NIS2: What CISOs Need to Know

NIS2 represents a paradigm shift in EU cybersecurity regulation, mandating stronger security measures across critical sectors. For CISOs, it introduces personal accountability, stricter compliance requirements, and significant penalties for non-compliance, making cybersecurity a board-level priority.

The History

The Network and Information Systems Directive 2 (NIS2) evolved from its predecessor (NIS1) to address growing cyber threats across the EU. Adopted in 2023 and effective from October 2024, NIS2 was developed in response to the exponential rise in cyber risks targeting critical European infrastructures. The directive aims to harmonize cybersecurity standards across member states, as evidenced by a recent ENISA report highlighting compliance failures in six critical infrastructure divisions. With thirteen EU member states reportedly missing compliance deadlines, the urgency for implementation is clear.

From Protection to Resilience

NIS2 significantly expands the scope of regulated entities to cover 15 sectors and an estimated 160,000 organizations across Europe, including those outside the EU that provide services within it. The directive distinguishes between "essential" and "important" entities based on criticality, size, and impact, with corresponding obligations and penalties.

Key pillars of NIS2 include:

• Risk Management Framework: Organizations must implement systematic, documented approaches to cybersecurity risk management with proportionate technical and organizational measures.

  
  

• Incident Reporting: Mandatory notification protocols require reporting within 24 hours for preliminary notification, 72 hours for full notification, and one month for final incident reports.

  
  

• Supply Chain Security: Organizations must assess and monitor the security posture of vendors and service providers, addressing a common attack vector.

  
  

• Governance and Accountability:NIS2 mandates appointing a cybersecurity officer and establishes personal liability for executives, with potential criminal consequences for negligence.

  
  

• Enhanced Supervision: National competent authorities have extensive powers to conduct audits, assess compliance, and impose significant penalties of up to €10 million or 2% of global annual revenue.

  
  

Adopting NIS2

CISOs face significant challenges implementing NIS2, including resource constraints, technical complexity, and organizational resistance. Many IT leaders report spending up to 80% of their budgets on cybersecurity and compliance, with costs for NIS2 implementation ranging from €100,000 to €1 million for larger companies. The directive requires comprehensive documentation, regular risk assessments, and supply chain security measures that may necessitate renegotiating vendor contracts.

The bureaucratic burden is substantial, with one IT leader describing NIS2 as a "superstructure" requiring precise procedures that translate into "a lot of paper and money that could have been invested in real security" . Organizations must prepare for audits with only two weeks' notice, creating potential friction with engineering teams who need "pockets of silence" for implementation work.

However, organizations that have previously pursued ISO/IEC 27001:2022 certification report having "80% of the work done" toward NIS2 compliance, suggesting that a proactive approach to security standards can significantly reduce the compliance burden.

Rather than viewing NIS2 as merely a compliance exercise, organizations should embrace it as an opportunity to establish a stronger cybersecurity posture through continuous compliance. This means implementing foundational security measures that address NIS2 requirements while also enhancing overall resilience against cyber threats. The approach should integrate people, processes, and technology in a comprehensive strategy.

Key steps include:

• Conduct a Gap Analysis:Assess your current security posture against NIS2 requirements to identify vulnerabilities and prioritize remediation efforts.

• Establish Clear Governance:Appoint a dedicated cybersecurity officer with adequate resources and authority, ensuring board-level involvement in cybersecurity strategy.

• Implement Technical Solutions:Deploy required security technologies including multi-factor authentication, encryption, intrusion detection, and vulnerability management tools.

• Develop Incident Response Capabilities:Create formal incident response plans with clear roles and responsibilities, ensuring compliance with NIS2's strict reporting timelines.

• Address Supply Chain Security:Identify critical suppliers, evaluate their security posture, and include robust security clauses in contracts.

• Invest in Training and Awareness:Provide regular cybersecurity training for all employees, ensuring they understand their roles in maintaining compliance.

  
  

Conclusion

NIS2 represents a significant step toward creating a more secure digital ecosystem across Europe. While compliance requires substantial investment and organizational change, the benefits extend beyond regulatory compliance to enhanced protection of critical infrastructure, sensitive data, and ultimately, citizen safety. Organizations that embrace NIS2 as an opportunity rather than a burden will develop stronger security postures, build stakeholder trust, and contribute to collective resilience against cyber threats. As one CISO noted, NIS2 is "an opportunity because it offers prescriptions on security posture that should be the norm for any digital company".