Navigating NIS 2 compliance [Q&A]


As the European Union updated the Network and Information Security (NIS 2) Directive in October last year, many companies were asking: what does it take to comply with this sweeping new regulation? Designed to tighten cybersecurity across critical industries, NIS 2 goes beyond the original directive’s framework, bringing strict rules, wider sectoral reach, and substantial penalties.
We spoke to Sam Peters, chief product officer at isms.online, to find out what businesses need to know to ensure compliance and understand the directive's impact on both operations and reputation.
BN: What sets NIS 2 apart from its predecessor, and why is compliance so challenging?
SP: NIS 2 builds on the original 2017 directive, which many argue fell short of protecting Europe's infrastructure against a rising wave of cyberattacks. While the first NIS regulation was intended as a collaborative measure, NIS 2 is far more demanding, introducing mandatory compliance with tough penalties for organizations that fall short.
Organizations will be held accountable not just for their internal security but also for the security of their partners and suppliers, making NIS 2 compliance a multi-layered challenge that affects nearly every aspect of a business’s digital operations.
BN: Who must comply with NIS 2, and what organisational changes will it demand?
SP: NIS 2 broadens the scope of regulated industries from seven to 15, covering sectors as diverse as healthcare, energy, digital service providers, finance, waste management, and postal services. For organizations in these industries, compliance will require substantial organizational change. This includes a comprehensive approach to risk assessment, incident response, and the systematic management of third-party relationships. Unlike its predecessor, NIS 2 extends these requirements to managed service providers and IT outsourcing firms, emphasizing the role of the entire supply chain in safeguarding essential services. This expanded scope means that organizations will need to reassess their cybersecurity posture from top to bottom, as well as monitor and secure external relationships in ways they may not have before.
BN: With fines matching GDPR, what are the repercussions for failing to comply with NIS 2?
SP: For companies that fail to meet NIS 2 requirements, the financial penalties are steep, matching the EU's General Data Protection Regulation (GDPR) with fines of up to €10 million or two percent of global turnover -- whichever is greater. However, these fines represent only a fraction of the potential fallout. Non-compliance can also result in forced security audits and mandated adherence to regulatory recommendations, disrupting business operations and damaging reputations. With the EU emphasizing the directive's role in protecting essential infrastructure, NIS 2 is positioned as non-negotiable, signaling to companies that cybersecurity deserves the same attention as data privacy under GDPR.
BN: How does NIS 2 compare to GDPR in terms of business impact, and what lessons can companies draw from GDPR’s implementation?
SP: NIS 2 and GDPR share similarities in both structure and enforcement. Both regulations set stringent requirements backed by significant penalties for non-compliance, signaling the EU’s commitment to high standards in data and cybersecurity. But while GDPR was primarily focused on protecting personal data, NIS 2 broadens the EU's regulatory scope to include the security of the networks and systems that power essential services.
For companies, the compliance journey for NIS 2 may feel familiar if they have already navigated GDPR. Many of the lessons learned from GDPR’s rollout -- such as the importance of cross-departmental collaboration, the need for clear documentation, and the value of third-party compliance support -- will be useful in adapting to NIS 2. Companies that proactively approached GDPR as a strategic initiative rather than a regulatory burden saw benefits in operational efficiency and trust, outcomes that NIS 2 can also foster if handled strategically.
BN: What specific steps should businesses take to get on top of NIS 2 compliance?
SP: With the October 17 deadline now passed, companies should prioritize a series of strategic actions to ensure they are meeting the requirements. First, conducting a thorough gap analysis will help identify areas where existing cybersecurity measures fall short of NIS 2 standards. Many companies will find that while they may have general security measures in place, they need to implement more rigorous controls, especially around incident response, third-party risk management, and supply chain security.
Another critical step is strengthening risk management practices. NIS 2 calls for a proactive approach, not only within an organization, but also across its entire ecosystem of suppliers and partners. This requires regular risk assessments and continuous monitoring to detect vulnerabilities before they become liabilities.
Establishing clear protocols for incident response and recovery is equally essential. NIS 2 mandates rapid response times for reporting incidents, with an initial report required within 24 hours and a full report within 72 hours. Implementing a detailed incident response plan will enable companies to meet this tight reporting deadline, minimizing disruption and helping them recover swiftly from incidents.
Finally, companies must reassess their third-party relationships to meet NIS 2's stringent supply chain security requirements. This means evaluating vendor cybersecurity standards, strengthening service level agreements (SLAs), and ensuring that each partner or supplier upholds the same level of security diligence. By embedding these requirements into SLAs, companies can ensure that cybersecurity is a shared responsibility across their supply chain.
BN: How does ISO 27001 factor into NIS 2 compliance, and why is it considered the 'gold standard' for preparation?
SP: ISO 27001 is widely regarded as a critical framework for information security management, and it’s no coincidence that it aligns closely with NIS 2 requirements. The ISO 27001 standard provides a comprehensive structure for managing information security risk, which is essential for companies seeking NIS 2 compliance. It addresses many of NIS 2’s requirements, including rigorous risk management, incident response, supply chain security, and clear documentation.
By obtaining ISO 27001 certification, companies can show that they have already met many of NIS 2’s security benchmarks. This standard is internationally recognized and demonstrates to clients, regulators, and partners that a company is committed to best practices in cybersecurity. Furthermore, ISO 27001’s structured approach ensures that cybersecurity is not a one-time effort but an ongoing process that includes regular audits, reviews, and improvements. In this way, ISO 27001 does more than meet compliance -- it creates a culture of security that can adapt to future regulations and threats.
BN: What competitive advantages can ISO 27001 certification offer beyond NIS 2 compliance?
SP: While ISO 27001 certification is an effective tool for NIS 2 compliance, its benefits extend far beyond regulatory needs. In an era when data breaches and cyberattacks are rampant, ISO 27001 certification serves as a mark of trust and accountability. It signals to clients, partners, and regulators that a company not only complies with industry standards but is actively invested in protecting sensitive information. This can provide a significant competitive advantage, as customers are increasingly aware of cybersecurity issues and prefer to work with organizations that prioritize security.
Moreover, ISO 27001 certification can improve internal operations by standardizing cybersecurity practices, reducing inefficiencies, and making it easier to respond to emerging threats. By building security into the company’s DNA, ISO 27001 ensures that cybersecurity is not a separate function but a core part of every decision and process, ultimately enhancing resilience in a rapidly changing digital landscape.
BN: How can businesses use NIS 2 as a cyber security driver?
SP: With the NIS 2 compliance deadline now in the past, companies that have yet to align with the directive are facing significant risks.
Beyond the immediate threat of regulatory fines, non-compliant organizations are increasingly vulnerable to cyber incidents, which could lead to operational shutdowns, reputational damage, and the erosion of customer trust. Without the structured cybersecurity practices required by NIS 2, these organizations may find themselves more susceptible to data breaches, service disruptions, and other cyber threats that the directive was designed to mitigate.
By implementing frameworks like ISO 27001, organizations can establish robust information security protocols that not only bring them in line with NIS 2 but also support long-term cybersecurity resilience. ISO 27001 provides a structured approach to risk management, incident response, and supply chain security -- elements critical to both NIS 2 compliance and effective cybersecurity.
While NIS 2 compliance is mandatory, it also represents an opportunity to build a more secure, resilient digital infrastructure. Organizations that prioritize these standards not only meet regulatory obligations but also enhance their operational resilience, reputation, and market competitiveness in an increasingly security-conscious landscape.