NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context

June 17, 2025

Cyber Security is a key component of any organization's strategy. We navigate a highly complex cyber landscape, as cyber threats have become systemic, transnational, and increasingly sophisticated.

For this reason, the European Union (EU) has introduced the NIS2 Directive 2022/2555, which highlights the need for robust measures to strengthen cyber resilience capabilities. Cyberattacks targeting critical infrastructure, supply chains, and government institutions are not only increasing in frequency but also in impact, with financial, operational, and geopolitical consequences. Should organizations, then, rethink their entire approach to Cyber Security and cyber resilience?

Impact of the NIS2 Directive on governance and corporate Cyber Security

The NIS2 Directive is the EU’s updated Cyber Security framework, replacing the NIS1 Directive 2016/1148 to address cyber challenges and threats as well as regulatory gaps and inconsistencies in implementation across member states.

As a result, the NIS2 Directive broadens its scope to cover more sectors, reinforces security requirements, and introduces stricter control mechanisms, including higher fines and executive accountability. In doing so it moves away from the flexible national transposition that led to the inconsistent application of NIS1 across member states.

The new directive enforces a unified, risk-based approach to ensure greater cyber resilience across the EU. It significantly expands the scope of regulated entities, going beyond traditional critical infrastructure sectors like energy, transport, and healthcare to include digital service providers, public administration, waste management, and manufacturing industries.


With this expansion, the EU acknowledges that modern cyber threats are not limited to traditional critical sectors but also affect interconnected or transnational supply chains and essential services.

Organizations are now categorized as either 'essential' or 'important' entities, and both categories must comply with strict Cyber Security measures. This reflects a shift in perception: Cyber Security is no longer just an IT issue, but a foundational pillar of business continuity, resilience, and risk management.

Measures and requirements to ensure cyber resilience

Accordingly, the directive (Article 21) introduces a minimum set of cyber risk management measures that all in-scope entities must implement. These include identity and access management, cryptography and encryption policies, strong (multi-factor) authentication, supply chain security, and cyber incident handling and response plans.

This also requires ongoing monitoring, regular security assessments, and crisis management strategies to ensure that organizations can detect, respond to, and recover from cyber incidents effectively. In addition, compliance must be demonstrable, with clear governance documentation, making Cyber Security a board-level responsibility rather than merely an operational concern.

Cyber Security is a foundational pillar of business continuity, resilience, and risk management.

A key aspect of this directive is its emphasis on supply chain security, recognizing that many cyber incidents stem from third- and fourth-party vendor vulnerabilities. Organizations are now required to assess and manage risks across their supply chain to ensure technical and regulatory Cyber Security compliance.

This shifts responsibility from merely protecting the organization's own technological infrastructure to actively overseeing the Cyber Security posture of third- and fourth-party vendors, turning Cyber Security into a shared effort that depends on the capabilities of, and cooperation between, all parties in the chain rather than an isolated responsibility. However, enforcing security standards in complex global supply chains remains a significant challenge.

Penalties and executive accountability in Cyber Security

At the same time, stricter penalties are introduced to ensure compliance: fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for entities classified as essential, and up to €7 million or 1.4%, whichever is higher, for important entities.

Moreover, executives and board members may be held professionally liable for Cyber Security matters. These penalties underscore the shift of Cyber Security from an IT issue to an executive-level priority, requiring organizations to embed security into their governance frameworks.

Governance, therefore, is no longer a technical or operational issue but a strategic and legal obligation across executive functions. Boards and executives must actively oversee cyber risk management, ensuring that decision-makers understand the organization's Cyber Security posture, its current level of maturity, and the potential impact of cyber threats on the business.

Cyber Security has shifted from being an IT issue to an executive-level priority.

Training, notification, and Cyber Security strategy

Executives are required to undergo Cyber Security training and may be deemed “professionally liable” for any non-compliance. This reflects a broader shift toward integrating Cyber Security into business strategy, pushing organizations to prioritize proactive management over reactive compliance.

In addition, cyber incident notification requirements are very strict. Organizations must report significant cyber incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month.

Strong Cyber Security practices can become a compelling value proposition for companies seeking to attract partners and customers who value security. Moreover, organizations that incorporate NIS2 compliance into a risk management strategy will be better prepared to adapt to future regulatory changes and confront cyber threats.

Conclusion

Beyond mere compliance, the resulting shift in corporate cyber strategies represents a key moment in the evolution of Cyber Security governance in Europe, as the focus moves from isolated technical controls to strategic cyber resilience across organizations.

It is important to emphasize that an organization's success with NIS2 will depend not only on compliance, but also on how well it adapts, innovates, and manages within an increasingly complex cyber environment.

NIS2 fosters a Cyber Security culture centered on cyber resilience, innovation, and proactive cyber risk management.

MORE FROM THIS SERIES

NIS2 Directive (II): Cyber Security obligations and their impact on European businesses
NIS2 Directive (III): Main obligations, security measures and key requirements
NIS2 Directive (IV): the cost of non-compliance in Cyber Security
Telefónica Tech