General Counsel

May 05, 2025

NIS2 compliance for the critical infrastructure sector: essential tips

When a power outage paralyzed parts of Europe last year, the headlines focused on the immediate fallout — stranded trains, silent factories, and overwhelmed hospitals. But behind the scenes, what kept security leaders awake was not just the outage itself, but what it exposed: deep vulnerabilities in critical infrastructure and an urgent need to harden defenses.

This is the world that Directive (EU) 2022/2555, better known as NIS2, is stepping into. It’s no longer enough for critical infrastructure operators to install firewalls or patch systems on a schedule; they must now prove to regulators that they have robust, tested, and auditable cyber resilience programs in place. What’s at stake isn’t just uptime — it’s public trust, financial stability, and in some cases, national security.

Let’s break down the most essential steps to help you move beyond compliance checklists and build real operational resilience.

Confirm your legal status and board accountability

The first step in any NIS2 journey is understanding whether your organization falls under the scope of the directive. This isn't a box-ticking exercise; it's the foundation of your compliance strategy. Directive (EU) 2022/2555 distinguishes essential entities (typically larger operators in Annex I sectors such as energy, transport, banking, water and digital infrastructure) from important entities. Essential entities face proactive, ex ante supervision, including on-site inspections, and stiffer penalties; important entities are supervised ex post, after evidence of non-compliance emerges. Note that classification under Article 3 depends on your size as well as your sector, so two companies in the same sector can land in different categories.

Here’s a table summarizing how to verify your status:

Step | Action | Reference
Check Annex I/II | Review the Directive's Annexes to see whether your sector is listed (Annex I: sectors of high criticality; Annex II: other critical sectors) | EUR-Lex, Annex I/II
Assess criticality | Evaluate whether you operate critical infrastructure in energy, transport, finance, water, or digital sectors, and whether you meet the size thresholds of Article 3 that separate essential from important entities | See above
Determine supervision level | Understand whether you are subject to proactive (ex ante) supervision as an essential entity or reactive (ex post) supervision as an important entity, and the associated fines | See above
Determining your legal status under NIS2

Once this is confirmed, Article 20 of the directive puts the board firmly in the driver's seat. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and follow regular training themselves; they can be held liable for infringements. Record board decisions meticulously: beyond fines, Article 32 allows regulators to temporarily bar individuals at CEO or legal-representative level of an essential entity from exercising managerial functions.

Map baseline controls and align with operational realities

Mapping your current controls against NIS2's requirements is where things get technical, but it's also where you gain valuable insight into your gaps. Article 21(2) lists 10 baseline cybersecurity measures, points (a) to (j), from risk analysis policies to incident handling and secured communications.

The table below captures these controls and their operational relevance:

Control area | Focus
(a) Risk analysis and information system security policies | Identify and evaluate internal and external risks
(b) Incident handling | Define clear protocols for responding to security events
(c) Business continuity, backup and crisis management (BC/DR) | Ensure operations can continue during crises
(d) Supply chain security | Assess and manage risks from third-party vendors and direct suppliers
(e) Security in acquisition, development and maintenance, including vulnerability handling and disclosure | Integrate security in development pipelines and patch vulnerabilities
(f) Effectiveness assessment | Regularly test and validate security controls
(g) Cyber hygiene and training | Promote basic practices and provide ongoing employee training
(h) Cryptography and encryption policies | Secure sensitive data in storage and transit
(i) HR security, access control and asset management | Manage user privileges and protect critical assets
(j) MFA and secured communications | Implement multi-factor or continuous authentication and secured voice, video, text and emergency communications
Baseline cybersecurity controls under Article 21(2)

To dive deeper, Implementing Regulation (EU) 2024/2690 spells out these measures in detail, from asset inventories to role definitions. It is legally binding only for the digital infrastructure and digital service providers within its scope (DNS, cloud, data centre, managed service providers and similar), but it is the most concrete checklist the EU has published so far, and auditors in other sectors will read it the same way. It's worth familiarizing yourself with it to prepare for audits.

Expand risk analysis to cover OT and IT environments

One common pitfall I see is organizations focusing only on IT, neglecting operational technology (OT) environments like industrial control systems. This is risky because attackers increasingly target OT to disrupt critical services.

Here’s a table outlining the key steps in an integrated risk analysis:

Component | Description
Asset identification | Map critical IT and OT assets, including PLCs, HMIs and engineering workstations
Threat assessment | Analyze both internal and external threat landscapes
Prioritization | Rank assets and risks based on criticality
Security controls selection | Choose measures like network segmentation, advanced monitoring, and intrusion detection
Components of a full-spectrum risk analysis

Stress-test incident response and tighten supply chain controls

When a significant incident happens, the clock starts ticking. Article 23 mandates three tight deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours that updates the early warning with an initial assessment, and a final report within one month of that notification, with intermediate progress reports on request. Legal, communications, and OT teams need to rehearse together, not in silos.

At the same time, your supply chain contracts must include NIS2-specific clauses, from the right to audit to joint participation in incident simulations. Article 21(2)(d) makes supply chain security one of the mandatory measures, and Article 21(3) requires you to account for the specific vulnerabilities of each direct supplier, so this is no longer optional.

Focus area | Requirements
Incident response deadlines | 24h early warning, 72h incident notification, final report one month after the notification (plus intermediate progress reports on request)
Contractual safeguards | NIS2-aligned clauses: right to audit, security by design, a supplier notification window (the article suggests 24h) short enough to let you meet your own 24h early warning, joint tabletop exercises
Incident response and supply chain readiness

Build continuous monitoring and testing capabilities

Monitoring isn't about collecting data for the sake of it; it's about creating a resilient, evidence-backed security posture. Feed OT telemetry into your SIEM/SOC, deploy anomaly detection, and retain logs long enough to reconstruct an incident and produce the one-month final report. NIS2 itself sets no fixed retention period; 12 months is a common baseline.

You should also go beyond internal checks by running independent penetration tests and red-team exercises. Article 32 explicitly empowers regulators to order targeted security audits and on-site inspections of essential entities (Article 33 gives them similar ex post powers over important entities), so it's wise to stay ahead of the curve.

Activity | Purpose
SIEM/SOC integration | Centralize log collection and detect anomalies, especially in OT environments
Penetration testing | Identify vulnerabilities across IT and OT systems (with OT tests scoped so they cannot disrupt live processes)
Red-team exercises | Simulate real-world attacks to assess and improve detection and response capabilities
Continuous monitoring and independent testing
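To make the "feed OT telemetry into a SIEM and detect anomalies" step concrete, here is an added example (it is not code from the original article or from any product it mentions) of a minimal detection pass over constructed Modbus/TCP connection logs. Two rules run: flag a source address never seen on the OT segment before, and flag a state-changing Modbus request from any host outside the engineering-workstation allowlist. The JSON log format, the host addresses, the allowlist and the baseline are all assumptions made for illustration; in production the baseline would be learned over a quiet period rather than hard-coded.

```python
# Added example, not code from the original article: a minimal SIEM-style
# detection pass over constructed OT telemetry. The JSON log format, host
# addresses, allowlist and baseline below are assumptions for illustration.
import json
from collections import Counter
from dataclasses import dataclass

# Modbus function codes that change PLC state (coil/register writes).
# Reads (1-4) are normal traffic and are not flagged.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Assumed allowlist: only the engineering workstations may write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.20.5", "10.10.20.6"}

# Assumed baseline of hosts normally seen on the OT segment.
BASELINE_OT_HOSTS = {"10.10.20.5", "10.10.20.6", "10.10.40.7"}

# Constructed sample telemetry: one JSON record per Modbus/TCP request.
SAMPLE_TELEMETRY = [
    '{"ts": "2025-05-05T08:00:01Z", "src": "10.10.20.5", "dst": "10.10.30.11", "function_code": 3}',
    '{"ts": "2025-05-05T08:00:02Z", "src": "10.10.20.5", "dst": "10.10.30.11", "function_code": 16}',
    '{"ts": "2025-05-05T08:00:05Z", "src": "10.10.40.7", "dst": "10.10.30.11", "function_code": 3}',
    '{"ts": "2025-05-05T08:01:10Z", "src": "10.10.99.23", "dst": "10.10.30.12", "function_code": 6}',
    '{"ts": "2025-05-05T08:01:11Z", "src": "10.10.99.23", "dst": "10.10.30.12", "function_code": 5}',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    detail: str


def detect(lines, allowlist=ENGINEERING_WORKSTATIONS, baseline=BASELINE_OT_HOSTS):
    """Run two rules over telemetry lines and return (findings, malformed_count).

    new-ot-talker: a source address not in the OT baseline (reported once).
    unauthorized-plc-write: a state-changing Modbus request from a host
    outside the engineering-workstation allowlist (reported per request).
    Malformed lines are counted rather than silently dropped, because a
    parser that swallows bad records is itself a detection gap.
    """
    seen = set(baseline)
    findings = []
    malformed = 0
    for line in lines:
        try:
            rec = json.loads(line)
            src, dst, fc = rec["src"], rec["dst"], int(rec["function_code"])
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        if src not in seen:
            seen.add(src)
            findings.append(Finding("new-ot-talker", src, dst,
                                    f"{src} not in OT baseline"))
        if fc in WRITE_FUNCTION_CODES and src not in allowlist:
            findings.append(Finding("unauthorized-plc-write", src, dst,
                                    f"function code {fc} from non-engineering host"))
    return findings, malformed


def summarize(findings):
    """Count findings per rule, the shape a SOC dashboard would consume."""
    return dict(Counter(f.rule for f in findings))


def run_sample():
    """Run the rules over the constructed sample telemetry."""
    return detect(SAMPLE_TELEMETRY)


if __name__ == "__main__":
    findings, malformed = run_sample()
    for f in findings:
        print(f"[{f.rule}] {f.src} -> {f.dst}: {f.detail}")
    print("summary:", summarize(findings), "malformed:", malformed)
```

On the constructed sample, the write from the known engineering workstation passes silently, while the unknown host 10.10.99.23 produces one new-ot-talker finding and one unauthorized-plc-write finding per write request. The point for an audit is not the rule itself but that its output, the allowlist and the baseline are versioned artifacts you can show a regulator.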

Create an audit-ready evidence library and track enforcement trends

Many organizations stumble at the documentation stage — but under NIS2, regulators can demand evidence at any time. Centralize policies, risk registers, supplier assessments, training records, and board minutes into an “audit-ready” library.

Moreover, understand the financial stakes: under Article 34, Member States must provide for maximum fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities; national law can go higher. To stay aligned and accelerate compliance, leverage frameworks like ISO/IEC 27001:2022, NIST CSF 2.0, or CIS Controls, which ENISA's guidance on the Implementing Regulation maps to the Article 21 measures.

Preparation area | Action
Evidence centralization | Maintain a comprehensive, organized evidence repository
Framework alignment | Map controls to ISO/IEC 27001, NIST CSF or CIS Controls for faster documentation
Enforcement tracking | Monitor fine trends and document compliance decisions to show diligence in case of incidents
Preparing for audits and minimizing enforcement risks

Finally, don’t overlook upcoming guidance: ENISA’s post-consultation technical guide, expected in 2025, will offer practical templates — subscribing to ENISA’s feed can help you stay one step ahead of auditors.

Are you ready to turn compliance into resilience?

NIS2 compliance isn’t just a legal requirement — it’s an opportunity to strengthen your organization’s resilience against cyber threats. By engaging your board, aligning OT and IT security, tightening supply chain oversight, and building a culture of continuous testing, you set the stage for operational excellence.

The question now is: will you treat compliance as a checkbox exercise, or as the foundation of a more secure future?


General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.
  • DORA compliance
  • EU regulations
  • Cybersecurity risk management
  • Non-compliance penalties
  • Third-party risk oversight
  • Incident reporting requirements
  • Financial services compliance