Cyber Security

NIS2 - a step forward in Cyber Security

How it all started: On December 27, 2022, the European Union published the successor to the original NIS Directive: the NIS2 Directive. The Network and Information Security (NIS) Directive aims to prescribe the minimum cybersecurity measures required to ensure a high level of protection for digital systems and cyber resilience. The directive is expected to be transposed into national legislation in 2026, from which point compliance becomes mandatory for many organizations.

So what's new? The directive distinguishes between essential and important entities across various sectors. Under NIS2, a significantly larger number of organizations — including many smaller ones — will fall within the scope of the regulation. This can already apply to organizations with just 50 employees or an annual turnover and balance sheet total of €10 million.

The new directive states that any organization where a disruption or incident could affect public safety, security or critical services - or pose systemic risk - will automatically fall under the NIS2 directive.

The objective of the NIS2 directive

The objective is to raise the level of Cyber Security in the EU. How? By:

  • Increasing cyber resilience across multiple sectors
  • Mandating the implementation of cybersecurity measures
  • Imposing stricter incident reporting obligations
  • Harmonizing cybersecurity rules across EU member states
  • Strengthening cross-border cooperation between member states

So what's new?

Scope - NIS2 introduces several significant changes compared to its predecessor. Its scope covers more sectors labeled as “essential” or “important,” including their suppliers, and it now also includes medium-sized and small organizations. NIS2 introduces stricter rules for “strategic entities,” such as public authorities and the defence and energy sectors. Organizations are also required to address cybersecurity risks within their supply chains.

Reporting obligations and penalties - A broader range of security incidents must now be reported, and within shorter timeframes. Organizations that fail to comply face significantly higher penalties than before — up to €10 million or 2% of global annual turnover — and executive liability may apply.

Requirements and obligations - The NIS2 Directive obliges organizations to assess and manage the cybersecurity risks associated with their ICT systems. This includes both identifying and mitigating risks, and reporting incidents. There are three core concepts involved: duty of care, reporting obligation, and regulatory supervision.

Duty of care - Organizations must conduct their own risk assessments. Based on those results, they are expected to take appropriate measures to ensure service continuity and to protect sensitive information.

Reporting obligation - Significant incidents must be reported to the supervisory authority within 24 hours. This applies to incidents that could seriously disrupt the delivery of essential services. In the case of a cyber incident, the organization must also report it to the Computer Security Incident Response Team (CSIRT), which can then provide support and assistance. Factors that may determine whether an incident must be reported include:

  • The number of people affected
  • The duration of the disruption
  • Potential financial losses

Supervision - Entities covered by the directive will automatically come under regulatory supervision. Authorities will monitor compliance with obligations such as risk assessments and incident reporting.

The Challenges

IT plays a critical role within organizations, so this is a lot to deal with. You might recognize some of these challenges:

Keeping up with evolving cybersecurity threats while navigating the demands of new regulations like the NIS2 Directive can feel overwhelming. The pressure to secure digital infrastructure, respond quickly to incidents, and ensure ongoing compliance is a real and growing challenge.

One of the biggest concerns is having the right security measures in place. With increasingly sophisticated cyberattacks, basic defenses are no longer enough. Organizations need to rely on advanced technologies—from firewalls and intrusion detection systems to constantly updated malware protection—to stay ahead.

Another common challenge is responding effectively when something does go wrong. Having a clear, well-rehearsed incident response plan is critical to minimizing damage and restoring operations quickly. This includes not only technical procedures but also communication strategies to keep all stakeholders informed.

Cybersecurity isn’t just a technical issue—it’s a human one too. Employees are often the first line of defense, and raising awareness about threats and best practices can significantly reduce risk. However, creating a culture of security takes time, resources, and consistent training.

Meeting compliance requirements is also a heavy lift. Organizations need to align with international standards, keep detailed records, and undergo regular audits to demonstrate that they’re taking security seriously.

Finally, many teams struggle to keep up with the pace of change on their own. That’s why collaboration—sharing knowledge, staying informed, and working closely with trusted partners—is more important than ever.

What can you do now?

This is how you can start to prepare:

  1. Determine whether your organization falls under the scope of the NIS2 Directive:
    If the answer is yes, you are required to register. This will help build a comprehensive overview of all entities subject to NIS2 across Europe.
  2. Conduct a risk assessment of your organization’s digital threats:
    Based on this analysis, appropriate cybersecurity measures must be taken to ensure service continuity and protect information assets.
  3. Establish your incident reporting process:
    Incidents must be reported to the supervisory authority within 24 hours if they could significantly disrupt essential services. Cyber incidents must also be reported to the CSIRT. Criteria for whether an incident is reportable include the number of individuals affected, duration of disruption, and potential financial damage.
We're happy to help!

At Yuma we speak human. And Data. We're ready to help you define, develop, and implement the right measures for your organization.


Louis Joosse