NIS2 explained: what you need to know and how to prepare.
As digital systems and services across Europe become increasingly interconnected, a disruption in one area can quickly trigger damaging effects in another. According to ENISA (the European Union Agency for Cybersecurity), the dominant threats currently facing the EU are DDoS attacks, ransomware and hacktivism. By sector, the majority of recorded attacks target the EU's critical infrastructure: public administration accounts for 38.2% of incidents, followed by transport (7.5%), digital infrastructure and services (4.8%), finance and manufacturing. More than half of the recorded incidents involved essential entities, according to the ENISA Threat Landscape 2025 report.
Meanwhile, the digital transformation of core services is accelerating, increasing the urgency to strengthen the security and resilience of the systems that keep society running, from government and transport networks to energy grids, healthcare and cloud infrastructure. The NIS2 Directive, which member states had to transpose into national law by 17 October 2024 and whose obligations apply from 18 October 2024, is the EU's response to this growing need and its strongest regulatory effort to date to raise cybersecurity standards across these sectors.
This article breaks down what NIS2 means, why it matters now, what happens if organisations ignore it and how Nordcloud helps turn compliance into operational and strategic advantage.
What NIS2 is and why it matters now
The Network and Information Security Directive 2 (NIS2) replaces the original NIS Directive (NIS1) and significantly expands its scope. It now covers 18 sectors and an estimated 180,000 or more entities across the EU, with a clear message: cyber incidents can disrupt not just individual organisations but entire economies. To reduce that risk, the EU defined a baseline of security measures that in-scope organisations must adopt in order to lower cyber risk and improve European cyber resilience.
NIS2 establishes that baseline by introducing stricter expectations across:
- governance and senior management accountability
- cyber risk management
- business continuity and crisis management
- supply‑chain security
- detection, handling and reporting of incidents
- vulnerability and lifecycle management
- security awareness, training and hygiene
To ensure adoption, NIS2 also introduces stronger enforcement, including regulatory supervision, audits and substantial financial penalties for organisations and, in some cases, personal consequences for their executives.
What NIS2 requires: the core obligations
NIS2 sets clear obligations on organisations to boost resilience and reduce risk:
- Organisations must show strong governance: the management body approves and oversees the cybersecurity risk-management measures, and can be held liable for failures to implement them
- They must conduct structured risk analysis and implement appropriate technical, operational and organisational controls; many national transpositions additionally require a designated person responsible for security
- Continuity measures such as backups, disaster recovery and crisis management must be in place, and their effectiveness must be assessed regularly
- Supply-chain security requires assessing the security of direct suppliers and service providers, including their security practices and the vulnerabilities specific to each
- Significant incidents must be detected and reported to the national CSIRT or competent authority on a fixed timeline: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report no later than one month after that notification
Why NIS2 is important: beyond compliance
NIS2 is not only a regulatory requirement; it is a catalyst for strengthening business resilience, operational continuity, customer trust and market competitiveness.
1. Cyber resilience protects revenue and operations
Cyber incidents are costly: the IBM Cost of a Data Breach Report 2023 puts the global average cost of a breach at USD 4.45 million.
NIS2's requirements for structured risk management, continuity planning and incident response reduce both the likelihood and the impact of such disruptions.
2. Trust, reputation and market positioning improve
Cybersecurity maturity is now a prerequisite for doing business, and NIS2 compliance is a clear signal of reliability to regulators, partners and customers. The article's cited PwC 2023 figure associates it with 5–10% higher customer retention; it also creates an edge in regulated supply chains where NIS2-aligned controls are becoming mandatory, and strengthens your position when competing for contracts.
3. Regulatory alignment reduces long‑term burden
NIS2 aligns organisations with evolving EU standards, reducing future compliance complexity. It shares its risk-management vocabulary with related EU legislation such as DORA (which takes precedence for financial entities) and the AI Act, meaning fewer fragmented initiatives and lower long-term compliance spend.
4. Significant financial benefits
NIS2 compliance delivers clear financial gains, from reduced downtime to lower cyber insurance premiums (the article cites reductions of up to 30%) and access to revenue streams in regulated markets.
Non-compliance, meanwhile, is costly: member states must provide for maximum fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least €7 million or 1.4% for important entities.
5. Executive accountability elevates cybersecurity culture
For the first time, executives are directly responsible for cybersecurity. Members of management bodies must follow cybersecurity training, and can be held liable if the organisation fails to comply.
This raises cybersecurity from a “technical topic” to a core leadership priority, aligning funding, governance and organisational culture around resilience.
What happens if you don’t comply
Non-compliance has consequences far beyond fines:
- Personal liability for members of management bodies
- Regulatory supervision, audits and binding instructions
- For essential entities, possible temporary bans on individuals exercising managerial functions
- Public disclosure of incidents, either by the authority or on its instruction
Commercially, failure to comply can disqualify organisations from key supply chains, especially in sectors where NIS2‑level cybersecurity is becoming a contractual requirement.
Which sectors must comply
NIS2 applies to organisations delivering services critical to society and the economy, including:
- Energy (electricity, gas, oil, hydrogen, district heating and cooling)
- Transport (air, rail, water and road)
- Health (hospitals, medical device manufacturers, pharmaceutical manufacturers)
- Digital infrastructure (cloud computing, data centres, content delivery networks, DNS and trust services)
- Public administration (central and regional government)
- Manufacturing of critical products (medical devices, electronics, machinery, vehicles), chemicals, and food production, processing and distribution
How Nordcloud supports your NIS2 journey
Nordcloud blends governance, risk and compliance (GRC) expertise with deep cloud-native experience, making NIS2 compliance practical, fitted to your ways of working and aligned with cloud security best practices.
We tailor our approach to your needs and to where you are in your NIS2 journey:
- We help you translate regulatory requirements into cloud‑aligned, actionable implementations
- We make compliance practical, tailored to your operating model and cloud environments
- We support gap analysis, maturity assessments, governance setup and cloud security frameworks
- We provide you with continuous compliance monitoring and security awareness training
We also offer a sponsored NIS2 readiness assessment to help you determine your current posture and define a clear roadmap.
Our experts have delivered similar work across financial services, the public sector, manufacturing and other regulated industries, covering DORA, the ISO/IEC 27000 series and national cybersecurity legislation.
Turning compliance into competitive advantage
NIS2 is reshaping how European organisations approach cybersecurity, resilience and operational governance. Those who move early will not only reduce regulatory risk; above all, they will strengthen trust, improve business continuity and enhance their competitive positioning.
Get in touch to discuss how we can help you plan for NIS2 and improve your digital resilience.