General Counsel

May 05, 2025

From NIS1 to NIS2: How cybersecurity compliance is changing in the EU

The regulatory landscape for cybersecurity in Europe is undergoing one of its most significant overhauls in years. With the transition from the NIS Directive (NIS1) to the far-reaching NIS2 Directive, the European Union is fundamentally reshaping how organizations must approach cyber risk and operational resilience. What was once seen as a compliance checklist is now becoming a core component of corporate governance, with major implications for sectors ranging from energy and finance to digital infrastructure and healthcare.

This article examines the evolution from NIS1 to NIS2, highlighting the critical differences between the two frameworks, the new challenges organizations face, and the practical steps they can take to meet rising expectations.

Understanding the leap: what NIS1 covered and where it fell short

When the EU adopted the NIS Directive (Directive (EU) 2016/1148), it was a landmark step. For the first time, operators of essential services (like energy, transport, and banking) and digital service providers (like cloud computing providers) were legally required to adopt cybersecurity measures and report incidents.

But NIS1 had its cracks. It gave member states wide discretion in implementation, leading to uneven enforcement across the EU. Smaller digital service providers were often overlooked, and reporting thresholds for incidents were vague, allowing underreporting to persist. Organizations that technically complied could still be vulnerable, and regulators lacked teeth to hold them accountable.

To visualize the key differences in scope and enforcement between NIS1 and NIS2, take a look at the table below.

Comparing NIS1 and NIS2 at a glance

Directive | Scope of entities | Enforcement power | Incident reporting | Governance requirements
NIS1 | Essential services, some digital service providers | National-level enforcement, often fragmented | Only major incidents, vague thresholds | General risk management duties
NIS2 | Essential and important entities across more sectors, including medium-sized enterprises | Stronger, harmonized enforcement with EU oversight | All significant incidents with defined thresholds | Detailed governance, accountability, and supply chain security

This table underscores why NIS2 was needed: to expand coverage, sharpen requirements, and unify enforcement across Europe.

The NIS2 overhaul: new obligations and higher stakes

The NIS2 Directive, which came into force in January 2023, builds on the lessons of its predecessor with sweeping changes. It expands the list of sectors to cover providers like data centers, managed services, and public electronic communications networks. More importantly, it introduces “important entities” alongside “essential entities,” broadening its net to include medium-sized companies that were previously under the radar.

Another crucial shift is the clear focus on governance and accountability. Under NIS2, company boards and management bodies are explicitly responsible for ensuring compliance—a wake-up call for leaders who previously saw cybersecurity as an IT problem.

To highlight how accountability has evolved, consider the table below.

Shifting accountability under NIS2

Area | NIS1 approach | NIS2 approach
Board involvement | Minimal, often delegated to IT or security teams | Mandatory, with explicit liability for top management
Supply chain | Limited requirements | Mandatory risk assessment and oversight of suppliers
Reporting | National discretion, loosely enforced | Strict EU-level thresholds, 24-hour incident notification

The consequences for non-compliance have also intensified. National authorities can now impose administrative fines up to €10 million or 2% of global turnover, whichever is higher—a powerful motivator for boardrooms to take notice.

Challenges on the ground: where organizations are struggling

As I’ve spoken with compliance and ICT teams across sectors, a recurring theme has emerged: the shift from technical compliance to cultural change. Under NIS2, it’s not enough to have a firewall or an incident response plan on paper. Regulators want to see evidence of continuous risk management, tested procedures, and proactive board oversight.

Many organizations are grappling with the expanded supply chain security demands, especially when dealing with smaller vendors who may lack resources to meet NIS2 standards. Risk assessments that once focused inward now have to map the entire ecosystem, which can be overwhelming without the right tools and frameworks.

To illustrate where the most common struggles arise, here’s a summary table.

Common organizational challenges in meeting NIS2

Challenge | Description
Supply chain oversight | Difficulty assessing and managing third-party cybersecurity risks
Board-level accountability | Limited cybersecurity expertise among leadership, leading to compliance gaps
Incident reporting | Struggles to meet tight timelines for notification and follow-up
Resource constraints | Mid-sized firms lack budget or staff to operationalize new requirements

These challenges highlight why compliance leaders need to rethink their approach, moving from box-ticking exercises to embedded cybersecurity practices.

Moving forward: practical steps for compliance

Transitioning to NIS2 compliance requires a strategic approach, not just an operational one. Organizations must invest in governance structures that support cross-functional collaboration, ensuring that legal, IT, and executive teams are aligned.

Key steps include conducting comprehensive gap assessments, updating incident response and notification procedures, and—perhaps most critically—investing in board-level training. Without leadership buy-in, compliance efforts risk stalling or becoming superficial.

To help you focus efforts, here’s an overview of practical priorities.

Priority actions for NIS2 compliance

Action | Why it matters
Conduct a gap analysis | Identifies where current controls fall short of NIS2 requirements
Update incident management plans | Ensures the organization can meet reporting timelines and expectations
Engage the board and management | Builds accountability and secures funding for necessary upgrades
Strengthen supplier management | Reduces risks introduced through third-party dependencies

By focusing on these areas, companies can position themselves not just for compliance but for genuine resilience.

Looking ahead: will NIS2 set the global standard?

The EU’s push with NIS2 is part of a broader trend toward harmonized, enforceable cybersecurity frameworks worldwide. As other jurisdictions observe Europe’s approach, NIS2 could influence global norms and regulatory expectations.

For companies operating internationally, this raises an important question: are you ready to align with a future where cybersecurity compliance isn’t just a European requirement but a global business standard?

General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.