MDR · 5 MIN READ · PIERRE NOEL · NOV 19, 2025 · TAGS: Guidance
TL;DR
- The Network and Information Security Directive 2 (NIS2) is the EU directive that sets cybersecurity risk-management and incident-reporting obligations for "essential" and "important" entities across a much wider range of sectors than its predecessor
- Suppliers and service providers to those entities are not automatically in scope themselves, but the entities must manage supply-chain security, so in practice third parties will be asked to demonstrate their controls contractually
- Instead of taking the “wait and see” approach to these regulations, get ready with help from Expel now to avoid future fines and penalties
Reports of cyber attacks are a mainstay in newsrooms around the globe. In the past year, large incidents have impacted the likes of Marks & Spencer, Co-op, and Qantas. But what happens when essential national infrastructure goes down?
From crippling ransomware that grinds hospitals to a halt to digital saboteurs targeting power grids and water treatment facilities, threat actors aren’t just after your credit card number anymore. They’re aiming their crosshairs at bigger, more disruptive targets: the organisations that keep society running.
Unfortunately, attackers have plenty of vectors for entry. They often gain access to important infrastructure by exploiting the third parties responsible for delivering services to critical organisations.
The ripple effect of just a single breach on government, healthcare, or energy providers is felt far and wide. This new reality has been a wake-up call for the European Union—and in response to the escalating threat, regulators have introduced the Network and Information Security Directive 2 (NIS2) to bolster cybersecurity for essential services.
For those of you concerned, intimidated, or altogether perplexed by the looming threat of new EU cybersecurity regulations, let’s discuss what NIS2 is and how it will affect your organisation.
What is the NIS2 directive?
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is a European Union directive succeeding the original Network and Information Security Directive (NIS, Directive (EU) 2016/1148).
If you’re unfamiliar, here’s the lowdown: NIS aimed to establish strong cybersecurity standards for critical infrastructure in the EU, such as energy and healthcare. Organisations in these sectors had to make operational changes to their security measures and reporting behaviour to protect systems from disruption.
NIS2 casts a much wider net. Instead of the original directive's "operators of essential services" and "digital service providers", it classifies organisations as "essential" or "important" entities and lists the covered sectors in its Annex I (high-criticality sectors) and Annex II (other critical sectors). In practice, that means organisations in industries such as water treatment, food production, internet providers, and waste management will need to comply with regulatory requirements too.
NIS2 entered into force on January 16, 2023, and EU member states were required to transpose it into national law by October 17, 2024.
The foundational principles of NIS2 are consistent across the EU. They include:
- Risk management: Article 21 requires organisations to implement appropriate and proportionate technical, operational, and organisational measures to protect their network and information systems. It lists ten minimum areas these measures must cover, including risk analysis and information-system security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply-chain security, security in the acquisition, development, and maintenance of systems (including vulnerability handling and disclosure), assessment of the effectiveness of the measures, cyber hygiene and training, cryptography, human resources security with access control and asset management, and multi-factor authentication and secured communications.
- Corporate accountability: The directive makes cybersecurity a management-body responsibility. Under Article 20, management bodies must approve the risk-management measures, oversee their implementation, and attend cybersecurity training, and they can be held liable for infringements.
- Incident reporting: Strict deadlines are imposed for organisations to notify the national CSIRT or competent authority of significant incidents and to follow up with fuller reports.
However, NIS2 is a minimum-harmonisation directive: member states may go beyond its baseline when transposing it, and some take a more stringent approach than others. Germany, for example, mandates stricter reporting timelines in the event of a significant incident.
Which organisations need to be NIS2 compliant?
The expanded scope of NIS2 means many organisations categorised as "essential" or "important" entities must comply with regulations. As a rule, the directive applies to medium-sized and larger organisations (50 or more staff, or annual turnover above €10 million) operating in the listed sectors, with some types of provider, such as DNS service providers, TLD name registries, and trust service providers, in scope regardless of size. The sectors include, but are not limited to:
- Energy: Electricity, oil, and gas
- Transport: Air, rail, water, and road
- Financial services: Banking and financial market infrastructures
- Health: Healthcare providers and pharmaceutical manufacturers
- Drinking water and wastewater: Treatment and supply
- Digital infrastructure: Telecoms, DNS service providers, and data centres
- ICT service management: Managed service providers and security service providers
- Public administration: Central and regional government bodies
And perhaps most notably, the entities in these categories must manage the security of their supply chain, including the relationships with their direct suppliers and service providers (Article 21(2)(d)). Those suppliers are not necessarily in scope in their own right, but they will be asked to demonstrate their security controls as a condition of doing business.
How are businesses affected?
NIS2 demands a fundamental shift in how organisations in these sectors approach cybersecurity. For example, it mandates that the management body must approve the cybersecurity risk-management measures and oversee their implementation within the business, and that its members undergo cybersecurity training. The directive does not prescribe a specific role such as a Chief Information Security Officer (CISO), but because accountability sits with leadership, most organisations designate a CISO or equivalent to own the compliance programme and report to the board.
Rigorous incident reporting is also expected. Organisations must provide an early warning of a significant incident within 24 hours of becoming aware of it, indicating whether the incident is suspected to be malicious and whether it could have a cross-border impact. A fuller incident notification must follow within 72 hours of becoming aware, with an initial assessment of severity and impact and any indicators of compromise. The authority may request intermediate status updates in the meantime. Lastly, a final report is due within one month of the 72-hour notification, detailing the cause of the incident, its severity and impact, the mitigation measures applied and still in progress, and any cross-border impact. Where the incident is likely to affect the recipients of an entity's services, they must be informed too.
Beyond reporting, businesses must also show robust incident handling capabilities. Well-defined processes, fast-moving response teams, and regular tabletop exercises for senior executives can demonstrate that leaders know how to react and communicate effectively during a cyber crisis.
24×7 monitoring is, in practice, non-negotiable. The directive does not spell out "round-the-clock" in so many words, but the 24-hour early-warning clock starts when the organisation becomes aware of an incident, and an organisation that only looks at its alerts between 9am and 5pm, or relies on on-call staff with no continuous detection, will struggle to meet it. Businesses must deploy appropriate technologies and controls to achieve continuous visibility in their environments. After all, cyber criminals aren't clocking out at 5pm.
Even for companies that don't handle sensitive data themselves, the NIS2 ripple effect is significant. Regulated entities must assess the security of their suppliers, so third-party vendors will need to answer due-diligence questionnaires and demonstrate their controls in order to win or renew contracts with NIS2-regulated customers.
So if you're a vendor to a hospital, airport, or energy provider, expect to be asked to demonstrate NIS2-aligned security practices, whether or not the directive applies to you directly. The directive's influence extends far down the supply chain, pushing a consistent approach to cybersecurity across all important services in the EU.
Will organisations be penalised?
The discerning among you will notice the deadline for transposing NIS2 into law has already passed. But at the time of writing, many countries are still in the process of drafting their laws. The European Commission has started infringement procedures against some member states for the delays.
The understanding is clear that NIS2 is in force, and its impact is being felt across the EU. But the buck doesn't stop at a country level. Organisations themselves must adhere to the national rules transposing NIS2, and if they don't, regulators have the power to impose administrative fines and binding corrective orders. For essential entities, they can go further and temporarily suspend certifications or authorisations, and temporarily bar individuals at CEO or legal-representative level from exercising management functions, until the infringement is remedied. Whether criminal penalties also apply depends on each member state's own law.
Companies can face “effective, proportionate, and dissuasive” fines for non-compliance, scaled in accordance with their classification as “essential” (e.g. energy, transport, health) or “important” entities (e.g. postal, waste, food).
The fines for essential entities can be substantial: up to €10 million or 2% of the company's total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum fine is €7 million or 1.4% of worldwide annual turnover, again whichever is higher. NIS2 also introduces the possibility of personal liability for members of the management body who fail to approve, oversee, or implement appropriate measures.
So, are sanctions being handed out left, right, and centre?
Not quite. Regulators have yet to fine-tune their approach and interpretation of the NIS2 text. As a result, there haven’t been any significant fines for non-compliance, leading some companies to take a “wait and see” approach to NIS2 action.
We think the landscape will shift dramatically the day a board director is personally held accountable for a cyber incident. That would compel a far more proactive and serious approach to cybersecurity across all levels of an organisation.
And once local regulators start penalising businesses, you don’t want to get caught in the firing line. There’s a high chance they could hand out hefty fines to inspire other parties to pay attention to NIS2.
The best course of action is to get compliant now.
How to get NIS2 compliant
NIS2 compliance requires businesses to take a proactive approach to building robust cyber defences. Leaders can prepare by:
- Conducting risk assessments: Identifying existing ICT vulnerabilities and developing a cybersecurity strategy to fill the gaps supports NIS2 compliance.
- Perfecting your incident response: Response planning, managed detection and response (MDR), and updating reporting policies are vital. A retainer agreement with an incident response partner can protect businesses when they require rapid intervention and specialised expertise. Tabletop exercises can help leaders develop the skills and knowledge to respond effectively to real threats.
- Implementing secure access control: Introducing identity and access management policies, including protocols like multi-factor authentication (MFA), is essential.
- Assigning clear ownership: NIS2 does not name a specific role, but it holds the management body accountable, so designate a CISO or another senior staff member to own the compliance programme, and make sure board members complete the cybersecurity training the directive requires of them.
These measures can help identify potential hazards—such as cyber threats, data leaks, and system outages—and reduce their likelihood and potential impact.
How Expel can help
Partnering with an experienced cybersecurity provider can help your organisation understand the complexities of NIS2 and turn compliance into your competitive edge—even while other organisations struggle to keep up.
Expel supports NIS2 compliance by providing continuous, 24×7 environment monitoring and enhanced visibility for organisations. As a third-party service provider to affected entities, Expel has also prepared contractual supplements that align with the relevant tiered requirements under NIS2.
Find out more about our managed detection and response services and get started on your journey to NIS2 compliance.
