Who this page is for
This page is written for executives, IT and security leaders, and compliance and risk teams in organisations that may fall within the NIS2 scope or that are affected indirectly through their supply chains.
What NIS2 is
NIS2 succeeds the original European NIS directive. It widens the in-scope sectors and organisations considerably and requires systematic risk management, technical and organisational measures, incident reporting and explicit management accountability.
NIS2 is a directive. It is transposed into national law. The concrete obligations come from the respective national act.
Purpose of the directive
The goal is a higher and more consistent cyber security baseline across the EU and stronger resilience of important services. Sectors such as energy, transport, health, finance, digital infrastructure, public administration and food are expected to be better prepared against cyber incidents.
Who may be affected
In simplified terms NIS2 distinguishes between essential and important entities in the named sectors. Exact thresholds and definitions come from the national transposition acts.
Organisations that are not directly in scope may still be affected indirectly through supplier relationships - for example via contractual requirements from customers.
Typical focus areas
Key areas to prepare include:
- Risk management for cyber security
- Technical and organisational measures
- Supply chain and third-party risk
- Incident reporting within tight windows
- Leadership and staff training
- Business continuity and recovery
- Accountability and liability of management
Pragmatic preparation
A structured gap analysis against a recognised framework such as ISO 27001 or the CIS Controls works well. Organisations already implementing one of them are usually well prepared and mostly need to close gaps in reporting paths, supplier management and management accountability.
Rehearsed reporting chains and clear documentation matter, because speed counts during an incident.
Common misconceptions
Often heard:
- 'We are too small.' Suppliers can still be affected.
- 'We have ISO 27001, so we are done.' Helpful but does not cover all NIS2-specific topics such as reporting, supply chain and management responsibility.
- 'NIS2 is just for IT.' No. Leadership, risk and legal are all involved.
Legal note
This article offers editorial orientation and is not legal advice. The applicable national transposition act is decisive for concrete duties. A qualified legal review is recommended.
Checklist
- Applicability assessed and documented
- Risk analysis and control catalogue updated
- Reporting and early-warning process rehearsed
- Supply chain and critical providers reviewed
- Leadership and staff training documented
- Asset and vulnerability management in place
- Business continuity and recovery tested
- Management accountability defined in writing
Frequently asked questions
Is NIS2 directly applicable law?
No. NIS2 is a directive and is transposed into national law. Concrete duties follow from the respective national act.
What about suppliers?
Suppliers that are not directly in scope may still be obliged via contractual requirements from their customers.
Is ISO 27001 enough?
ISO 27001 helps significantly but does not fully cover NIS2-specific topics such as reporting, supply chain and management responsibility.