NIS2: Critical Considerations for Technical Leaders
By Peter Herr, Regional Director, DACH at Diligent
The recent delays in the implementation of NIS2 – only Belgium and Croatia had transposed the directive into national law by the original deadline of October 17, 2024 – may prove to be a blessing in disguise, as they give IT teams the opportunity to refine their compliance strategies. With an estimated 160,000 directly affected companies in the EU, excluding their supply chains, the scale of this overall challenge should not be underestimated. However, the time shift offers the opportunity to increase resilience, streamline compliance strategies and thereby gain a competitive advantage.
What is NIS2?
NIS2 is a legal framework designed to improve cybersecurity in critical sectors in the EU. It significantly expands the scope of its predecessor from 7 to 18 sectors and introduces stricter requirements for organizations classified as “essential” or “important”. “Important organizations” (with at least 50 employees and an annual turnover or total assets of 10 million euros) can expect reactive monitoring and regular audits. “Essential companies” (larger companies with more than 250 employees and an annual turnover of 50 million euros or a balance sheet total of 43 million euros) are proactively monitored by the regulators.
A key feature of the regulation is the schedule for reporting incidents, and it is very demanding: an early warning must be given within 24 hours, followed by a comprehensive incident report within 72 hours and a final report within 30 days of the incident being reported. This staged reporting structure requires sophisticated automation and analytics capabilities, because it cannot be sustained manually. Technical teams must implement systems to quickly assess whether an incident reaches the threshold of “significance” and to identify possible cross-border impacts. Above all, they must be able to assess within 24 hours whether the incident is suspected to have been caused by unlawful or malicious acts.
While Member States are still working, albeit belatedly, on transposing NIS2 into national law, organizations should focus on laying the technical foundations for compliance. By April 2025, Member States must establish comprehensive lists of essential and important entities registered in their territory, as well as organizations providing domain name registration services. This creates a clear timetable for the implementation of the necessary technical measures described in Article 21 of the final version of the Directive.
The importance of NIS2
According to the World Economic Forum (WEF) Global Cybersecurity Outlook 2024 Insight Report, the cybersecurity industry grew four times faster than the global economy in 2023. However, digital inequality is increasing, and the gap between organizations that are resilient to cyberattacks and those that are not is widening.
As compliance becomes more complex and fast-moving, the number of small and medium-sized businesses addressing cybersecurity is shrinking. According to a recent report from Data Global Group, there is currently a lack of awareness of the general cyber threat landscape and of one’s own risk profile: only 62 percent of small businesses regularly install security updates, and only 18 percent have a contingency plan in place for emergencies. In addition, more than half of small and medium-sized companies (SMEs) see the ongoing costs and the effort for technical adjustments and updates as the biggest obstacle to IT security. Only large and highly regulated multinational companies can overcome these challenges, because they can entrust specialized teams with this task.
What lies ahead for companies
The new regulation provides for a multi-tiered sanction structure for violations, which must be carefully examined in advance as part of the risk assessment. Essential organizations face fines of up to 10 million euros or 2 percent of their global annual turnover, while important organizations face fines of up to 7 million euros or 1.4 percent of their turnover.
However, the consequences go beyond fines. IT teams also need to prepare for possible non-monetary sanctions, which the directive provides for and which can have a significant impact on the business. These include mandatory implementation of the recommendations of a security audit, which may require a complete overhaul of existing security measures. Official orders to retrofit and adapt security measures to the strict NIS2 requirements may also follow.
Management now bears direct responsibility for cybersecurity, with repeated violations threatening sanctions up to and including withdrawal of management functions. This makes cybersecurity a top priority, focusing on governance and strengthening organizational resilience. The real challenge is leveraging regulatory compliance to strengthen overall cybersecurity practices, improve supply chain security and earn stakeholder trust – a key area where advanced governance, risk and compliance (GRC) platforms can provide support to ensure readiness and flexibility.
Take measures to comply with regulations
A strategic focus on governance, risk management and compliance is a prerequisite for preparing for the implementation of the regulation. Boards and executives must prioritize cybersecurity as a business-critical issue and integrate it into the overall governance framework. This requires ensuring that senior management is equipped with the knowledge and tools to effectively monitor cybersecurity measures.
At the operational level, organizations should adopt risk-based measures tailored to their specific threat profiles. This includes securing internal and external systems through vulnerability monitoring, enforcing multi-factor authentication and implementing encryption. Incident response must also be robust, with automated systems enabling rapid detection, reporting and remediation of breaches.
To ensure supply chain security under NIS2, technical leaders must prioritize engaging directly with their suppliers on their cybersecurity measures. This includes not only assessing how well suppliers are prepared for a cyber attack, but also including security requirements in supply contracts to ensure compliance with the directive’s minimum standards. NIS2 requires both essential and important companies to manage risks to network and information systems in their supply chains. These regulatory measures bring greater transparency into supplier systems and continuous monitoring, as companies are now expected to proactively identify and address vulnerabilities that may lie hidden in their supply chain.
By implementing these measures, companies can not only ensure compliance, but also improve their resilience to increasingly sophisticated supply chain attacks. In the long term, this will make supply chains much safer, because they are scrutinized by multiple parties.
Look forward and seize the opportunity
The delay in implementing the regulation is not only a reprieve, but also an opportunity for companies to get ahead of the curve. By strengthening governance, adapting risk management practices and adopting forward-looking compliance measures, companies can turn regulatory requirements into a strategic advantage. At a time when cybersecurity is both a regulatory and operational priority, the ability to adapt and lead will determine long-term resilience and success. Companies that adhere to cyber security regulations will not only meet regulatory requirements, but also provide real protection against emerging cyber threats.