What does NIS2 mean – and why do you need to act now?

NIS2 is the EU’s new directive on cybersecurity – and it affects significantly more businesses than before. The goal? To strengthen the protection of critical services in society by increasing resilience to cyber threats, incidents and inadequate risk management. But for many companies, it also means a new reality: responsibilities, requirements and obligations that must be understood, documented – and followed up on.

Background: from NIS to NIS2

The first version of the NIS Directive (Network and Information Security) came into force in 2018. It focused primarily on security requirements for a number of designated sectors such as energy, transport and digital infrastructure.

But reality has changed rapidly. Cyber attacks are more sophisticated, more industries are dependent on digital flows – and the definition of what counts as "critical infrastructure" has broadened.

Therefore, the old directive is now being replaced by NIS2, which sets higher and more uniform requirements for technology, management and documentation.

Who is covered by NIS2?

One of the biggest changes with NIS2 is how much broader the directive is compared to its predecessor. It no longer applies only to a few critical infrastructure operators – now it includes a wide range of activities, both in the public and private sectors.

If your organisation offers digital services or infrastructure in areas such as IT, municipal services, property management, customer service, HR-related functions or the manufacturing and logistics sector, there is a good chance that you are covered by NIS2. This also applies to operators acting as subcontractors in any of these sectors – even there, risks in the supply chain must be managed in accordance with the directive.

For many, this means thinking more proactively about structures for case management, about how security incidents are handled, and about who holds which roles and responsibilities. A unified case management system – supporting both technical and non-technical departments – becomes a central part of meeting traceability and documentation requirements.

Companies that already work according to frameworks such as ITIL incident management or Enterprise Service Management (ESM) often have a head start. They already have established processes for handling incidents, following up on cases and documenting measures. But even there, NIS2 may require that the systematisation be broadened and that management be more directly involved.

There are two main criteria that determine this:

  • Industry/sector – are you on the list of critical or essential businesses?
  • Size – do you have more than 50 employees or an annual turnover exceeding €10 million?

If you meet both criteria, there is a good chance that you are covered. In that case, it will soon be a legal requirement to comply with the directive’s rules.

This is what NIS2 requires of you

It’s not just about installing firewalls. NIS2 has a broader scope:

Management responsibility: The board and management bear ultimate responsibility for ensuring that security work is carried out in accordance with requirements.

Risk management and action plans: You must identify risks, prevent incidents and have procedures in place to deal with them if they occur.

Incident reporting: Security incidents must be reported within 24 hours.

Supply chain: You are also responsible for external actors that affect your digital security.

Continuous documentation: You should be able to demonstrate how you work with compliance and improvement.

It is therefore a question of technology, processes and culture.

From demands to concrete action

Many organisations are now facing the same questions: Where should we start? What do we need to do? Do we already have some elements in place?

The first step is to understand your current situation. Do you have control over which systems and flows are critical? Are there procedures in place for incident management? Is security work documented and supported by management?

The next step is to identify the gaps and develop a concrete action plan. A structured case management system can play an important role here, particularly in terms of incident reporting, traceability, responsibility allocation and follow-up.

NIS2 is not just a set of rules – it is an opportunity

Sure, NIS2 may feel like an administrative requirement. But it is also an opportunity to strengthen your business’s resilience – and build a more secure foundation for your operations. By actively working with cyber security, you not only get happier customers and partners – you also reduce the risk of downtime, data breaches or costly disruptions.

And perhaps most importantly, you demonstrate that you take responsibility for the digital trust that modern businesses rely on.
