant shift in European cybersecurity governance. While implementation will present challenges, the directive’s emphasis on proactive resilience, adoption of modern security technologies, and increased collaboration among stakeholders aims to better protect the EU’s digital infrastructure.
