
The NIS2 Directive: Key Considerations & Practical Steps to Achieve NIS2 Compliance

16 April 2025

By Julian Brown

NIS2 compliance in 2025

European organizations face a growing threat of cyber attacks due to an increased level of sophistication in attack techniques, growing dependency on digital services, geopolitical tensions, and frontier technologies like Generative AI. 

Against this backdrop, the regulatory landscape is also shifting, forcing organizations to keep pace with evolving requirements. While well-intended and designed to provide a framework for defense, the compliance treadmill can feel a bit exhausting for many organizations. 

Directive (EU) 2022/2555, commonly referred to as the Network and Information Systems Directive (NIS2), is the latest of these requirements, representing a substantial update to the original 2016 NIS Directive.

Aimed at improving cyber security resilience across the EU, NIS2 expands its scope to a broader range of sectors and types of entities deemed critical to economic and societal stability within the EU. Its requirements will strengthen reporting obligations, enhance cooperation amongst EU member states, and harmonize regulations, ensuring a more coordinated approach to cyber security in Europe.

In early March 2025, the European Union Agency for Cybersecurity (ENISA) released its inaugural NIS360 report, assessing the maturity and criticality of sectors covered by the NIS2 Directive. While some progress has been made, particularly in electricity, telecoms, banking, and digital infrastructures, all sectors still face challenges in meeting NIS2 requirements. 

NIS2: A pivotal shift in leadership responsibility

Perhaps even more critical, NIS2 marks a major shift in how organizations approach cyber security, emphasizing risk management, supply chain security, incident reporting, and senior management accountability. By expanding its scope and holding senior management personally liable for infringements, NIS2 reinforces the need for a unified, proactive approach to cyber security across leadership, IT, and operational environments. 

As highlighted within NCC Group's latest edition of the Global Cyber Policy Radar, NIS2 enables authorities to force regulated entities to take remediation or preventative actions if their cyber resilience is deemed inadequate. Failure to do so can result in the temporary suspension of the entity's certifications or authorisations to operate, or a temporary ban on senior managers exercising managerial functions.

Of course, organizations that stay ahead of the game and build resiliency will be best equipped to comply with any new regulations. But it's not always easy when teams are already stretched thin, and the rules seem so complex. Understandably, it's hard to know where to start.

NCC Group's team of PECB Certified NIS2 Directive Implementers offers unmatched expertise, fact-based insights, and trusted guidance to help any organization navigate NIS2 compliance. 

Let's start by cutting through the confusion with the key things you should know about NIS2 compliance:

 

The timeline: 

The deadline was set to October 17, 2024, for all EU member states to transpose the NIS2 Directive into national law. Yet, by that date, only a few countries, such as Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania, had completed the process.

The European Commission has since initiated infringement procedures against 23 Member States that missed the deadline. We will undoubtedly see a surge of NIS2 adoption into law as 2025 rolls on, which means the time is now to begin the compliance process.

The framework:

For NIS2 compliance, organizations can leverage several established cyber security frameworks to align their security measures with the Directive's requirements. The most relevant include ISO/IEC 27001:2022, the NIST Cybersecurity Framework, the CIS Critical Security Controls, and ENISA's implementing guidance. None of these is mandated by the Directive itself, so map the framework's controls to the specific NIS2 obligations (the Article 21 risk management measures, incident reporting, and supply chain security) rather than treating certification against a framework as compliance in its own right.

As the NIS2 Directive is transposed into local law, each EU member state will adopt a national cyber security strategy and appoint competent authorities and single points of contact who may provide additional guidance on recommended frameworks organizations can align to.  

The leadership focus:

Unlike its predecessor, NIS2 makes management bodies directly accountable: executives have a legal obligation to approve and oversee the organization's cyber security risk management measures, and they can be held personally liable for infringements.

That means the C-suite and Board of Directors can no longer delegate cyber security concerns to IT, and they must become more proactive and involved in risk management, decision making, and implementation or else face personal consequences.

The scope:

NIS2 covers a much broader scope beyond the traditional critical national infrastructure sectors such as energy, transport, and healthcare, adding sectors such as food production, postal services, manufacturing, space, and public administration. It also reaches their vendors indirectly: in-scope entities must manage the security of their supply chains, so suppliers should expect security requirements to flow down to them contractually. It categorizes entities as either "essential" or "important," with different levels of supervision, enforcement, and penalties for each.  

The business imperative: 

Many organizations may view NIS2 as yet another regulatory requirement to meet. That's the wrong attitude. Compliance isn't just a regulatory necessity; it's a business imperative—a crucial step toward safeguarding critical services against evolving cyber threats.

In today's hyper-connected business environment, a cyber incident can have sweeping societal impacts beyond just your product and service delivery. Operational downtime can affect the food supply, energy, financial, and healthcare infrastructure, potentially putting lives at risk. This isn't just a mandate. It's essential for resilience, business continuity, economic and societal stability.

A playbook for NIS2 compliance 

Now that we've established the key tenets of compliance, the next obvious question is, "How can we get there?" Don't fret. We've got you covered. Here are eight practical steps to achieving compliance based on NCC Group's experience and best practices for NIS2 implementation and adherence:

 

1) Know your scope.

Dig into the Directive and find out how your industry and your business are affected. Are you considered essential or important? The level of implementation, enforcement, reporting obligations and penalties vary, so you don't want to miss the mark by not investing enough. Likewise, over-achieving may not be cost effective, although it never hurts to be proactive about cyber security.

 

2) Secure board-level and executive buy-in. 

Only half of organizations say their leadership currently participates in dedicated cyber security training, and in several of the new in-scope sectors, nonparticipation rates exceed 70%. 

For cyber security professionals, NIS2 may be the siren that finally helps you get leadership's attention and investment. It's concerning that, right now, 14% of organizations say they will not be able to ask for additional budget, which will make compliance difficult without proper resources. IT and security leaders must emphasize personal liability and leaders' new responsibility, along with the need to align a cyber plan with business goals and how a robust cyber security program can be an enabler for the business. You'll need to secure their buy-in for policy, adequate resource allocation, and setting the tone for a positive cyber security culture across the organization. 

 

3) Conduct a gap analysis against NIS2 requirements.

Identify the key actions required for achieving NIS2 readiness and measure your current state against those benchmarks. Be sure to cover all the provisions of NIS2 and conduct an honest, genuine assessment—don't sugarcoat reality. 

Because the analysis can be daunting and time-consuming, this can be an excellent time to enlist the help of a third party to conduct an objective assessment. Even for larger organizations, it can pay to have an expert like NCC Group, who knows cyber security and the Directive inside and out, conduct a gap assessment. Our certified specialists can help make quick work of the audit.

 

4) Build a risk management program.

Leverage your internal analysis and threat intelligence to identify risks and build a framework for risk assessment. Define your organization's risk appetite and tolerance to balance risk against the cost and complexity of security measures. This should be tailored to specific risks based on your size, industry, criticality of assets, and/or social or economic impacts of an incident within your organization or supply chain. 

Once you've identified current gaps, prioritize the most vulnerable areas and develop a plan to address them. Some of the biggest challenges organizations report include implementing encryption, multi-factor authentication, and vulnerability handling, but securing legacy systems, maintaining an asset inventory, and adopting an overall culture that makes cyber security a priority are also key issues. 

 

5) Map your supply chain.

Over 30% of organizations say supply chain risk management is the most challenging requirement of NIS2, and it's no wonder: almost half say they simply take vendors' credentials at face value, and at least 20% of entities in newly regulated sectors admit to forgoing vendor assessments and blindly trusting their supply chain. Under NIS2, that's no longer an option. 

Going forward, regulated entities will need to create supplier assurance frameworks and conduct supply chain mapping to identify vulnerabilities, track certifications, and streamline incident response processes. In addition to maintaining a supplier register and conducting periodic recertification, consider ranking suppliers in tiers (critical/medium/low) and identifying alternatives for contingency planning. 

 

6) Address interoperability between IT and OT.

Operational technology (OT) can be more at risk than IT, particularly in manufacturing and utilities. That's especially true for legacy systems, and those without a direct external connection often fly under the radar because they are assumed to be isolated, even though they are frequently reachable through the corporate IT network. 

Even more concerning, the ENISA NIS360 report states that just 2 out of 5 manufacturing organizations are aware of NIS2 requirements—one of the lowest levels of any industry. For these entities, connecting the dots and bridging the gap between IT and OT will be essential for achieving NIS2 compliance.

 

7) Create incident response plans.

Above all, NIS2 demands that organizations shift from a reactive to a proactive approach to security, focusing on risk management and incident preparedness. That means creating incident response plans based on an informed understanding of the security risks faced by the organization, and developing comprehensive response plans that are routinely tested and subject to continuous improvement. Those plans also need to meet NIS2's incident reporting obligations: a significant incident requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month, so detection, triage, and escalation paths must be defined and rehearsed before an incident occurs.

Continuous improvement should be part of the feedback loop, including post-incident reviews, regular tabletop exercises, and document reviews. Document the plan, communicate it to everyone with a role in it, test it, and improve it based on what the tests reveal. 

 

8) Conduct regular testing and improvement.

NIS2 compliance is not a one-and-done project. The obligations are continuous, the threat landscape is constantly changing, and every new addition, update, or configuration change to your environment introduces new risks.

As your environment changes, you'll want to ask yourself routinely, "Is what we're doing still the best fit?" That's why 34% of organizations plan to permanently increase their budget to maintain NIS2 compliance, and, to be frank, those who don't may be putting themselves at a disadvantage.


"Under NIS2, cyber security becomes a strategic priority. Organizations are expected to adopt a risk-based approach, with strong governance, proportionate controls, and effective incident response. These capabilities are now fundamental to ensuring operational resilience in a dynamic threat landscape."

Julian Brown, Managing Consultant RM&G | NCC Group

Final thoughts

On a broader scale, the March 2025 ENISA report recommends stronger collaboration within and across sectors and the development of sector-specific guidance for implementing cyber risk management measures.

It also recognizes the critical importance of upskilling and reskilling national authorities to harmonize NIS2 implementation, as well as initiating cross-border cyber security exercises to enhance crisis response and help mitigate the cascading effects of cyber incidents—all of which will hopefully come to fruition as NIS2 compliance expands.

While NIS2 compliance might feel daunting, especially for entities newly under the scope of inclusion, it doesn't have to be overwhelming. NCC Group has the certified experts, experience, and resources to guide you through achieving compliance—including the supporting services you need to maintain it.

 


 

Find expert support for all of your NIS2 compliance challenges. 

Our team can take you through it step by step. Prepare, assess, achieve, and maintain compliance while improving your organization's cyber resilience.