Key point: Starting in 2026, approximately 29,000 companies across Europe must conduct and submit formal risk analyses as part of NIS2 implementation.
The NIS2 Directive requires approximately 29,000 companies to conduct and document risk analyses from 2026 onwards. This affects additional sectors beyond existing critical infrastructures.
The National Information Security Directive 2 (NIS2) significantly expands the circle of obligated organisations. While its predecessor NIS1 primarily targeted critical infrastructure operators, NIS2 additionally covers large enterprises from sectors such as manufacturing, transport, banking and digital services. In total, approximately 29,000 companies are affected.
From 18 October 2026, these organisations must conduct a risk analysis, document it and present it to the competent authorities. The analysis must account for the current threat landscape and identify vulnerabilities in IT and OT environments (Operational Technology). This is a prerequisite for meeting further NIS2 requirements such as implementing appropriate technical and organisational measures.
For compliance officers, this means in concrete terms: risk analyses must not be treated as one-time activities, but must be regularly reviewed and updated. Documentation must be demonstrable and withstand audits. Companies should begin mapping their risk landscape now in order to invest in the required measures in good time.
Source: news.google.com · Published 6 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.