NIS2 is now in force. What does this mean for companies in practice?

NIS2 is now in force. The biggest challenges are only just beginning

The law implementing the NIS2 Directive has been signed and is now effective.
For many organizations, this is the moment when a natural question comes up:

are we compliant?

But from a practical perspective, that’s not the right first question.

A much more important one is:
would the organization be able to handle a real cyberattack today?

Because NIS2 does not change reality.
It only formalizes it.

Webinar on March 10: what do conversations with the market really show?

During the webinar held on March 10, we focused not on regulations, but on what cybersecurity looks like in practice.

The key takeaway?

Most organizations don’t lose to attacks because they lack technology.
They lose because of:

  • lack of decision-making,

  • lack of clear accountability,

  • lack of operational readiness.

These are exactly the areas NIS2 emphasizes today.

NIS2 is not a regulatory project. It is an organizational stress test

One of the biggest changes introduced by NIS2 is a shift in focus:

from technology → to risk management
from IT → to the executive level
from documentation → to execution capability

Regulators are no longer asking only:
“do you have a policy?”

They are starting to ask:

  • who makes decisions during an incident,

  • whether the organization knows what is critical,

  • whether it can operate under time pressure.

The most common question: is cybersecurity a cost?

This topic came through very clearly during the Q&A.

In many organizations, cybersecurity is still treated as an IT infrastructure cost.

The problem is that:
an attacker does not see it as a cost, but as an entry point.

For executives, the consequences are much easier to understand:

  • production downtime,

  • system unavailability,

  • revenue loss,

  • regulatory liability.

And that is the right language for the conversation.

Not “we are buying solution X,” but: we are reducing a specific business risk.

Proportionality in practice: where theory ends and reality begins

One of the most practical threads was the discussion on proportionality.

NIS2 clearly states:
organizations should manage risk in proportion to their scale and operations.

It sounds good — but in practice, the question is: what does “in proportion” actually mean?

Example: a freelancer with OT access

Does a sole trader have to meet the same full security requirements as a large organization?
No.

But they must meet a minimum that genuinely reduces risk:

  • access limited to a specific scope,

  • MFA,

  • a controlled access channel (e.g., VPN),

  • clearly defined security requirements in the contract,

  • the ability to verify compliance (audit).

The key question is not “is everything implemented?” but “is risk being consciously controlled?”

B2B contractors and sole proprietors (JDG, the Polish sole-trader form) – the biggest real NIS2 challenge

This was one of the most frequently discussed topics during the webinar.

On one hand:
organizations want to require exactly the same level of security from B2B contractors as internally.

On the other:
a sole proprietor is not able to implement a full security system.

The result?
An attempt to impose requirements that are:

  • not cost-justified,

  • operationally unfeasible,

  • often ignored in practice.

A sensible approach looks different:

  • define minimum security requirements,

  • align them with the level of access,

  • review periodically,

  • in critical cases, have the organization provide the equipment.

This is exactly what proportionality means in practice.

Technology is not security

During the Q&A, tools also came up — for example, implementing SIEM systems (such as Wazuh).

This is a very good example of the mindset NIS2 is trying to change.

Collecting logs does not solve the problem if:

  • no one analyzes them,

  • there is no response process,

  • there is no accountability.

One real-world example: the attacker was already present in the environment, but waited to act until the SOC shift ended.

Why?
Because they knew no one would respond.

This shows very clearly:
security is not about tools — it is about an organization’s ability to act.

NIS2 as a consequence of reality, not an “EU project”

If we look at NIS2 from a distance, one thing is clear: this regulation does not introduce anything “artificial.”

It describes:

  • how an attack works,

  • where organizations have the biggest gaps,

  • and what should be in place to counteract it.

That’s why organizations that focus only on documentation will build compliance.

But not resilience.

What next?

The biggest mistake you can make today is trying to do everything at once.

A much better approach is:

  1. assess current readiness,

  2. identify the biggest risks,

  3. organize accountability and processes,

  4. and only then — documentation.

Would you like to check where you stand today?

During the March 10 webinar, we showed how to approach this in practice — without fear tactics and without “compliance for compliance’s sake.”

If, after reading this article, the question is:
“what does this look like in our organization?”

the best first step is neither a tool nor a formal audit.

It is a calm conversation and a readiness assessment.

Get in touch with us: we start by understanding your situation, not by making an offer.