Skip to content

NIS2 Compliance: Requirements and Implementation Risks

In a nutshell: NIS2 requires critical infrastructures and large digital service providers to implement comprehensive security management with strict deadlines and liability risks for executives.

The NIS2 Directive presents companies with significant compliance requirements, whose implementation still proves challenging for many organizations. EY analyzes the essential requirements, typical risks and practical implementation approaches.

The Network and Information Security Directive NIS2 obliges operators of critical infrastructures and important digital services to adhere to elevated security standards. Unlike its predecessor directive NIS1, the scope of application expands considerably and now also covers larger enterprises from sectors such as energy, transport, water, health, finance and digital infrastructure.

For CISOs and IT security managers, concrete requirements emerge in the areas of risk management, incident reporting, cybersecurity training, access control and technical measures against outages and tampering. A particular feature: NIS2 also requires monitoring of supply chains and third-party providers. Implementation deadlines have already been adjusted or are approaching in many EU countries.

The greatest practical risks arise from incomplete asset inventories, lack of prioritization and insufficient budgeting. Organizations that approach compliance as merely a checkbox exercise jeopardize their actual security posture. A systematic asset inventory, clear governance and regular reviews form the foundation for sustainable compliance.


Source: news.google.com · Published 9 July 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: