The scope expansion you may have missed
The first version of NIS (2016) covered roughly seven sectors narrowly defined as "operators of essential services". NIS2 covers fifteen sectors — including digital infrastructure, public administration, postal and courier services, waste management, food production, and manufacturing of critical products — split into "essential" and "important" entity categories.
The practical implication for enterprises in our region: many organisations that did not consider themselves in-scope under the old regime are now essential or important entities under NIS2, with associated obligations around risk management, incident reporting, and supply-chain due diligence.
Most organisations we work with have not yet completed a formal scope assessment. If you are uncertain whether you are in scope, the answer is often "yes" — and the cost of finding out late is materially higher than the cost of finding out now.
The obligations that actually matter operationally
NIS2 imposes a dozen categories of obligation. Three are operationally significant enough to drive programme structure:
Cyber-risk management. Essential and important entities must implement appropriate technical and organisational measures — with risk assessment, policies, training, and management oversight. Regulators are increasingly asking "what is your risk, and how is it trending?" and expecting an evidenced answer in business terms.
Incident reporting. Significant cyber incidents must be reported to the national authority within 24 hours (early warning), 72 hours (incident notification), and one month (final report). Most organisations do not have incident-response runbooks structured around this timeline — and learn this the hard way during their first incident.
Supply-chain risk management. Operators are responsible for the cyber risk of their critical suppliers. That means maintaining a third-party register, conducting due diligence, and ensuring contract terms support your obligations. If your supplier is breached, that incident can become your incident in the regulator's view.
What "adequate" actually means
NIS2 does not prescribe specific technical controls — it requires "appropriate" and "proportionate" measures. In practice, regulators are converging on a subset of widely accepted frameworks as the default:
• ISO 27001 — as the backbone of the management system
• IEC 62443 — for operators with OT environments
• Sector-specific frameworks (BCBS for banking, DORA for financial services more broadly, etc.)
Organisations that have already implemented ISO 27001 typically require 12-16 weeks of additional work to reach NIS2 readiness. Organisations starting from a less mature baseline require more — typically 6-9 months for essential entities.
The penalties are real
NIS2 introduces personal liability for senior management — management bodies can be held personally liable for failure to implement adequate measures. Corporate penalties reach €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities.
More operationally significant: a non-compliant organisation can be ordered to cease non-compliant activities, which in practice means the regulator can order systems offline until remediation is complete. Most executive boards care more about this consequence than the financial one.