Cybersecurity has become a strategic priority for organisations of all sizes. In response to the growing number of cyber threats and increasingly sophisticated attacks, the European Union introduced the NIS2 Directive to strengthen the resilience of businesses and public administrations.

Building on the original NIS Directive, NIS2 significantly expands the number of organisations concerned and introduces new requirements for governance, risk management and incident reporting.

With the first implementation deadlines approaching, one question remains: Is your organisation truly prepared?

In this article, we review the key obligations introduced by NIS2, identify which organisations are affected and outline the actions that should be taken today.

What is the NIS2 Directive?

The Network and Information Security Directive 2 (NIS2) is a European regulation designed to strengthen cybersecurity across all Member States.

Its objectives are twofold:

  • Improve organisations’ resilience against cyber threats.
  • Harmonise cybersecurity requirements throughout the European Union.

Unlike the original directive, NIS2 no longer applies solely to Operators of Essential Services. Its scope has been considerably broadened and now covers thousands of additional organisations.

Which organisations are affected?

The Directive distinguishes between two categories.

Essential entities

These include organisations operating in sectors such as:

  • Energy
  • Transport
  • Healthcare
  • Banking
  • Digital infrastructure
  • Public administration
  • Drinking water

Important entities

NIS2 also extends to many additional sectors, including:

  • Digital services
  • Cloud service providers
  • Data centres
  • Waste management
  • Manufacturing
  • Research
  • Postal services

Company size, turnover and the organisation’s role within the supply chain may also determine whether NIS2 applies.

As a result, many SMEs and mid-sized organisations are discovering that they fall within the scope of the Directive.

The key NIS2 requirements

Compliance goes far beyond implementing additional security tools.

It requires a comprehensive cybersecurity governance framework.

Organisations will be expected to:

Implement risk management measures

Cyber risks must be identified, assessed and monitored on an ongoing basis.

This includes:

  • Documented security policies
  • Risk assessments
  • Business continuity and disaster recovery plans
  • Backup management

Secure the supply chain

Supply chain attacks continue to increase.

NIS2 therefore requires organisations to assess and manage cybersecurity risks linked to suppliers, subcontractors and business partners.

Cybersecurity is no longer an individual responsibility—it is a collective one.

Strengthen governance

Senior management is now directly accountable.

Executives must:

  • Approve cybersecurity measures
  • Oversee their implementation
  • Receive appropriate cybersecurity training

Cybersecurity becomes a governance issue alongside financial and regulatory risks.

Report significant incidents

Major cybersecurity incidents must be reported to the relevant authorities within defined timeframes.

The objective is to improve coordination across Europe and reduce the impact of cyberattacks.

What are the risks of non-compliance?

Beyond potential financial penalties, failing to prepare may result in significant consequences, including:

  • Business disruption
  • Data loss
  • Reputational damage
  • Loss of customer and partner confidence
  • Increased management liability

NIS2 compliance should therefore be viewed as an investment in organisational resilience rather than a regulatory burden.

How can your organisation prepare?

Compliance cannot be achieved overnight.

The first steps generally include:

  • Determining whether your organisation falls within the scope of NIS2
  • Conducting a cybersecurity maturity assessment
  • Mapping cyber risks
  • Identifying compliance gaps
  • Defining a prioritised implementation roadmap

This structured approach helps organisations anticipate investments, engage stakeholders and progressively reduce cyber risks.

How Lùkla can help

At Lùkla, we support organisations in strengthening their cybersecurity posture.

Our experts provide assistance in areas including:

  • Security audits
  • Risk assessments
  • Cybersecurity governance
  • Cloud infrastructure security
  • Business continuity planning
  • Regulatory compliance support

Our approach combines technical expertise, business understanding and long-term support to deliver cybersecurity strategies tailored to each organisation’s needs.

Preparing today to secure tomorrow

The NIS2 Directive represents a significant shift in the way organisations approach cybersecurity.

More than a regulatory requirement, it offers an opportunity to strengthen information system resilience and foster a lasting cybersecurity culture.

Organisations that take action now will reduce their exposure to cyber risks, improve their security maturity and be better prepared for tomorrow’s evolving threat landscape.

Consent