Many organisations still approach Directive (EU) 2022/2555 ("NIS2")(1) as a regulatory formality – another compliance exercise to be handled by legal and IT teams and run somewhere in the background. However, once an organisation falls within scope, NIS2 compliance becomes a matter of regulatory exposure, governance accountability, and operational resilience. The risks associated with non-compliance therefore go far beyond administrative penalties.
For organisations falling within the scope of the NIS2 framework, cybersecurity governance is rapidly becoming a board-level issue with direct operational consequences.
Under the previous EU cybersecurity regime, regulatory focus was often centred on whether appropriate security measures had formally been implemented. NIS2 significantly broadens this approach by requiring the cybersecurity governance to be genuinely embedded within the organisation’s operational and decision-making structures.
As a result, organisations that underestimate their cybersecurity obligations under NIS2 may face risk exposure on multiple levels simultaneously.
(1) NIS2 is a directive and therefore requires national implementation. While it sets the EU-level framework, many practical details (including certain enforcement mechanisms, procedures and sanctions) will depend on the laws adopted in individual Member States.
Regulatory exposure goes well beyond fines
The most discussed aspect of NIS2 enforcement concerns administrative fines. While these fines are significant, focusing exclusively on fines often creates a misleading picture of the actual enforcement landscape.
For essential entities (2), administrative fines may reach up to EUR 10 million or 2% of the organisation’s total worldwide annual turnover from the preceding financial year. Important entities may face fines of up to EUR 7 million or 1.4% of the total annual turnover from the preceding financial year. These are the headline thresholds under NIS2, while national implementing laws may provide for additional sanctions.
However, financial penalties represent only one part of the broader supervisory and enforcement framework. National competent authorities, when exercising their supervisory tasks, may also:
- conduct audits and inspections (on-site and off-site),
- request extensive information and documentation, including documented cybersecurity policies and evidence of their implementation,
- order remediation measures,
- issue warnings and adopt binding instructions,
- order the entity to cease conduct that infringes NIS2, or
- impose temporary bans affecting management functions.
Importantly, supervisory scrutiny may intensify after a cyber incident becomes public. An organisation suffering a breach may suddenly need to demonstrate not only what happened, but whether its governance framework was adequate before the incident occurred.

(2) NIS2 distinguishes between “essential entities” and “important entities”, with classification depending primarily on the relevant sector, size and specific criteria set out in NIS2 and national implementing laws. For more on NIS2 scope and qualification criteria, see our previous article: “NIS2 – are you really out of scope? A practical look at key criteria and common misconceptions”.
The operational impact of non-compliance may exceed the regulatory risk
In many cases, the most immediate consequences of weak NIS2 readiness are operational rather than regulatory. A serious cyber incident can disrupt core business functions, interrupt supply chains, delay service delivery and affect relationships with customers and partners. For example, a ransomware attack affecting a key IT service provider may not only disrupt that provider’s own operations, but also delay services delivered to multiple customers relying on its systems. For organisations operating in highly interconnected sectors, even a relatively localised incident may quickly escalate into broader operational disruption.
NIS2 reflects this reality by placing strong emphasis on:
- risk-management measures,
- incident detection,
- business continuity,
- supply-chain security,
- crisis management, and
- recovery capabilities.
Many organisations still focus primarily on technical cybersecurity controls, while giving less attention to organisational preparedness, internal decision-making processes and coordinated incident response capabilities. In practice, even where technical tools are in place, an incident may escalate if decision-making responsibilities are unclear, legal and compliance teams are involved too late, management does not receive timely information, suppliers are not properly coordinated or regulatory notification processes are not ready to operate under time pressure.
From a practical perspective, regulatory scrutiny after an incident will focus on questions such as:
1. Was the organisation able to identify the incident quickly?
2. Were reporting obligations fulfilled within the required deadlines?
3. Did management receive appropriate visibility into cyber risks?
4. Were suppliers appropriately assessed?
5. Did the organisation maintain adequate business continuity procedures?
Supply-chain risks are becoming increasingly important
One of the most commercially significant aspects of NIS2 is its impact on business relationships. As organisations implement NIS2 compliance programmes, many are reassessing contractual obligations imposed on suppliers, service providers and technology partners. NIS2 requires essential and important entities to address supply-chain security, including security-related aspects of relationships with their direct suppliers and service providers. As a result, even organisations that are not directly subject to NIS2 may increasingly be expected to meet certain cybersecurity standards as part of their customers’ or business partners’ compliance processes.
This creates a cascading effect across the market. Even organisations that are not directly subject to NIS2 may increasingly encounter:
- requests to complete cybersecurity questionnaires during procurement processes,
- enhanced security clauses in procurement contracts,
- enhanced security audit rights,
- mandatory incident notification obligations within shorter deadlines,
- vendor due diligence requirements, or
- requests for evidence of cybersecurity governance.
In practice, an inability to demonstrate cybersecurity maturity may gradually evolve from a legal issue into a commercial disadvantage. For some organisations, the greatest risk may therefore not be a regulatory investigation, but exclusion from business opportunities or strategic partnerships.
Management accountability is no longer theoretical
governance. Unlike earlier regulatory approaches that often treated cybersecurity primarily as a technical function, NIS2 explicitly recognises cyber risk as a governance issue.
Management bodies are expected, in particular, to:
- approve cybersecurity risk-management measures,
- oversee implementation,
- receive appropriate training, and
- maintain sufficient awareness of cyber risks affecting the organisation.
Importantly, NIS2 also requires Member States to ensure that management bodies can be held liable for infringements of cybersecurity risk-management obligations. The precise form of such liability depends on national legal frameworks.
For many organisations, this requires not only technical improvements, but also a clearer governance model, documented oversight and regular engagement at management level. This shift is important because cybersecurity can no longer be delegated without management oversight.
NIS2 readiness should be viewed as a strategic resilience issue
One of the most common misconceptions surrounding NIS2 is the assumption that compliance can be addressed through isolated technical remediation projects. In reality, effective NIS2 readiness usually requires cross-functional coordination involving not only the IT department, but also legal and compliance, risk management, procurement, HR and senior management.
NIS2 does not prescribe one universal compliance model. Instead, organisations are expected to adopt measures appropriate to their size, exposure, operational context and risk profile. As a result, the most effective approach is often a pragmatic, risk-based assessment focused on identifying material gaps and prioritising remediation efforts.
How can we help?
We advise businesses on mapping and implementing obligations arising under NIS2 (at EU-wide level). We support our clients in particular in:
- assessing whether NIS2 applies to your organisation,
- identifying the specific regulatory requirements,
- implementing cybersecurity policies, procedures and documentation,
- advising on the legal aspects of cybersecurity incident management and reporting,
- reviewing agreements with ICT product and service providers,
- delivering training for management boards and IT teams on the new regulatory requirements.
We have also developed a preliminary NIS2 assessment tool to help organisations carry out an initial evaluation of whether they may fall within the scope of the NIS2 framework. The tool is intended as a practical first-step assessment and should be followed by a legal analysis of the relevant national implementing rules.