The clock has already struck for NIS2 compliance, and organisations across the EU are grappling with what this means for their cyber security strategies. With steep fines and even personal liability for board members at stake, the pressure is on. Before diving into specific implementation steps, it’s crucial to take a step back and evaluate your organisation’s current cyber security posture.
What measures are already in place? Where are the gaps? Starting with this evaluation can prevent unnecessary duplication of effort and help define the scope of what needs to be done. From there, organisations can leverage existing frameworks and align with other established regulations to meet NIS2 requirements more efficiently, even amidst the ongoing national transposition process.
In this article, Selma Mujcic, Cyber Associate based in S-RM’s Netherlands office, explores how to navigate NIS2 by building on what organisations already have—using frameworks such as ISO 27001, NIST, and others—to streamline compliance and strengthen your organisation’s overall resilience.
What is NIS2 and why does it matter?
Firstly, why does Europe need NIS2? The original NIS directive, introduced in 2016, aimed to harmonise cyber security across the EU. However, its limited scope left many critical sectors uncovered, and uneven enforcement weakened its impact. As cyber threats evolved, it became clear that a stronger framework was needed. NIS2 was introduced to address these gaps, expand its reach, and ensure consistent cyber security standards across the EU.
As cyber threats grew more sophisticated, the EU recognised that the old directive wasn't enough to protect its critical infrastructure.
Formally titled “Directive (EU) 2022/2555 on measures for a high common level of cyber security across the Union” and published on December 14, 2022, NIS2 aims to strengthen the cyber security posture of entities deemed critical to Europe's infrastructure.
Unlike regulations such as the General Data Protection Regulation (‘GDPR’) that apply uniformly across the EU, NIS2 is a directive, meaning it allows each Member State to craft its own laws whilst adhering to the minimum standards outlined by NIS2. As a result, compliance requirements may vary across countries in their local laws—some aligning with the baseline set by the directive, while others enforce stricter cyber security measures.
Executives can be personally liable for cyber security failures. This means C-level managers could face legal consequences if their organisation doesn't comply.
Superseding its predecessor, the original NIS directive, NIS2 expands its scope considerably. It applies to more industries, promotes better cross-border cooperation, enforces stricter reporting timelines, and holds top management accountable for compliance. It also emphasises securing supply chains—a growing vulnerability in today’s interconnected world. By October 18, 2024, all EU Member States were required to integrate these principles into national law.
With thousands of organisations affected across sectors such as energy, health, digital infrastructure, and public administration, NIS2 reshapes Europe’s cyber security landscape. Its requirements are based on three criteria: location, size, and industry—categorising organisations as either “essential entities” or “important entities.”
What does NIS2 require of organisations?
At the heart of NIS2 are the obligations for organisations outlined in Chapter IV, “Cyber security risk-management measures and reporting obligations.” This chapter specifies what essential and important entities must do to achieve compliance, forming the backbone of the directive for organisations safeguarding Europe’s critical infrastructure.
These obligations primarily focus on two areas: risk management and incident reporting. Organisations must implement strong cyber security risk management measures to protect their operations. They are also required to notify a designated Computer Security Incident Response Team (CSIRT) or competent authority about significant incidents, as well as inform recipients of their services who may be affected.
The reporting process is multi-staged, involving an early warning, an incident notification, intermediate updates, a final report, and progress updates. For incidents that cross borders and impact multiple Member States, relevant authorities must coordinate their response with ENISA (the European Union Agency for Cybersecurity) and notify other affected Member States.
Non-compliance with NIS2 carries serious consequences. Essential entities face fines of up to €10 million or 2% of their total annual turnover, while important entities can be fined up to €7 million or 1.4% of turnover. Beyond monetary penalties, top management is under heightened scrutiny. Article 20 mandates that leadership approves cyber security risk management measures and ensures their proper implementation. Furthermore, personal liability for top management is introduced if compliance measures fall short or do not meet standards.
The state of NIS2 transposition across the EU
Transposing the NIS2 Directive into national law is a critical step for EU Member States to ensure compliance. Each country had until October 17, 2024, to adopt local legislation — a process known as "transposition," where EU directives are adapted into enforceable national laws. While some countries acted quickly, others are still navigating this legislative challenge.
Several Member States have finalised or are close to finalising their transpositions. For example, Belgium adopted an Act on April 18, 2024, set to take effect on October 18, 2024. Croatia took an early lead with its Cyber security Act, effective since February 15, 2024. Latvia followed suit, approving its National Cyber Security Law on June 20, 2024, with an effective date of September 1, 2024, pending final approvals. Meanwhile, Italy has also completed its transposition efforts through its Legislative Decree 138/2024.
The result? A fragmented regulatory landscape where the rules of the game can change from one country to the next.
However, the majority of Member States missed the October 17 deadline. Countries such as France, Germany and the Netherlands are still drafting or approving their transposition laws. In the Netherlands, for instance, NIS2 will be implemented through a new Cybersecurity Act (Cyberbeveiligingswet), which will replace the existing Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen).
This uneven progress highlights the complexities of aligning national priorities with the directive's demanding requirements. For organisations, this creates uncertainty, as compliance measures may differ or remain unclear until local laws are finalised. The delays also underscore the need for organisations to adopt flexible compliance strategies that can adapt to varying national implementations.
Leveraging other frameworks to enhance NIS2 compliance
NIS2’s uneven rollout across the EU has left organisations grappling with a confusing patchwork of compliance rules. With high fines and personal liability on the line, many are understandably searching for the most efficient way to ensure compliance. One answer? Leveraging established frameworks such as ISO 27001. These frameworks offer a practical roadmap to meet NIS2 requirements.
Why start from scratch when existing frameworks can provide a head start?
Established frameworks such as ISO 27001 and the NIST Cybersecurity Framework are already widely adopted and provide structured methodologies that align closely with NIS2’s requirements. By integrating these frameworks into their compliance strategies, organisations can expedite their efforts while embedding industry best practices. This approach not only simplifies compliance but also strengthens overall resilience against cyber threats.
Interestingly, while NIS2 doesn’t require organisations to adopt ISO 27001, it does explicitly reference the ISO/IEC 27000 series as a recommended way to implement cyber security risk management measures. ISO 27001 can serve as a solid foundation for addressing many of NIS2’s requirements, making it a practical choice for organisations looking to streamline their compliance efforts. Take Belgium, for example, where an ISO 27001 certificate has been an acceptable way to demonstrate compliance with NIS requirements since the first version of its NIS law, in place since May 2019. This acceptance of ISO 27001 remains valid for NIS2 compliance in Belgium. That said, ISO 27001 has its limitations. For instance, crisis management—a critical component of NIS2 compliance—is not addressed within its scope. Similarly, the reporting obligations outlined in Article 23 of NIS2, including the detailed multi-stage reporting process, require supplementary measures or additional frameworks to fully comply.
Waiting for full clarity in national laws could lead to costly delays and increased risk exposure.
Beyond ISO 27001, the NIST Cybersecurity Framework provides a flexible and comprehensive approach to managing cyber security risks. Its emphasis on identifying, protecting, detecting, responding to, and recovering from threats makes it a valuable resource for organisations working to comply with NIS2, and adopting it is a no-regret move in preparing for NIS2 compliance.
Other EU regulations, such as GDPR and DORA, can complement compliance efforts, though they have distinct focuses—GDPR on personal data protection and DORA on financial institutions’ operational resilience. Together with ISO 27001 and other frameworks, they provide a strong foundation for meeting NIS2 requirements regarding cyber security measures while building a broader cyber security strategy.
Conclusion
NIS2 represents a significant milestone in advancing cyber security across the EU, but its uneven national transposition and complex requirements present challenges for organisations. Organisations can build on their current cyber security posture and leverage established frameworks such as ISO 27001 and NIST to move towards NIS2 compliance without regret.
Waiting for full clarity in national laws could lead to delays in achieving compliance. Instead, organisations can already focus on identifying gaps, aligning with best practices, and preparing for the evolving regulatory landscape.
The time to act is now. Starting with an internal cyber maturity assessment, building on the frameworks the organisation already has in place, and mapping out a clear strategy will help organisations meet NIS2 requirements and position themselves as leaders in cyber security resilience.