Why NIS2 Will Change How European Businesses Think About Cybersecurity
The NIS2 directive is more than another compliance checkbox. It introduces personal liability for senior management, broadens the scope to thousands of previously unregulated companies, and demands a level of cybersecurity governance that most organisations simply aren't prepared for.
The NIS2 Directive doesn't just tighten cybersecurity requirements for organisations; it puts individual executives on the line. Here's what that actually means, and why waiting to act is the riskiest move of all.
There's a pattern that comes up repeatedly in conversations with senior executives about NIS2. The regulation has been on their radar for a while, the IT department has raised it once or twice, and the response has generally been: "We'll get to it." The thing is, NIS2 is no longer something you get to. It's already in force. And unlike previous cybersecurity frameworks, this one doesn't stop at the organisation's front door.
The part that tends to get people's attention, once they actually read the small print, is the personal liability clause. Under NIS2, senior management can be held individually responsible for cybersecurity failures. That's not a theoretical risk buried in an obscure annex. It's written into the directive, and member states are required to implement it.
What Has Actually Changed with NIS2?
NIS2 is the successor to the original Network and Information Security Directive from 2016, but the scope and teeth of the new version are considerably sharper. The first version applied to a relatively narrow set of critical infrastructure operators. NIS2 extends that reach significantly, covering 18 sectors and an estimated 160,000 entities across the EU.
For many organisations, particularly mid-sized companies in sectors like manufacturing, logistics, food supply, waste management, and digital services, NIS2 represents their first encounter with mandatory cybersecurity regulation. The assumption that "this is an enterprise problem" no longer holds. If your organisation meets certain size and sector thresholds, you're in scope, whether you've prepared for it or not.
The Liability Question: What Exactly Is at Stake?
This is where NIS2 departs most sharply from previous regulation. Article 20 of the directive requires member states to ensure that "management bodies" of covered organisations are held responsible for compliance with cybersecurity risk management measures. It goes further: management can be temporarily prohibited from exercising management functions if they're found to have been negligent in their duties.
"NIS2 doesn't just regulate systems; it regulates behaviour at the top. For the first time, a director who dismisses cybersecurity as an IT problem can face personal consequences for that decision."
In practice, this means boards and C-suite executives need to actively understand and oversee their organisation's cybersecurity posture, not delegate it entirely and hope for the best. They need to approve cybersecurity risk management policies, receive regular reporting on the organisation's security status, and be able to demonstrate that they've taken their obligations seriously.
It's worth being clear: this doesn't mean every director needs to become a security expert. What it does mean is that "I didn't know" is no longer a defensible position. Ignorance of the risk landscape, particularly when a directive this significant has been in force since late 2024, is itself treated as a governance failure.
The Incident Reporting Timeline Is Tighter Than You Think
Another element that catches organisations off guard is the reporting timeline. Under NIS2, a significant cybersecurity incident triggers a cascade of mandatory notifications. Within 24 hours of becoming aware of the incident, an early warning must be filed with the relevant national authority. A full incident notification follows within 72 hours. A final report is required within one month.
These deadlines sound manageable until you're actually in the middle of an incident. Without a documented incident response plan, clear internal escalation procedures, and pre-established contacts with the relevant authorities, hitting a 24-hour reporting window is genuinely difficult. Organisations that haven't done the groundwork typically discover this the hard way.
What NIS2 Requires Your Organisation to Have in Place
- A risk analysis and documented information security policies
- Incident handling and response procedures, including reporting protocols
- Business continuity and crisis management plans
- Supply chain security assessments covering key suppliers and service providers
- Policies for the use of cryptography and, where appropriate, encryption
- Access control policies, asset management, and multi-factor authentication
- Regular cybersecurity training for staff and management alike
Supply Chain Risk: The Obligation Nobody Talks About Enough
One of the less-discussed aspects of NIS2 is its reach into the supply chain. Covered organisations aren't just responsible for their own cybersecurity; they're required to assess and manage the cybersecurity risks posed by their suppliers and service providers. If a third-party vendor causes or facilitates a breach, the covered organisation can still be held accountable for having failed to manage that risk appropriately.
This creates a genuine compliance challenge for organisations with complex vendor ecosystems. It's not enough to send out a questionnaire once a year and file the responses. NIS2 expects a structured, ongoing approach to supplier risk, with documented assessments, contractual requirements, and regular reviews. For many organisations, this is new territory entirely.
The Two Categories: Essential vs. Important
NIS2 divides covered entities into two tiers, each with different obligations and penalty thresholds. Essential Entities operate in the highest-risk sectors, including energy, transport, banking, health, and critical digital infrastructure. Important Entities cover a broader range of sectors like manufacturing, food production, postal services, and waste management.
The distinction matters for several practical reasons. Essential Entities face proactive supervision from authorities and fines of up to €10 million or 2% of global annual turnover. Important Entities are subject to reactive supervision, with maximum fines of €7 million or 1.4% of global turnover. Both tiers carry personal liability provisions for management. Neither is something to be complacent about.
Where Most Organisations Are Getting Stuck
In practice, the most common sticking point isn't a lack of willingness to comply. It's knowing where to start. The NIS2 text is dense, the CyberFundamentals framework that underpins compliance in Belgium (and which aligns closely with NIS2 requirements more broadly) requires a careful gap analysis to apply correctly, and the sheer volume of documentation and process work involved can feel overwhelming without a clear roadmap.
The organisations that are making the most progress tend to have one thing in common: they started with an honest assessment of where they actually stand, rather than trying to work backwards from the framework. A proper scoping exercise, clarifying whether you're an Essential or Important entity and mapping your specific obligations, gives you something concrete to work with. From there, a structured gap analysis tells you what needs to change, in what order, and with what resources.
The organisations still doing nothing, by contrast, tend to be waiting for more clarity, more time, or a more convenient moment. None of those things are coming. NIS2 is in force, national enforcement is ramping up, and the gap between where most mid-market organisations are today and where they need to be is not shrinking on its own.
"The single most expensive NIS2 decision any organisation can make right now is to keep waiting. The cost of a structured compliance programme is a fraction of what a significant incident, followed by a regulatory fine and reputational damage, would actually look like."
A Practical Path Forward
For most organisations, NIS2 compliance doesn't need to be a multi-year, all-at-once transformation. A modular approach, starting with scoping and classification to understand your obligations, moving into a gap analysis against the CyberFundamentals framework, and then systematically closing the gaps in priority order, is both realistic and defensible from a regulatory standpoint.
The board training component is often more valuable than organisations expect. Getting your senior leadership team genuinely up to speed on their obligations, in a practical session rather than a lengthy briefing document, tends to shift the internal dynamic around cybersecurity in a lasting way. When leadership understands the personal stakes, the budget conversations tend to go rather differently.
The important thing is to start, and to start with something that gives you a clear picture of where you are. Even a preliminary scoping and classification exercise gives you a defensible basis for prioritising your response and demonstrating to regulators that you're taking the obligation seriously.
Not Sure Where Your Organisation Stands on NIS2?
Book a free 30-minute call with our team. We'll walk through your obligations, give you an honest picture of where you are, and outline what a practical path to compliance looks like for your organisation. No pitch, no pressure.
A Note from the Author
Senior Cybersecurity Consultant, Cubic Consulting
I've spent the last eighteen months helping organisations across the Benelux region work through their NIS2 obligations, and the pattern I keep encountering is the same one I describe in this article. Organisations that are genuinely well-managed, with leadership teams that care about doing the right thing, haven't acted simply because the complexity felt paralysing.
The honest truth is that NIS2 compliance, done sensibly, is achievable for most mid-market organisations. It doesn't require a massive upfront investment or a complete overhaul of your security programme. It does require honesty about where you actually are, a clear plan for getting to where you need to be, and the willingness to treat cybersecurity as a board-level issue, not just an IT ticket.
If this article raises questions about your own organisation's position, I'd genuinely encourage you to reach out. A half-hour scoping conversation costs nothing and tends to be surprisingly clarifying.