NIS2: what actually changed, and the awkward question for your board
NIS2 is one of those regulations that arrived without much fanfare and then turned out to matter to a lot more companies than expected. If you operate in the EU, there's a real chance you're now in scope even if the original NIS directive never touched you — and the obligations have teeth.
More sectors, fewer exemptions
The directive widened its net considerably: energy, transport, health, digital infrastructure, manufacturing, waste, food, and a range of digital service providers. If you assumed "that's for critical national infrastructure, not us," it's worth checking again, because "us" got a lot bigger.
The awkward part: management is on the hook
Here's the change that makes NIS2 different. It puts responsibility for cyber-risk oversight on the management body — and expects them to be trained on it. Cybersecurity is no longer something the board can nod at and delegate entirely. It's a leadership duty, with real consequences for getting it wrong. That tends to focus minds.
The 24-hour clock
Significant incidents require an early warning to authorities within 24 hours, followed by staged reporting. Twenty-four hours is not a lot of time to figure out your process from scratch while also fighting a fire. Having incident workflows ready in advance is the difference between a controlled, credible response and a very public scramble.
What to do about it
- Confirm whether you're an essential or important entity — the net is wider than most assume.
- Implement the baseline risk-management measures and, crucially, be able to evidence them.
- Stand up incident workflows that can hit the 24-hour warning without heroics.
- Get leadership genuinely engaged — it's now their legal responsibility, not just IT's.
The upshot
NIS2 is less a new burden than a formalisation of what mature companies already do — with the volume turned up and the board in the room. Compliance One maps its requirements to an implementable control set, keeps your evidence audit-ready, and gives leadership the reporting they now need to answer for. Getting ahead of it beats explaining to a regulator why you didn't.
See it on your own frameworks
Book a 30-minute walkthrough and we'll map Compliance One to your environment.