All resources
Blog 7 min read

NIS2: what actually changed, and the awkward question for your board

C1The Compliance One team18 February 2026

NIS2 is one of those regulations that arrived without much fanfare and then turned out to matter to a lot more companies than expected. If you operate in the EU, there's a real chance you're now in scope even if the original NIS directive never touched you — and the obligations have teeth.

More sectors, fewer exemptions

The directive widened its net considerably: energy, transport, health, digital infrastructure, manufacturing, waste, food, and a range of digital service providers. If you assumed "that's for critical national infrastructure, not us," it's worth checking again, because "us" got a lot bigger.

The awkward part: management is on the hook

Here's the change that makes NIS2 different. It puts responsibility for cyber-risk oversight on the management body — and expects them to be trained on it. Cybersecurity is no longer something the board can nod at and delegate entirely. It's a leadership duty, with real consequences for getting it wrong. That tends to focus minds.

The 24-hour clock

Significant incidents require an early warning to authorities within 24 hours, followed by staged reporting. Twenty-four hours is not a lot of time to figure out your process from scratch while also fighting a fire. Having incident workflows ready in advance is the difference between a controlled, credible response and a very public scramble.

What to do about it

  • Confirm whether you're an essential or important entity — the net is wider than most assume.
  • Implement the baseline risk-management measures and, crucially, be able to evidence them.
  • Stand up incident workflows that can hit the 24-hour warning without heroics.
  • Get leadership genuinely engaged — it's now their legal responsibility, not just IT's.

The upshot

NIS2 is less a new burden than a formalisation of what mature companies already do — with the volume turned up and the board in the room. Compliance One maps its requirements to an implementable control set, keeps your evidence audit-ready, and gives leadership the reporting they now need to answer for. Getting ahead of it beats explaining to a regulator why you didn't.

See it on your own frameworks

Book a 30-minute walkthrough and we'll map Compliance One to your environment.