2025-12-11

In January 2026, the new NIS2 directive comes into force. It introduces stricter cybersecurity requirements for both private and public organizations. For many, cybersecurity will no longer be optional, but driven by concrete technical and organizational obligations.

What is NIS2?

NIS2 is the EU’s new cybersecurity directive, replacing the original NIS directive from 2016. Its purpose is to strengthen the resilience of critical services and sectors across the union.

The directive requires more organizations to implement clear, measurable security controls, manage cyber risks proactively, and report serious incidents to the relevant authority.

NIS2 applies to a wider range of sectors, including:

  • Energy
  • Transport
  • Financial services
  • Healthcare
  • Digital infrastructure
  • Public administration
  • Waste management
  • Manufacturing of critical products (e.g. pharmaceuticals, electronics)

What is required from organizations in scope?

NIS2 sets both strategic and operational demands. Basic protection like firewalls or antivirus is no longer enough. To comply, your security work needs to be structured, risk-based and documented. You must assess risks continuously, maintain clear routines, and integrate security across your systems, processes and organization.

The directive requires you to:

  • Conduct ongoing risk assessments and maintain incident response routines
  • Ensure business continuity during disruptions or breaches
  • Implement vulnerability management and secure your entire supply chain
  • Train employees in cybersecurity
  • Report serious incidents quickly to the supervisory authority

These requirements apply to both technical controls and organizational responsibility. Under NIS2, senior management carries direct and personal accountability for cybersecurity.

What happens if you fail to comply with NIS2?

Non-compliance can lead to significant consequences. Management is personally responsible for ensuring that the organization meets the directive. Cybersecurity can no longer be delegated away or ignored, and shortcomings may result in legal liability for responsible individuals.

The reporting requirements are also strict.

  • An initial notification must be submitted within 24 hours of discovering a serious incident
  • A detailed follow-up report is required within 72 hours

Failure to comply can result in sanctions, including fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher.

Checklist: Are you ready for NIS2?

To make NIS2 compliance as straightforward as possible, we’ve created a practical checklist to assess your current state, identify gaps, and clarify where action is needed.  

1. Are you in scope?

  • Have you confirmed whether your organization is classified as “essential” or “important”?
  • Do you meet the size thresholds?
  • Are there specific reasons why you may still fall under NIS2, even if you’re outside the designated sectors?

2. Is responsibility anchored in management?

  • Do the board and leadership team understand their legal obligations?
  • Has management approved your security strategy and operating model?
  • Is there continuous training or competence development at leadership level?

3. What does your cybersecurity look like in practice?

  • Do you have an updated risk analysis and a defined process for assessing threats?
  • Are there established plans for incident response, backup and recovery?
  • Have you identified and addressed supply chain vulnerabilities?
  • Do you follow essential security practices such as patching, hardening and vulnerability scanning?
  • Do you use MFA and apply least privilege principles?
  • Is data encrypted both at rest and in transit?

4. Are you ready to report incidents?

  • Have you defined what constitutes a notifiable incident?
  • Do you have a responsible contact and a clear process for reporting to the correct authority?
  • Can you technically and organizationally report within 24 hours?

We help you meet the requirements

At Cyloq, we work with organizations that want to move from basic protection to measurable risk reduction. Through offensive testing, strategic guidance and continuous security assessment, we help you not only comply with NIS2, but build long-term resilience in an evolving threat landscape.

Do you need support understanding what NIS2 means for your organization – and how to meet the requirements in practice?

Explore our latest news


Cyloq joins groundbreaking project for future-proof secure communication

December 11, 2025

Together with Luleå University of Technology, the Swedish Armed Forces, Telia and several other partners, Cyloq is developing new solutions for secure and resilient communication in environments where conventional networks fall short.

The project, funded by Vinnova through Advanced Digitalisation, focuses on developing and pilot-testing carrier-agnostic overlay networks — solutions that enable secure, interoperable and robust communication regardless of whether connectivity is provided via WiFi, 4G/5G or satellite.  

Within the scope of the project, several key cybersecurity challenges are being addressed:

  • Post-quantum security
  • Encryption of sensitive traffic
  • Practical testing in real-world scenarios, such as military exercises and rescue operations in mountain environments

Cyloq provides expertise in cybersecurity and vulnerability testing in critical environments.

We are proud to be part of this important initiative and look forward to contributing to solutions that strengthen Sweden’s cybersecurity and digital resilience.
