Image: people looking at a computer screen, with a prominently placed NIS2 pop-up in the foreground.

NIS2 compliance: how to build it effectively

Updated on: 30 April 2026 · 7 min read

Clear processes are essential for establishing robust NIS2 compliance within organisations. Find out how organisations can minimise liability risks.

Contents

  1. Prioritisation
  2. The 3 most important immediate measures
  3. Meet reporting deadlines
  4. Liability cover for the management
  5. NIS2 compliance in the supply chain
  6. NIS2 compliance without certification

Key takeaways: NIS2 compliance

  • Not a project with a finish line, but a continuous risk management process
  • MFA, air-gapped backups and automated patching address the highest-impact vulnerabilities first
  • Significant incidents trigger mandatory multi-stage reporting with deadlines defined by national law
  • Senior management carries direct personal liability when oversight duties are breached
  • Managing human risk across the supply chain requires a measurable, people-centered approach

Sound risk management sits at the heart of NIS2 compliance. In practice, this means having access controls that actually work, incident response plans that have been tested and supply chain partners held to the same security standards – not just on paper, but in everyday operations.

What regulators look for is evidence that an organisation takes its most significant risks seriously and is actively working through them. Start with the most pressing gaps, keep a clear record of what has been done, and build from there.

Organisations with ISO 27001 certification are starting from a position of strength, but the certificate alone won’t satisfy NIS2. Where NIS2 tends to bite hardest is in two specific places. Incident reports have to land with the authorities within hours, not days. And if something goes seriously wrong, it’s not just the IT team that faces scrutiny – senior leadership is personally on the hook.

Real supply chain oversight goes further than a signed contract. Every supplier touching your systems needs a clear picture of what you expect from a security standpoint. The right level of oversight depends on how critical a supplier is to your essential services – for high-risk relationships, a yearly questionnaire alone is unlikely to be sufficient. When something goes wrong, pre-agreed reporting channels make all the difference.

The picture differs from country to country, since each EU Member State sets its own implementation timeline. Check what applies where your business operates. What holds true everywhere, though, is that the time to get risk management moving is now, not once a deadline is confirmed.


Prioritisation: NIS2 compliance as an ongoing process

NIS2 compliance is not a project with a finish line. Regulators are looking for evidence of ongoing risk management, not a one-time effort tied to a deadline. Anyone who believes they must present a completely impregnable fortress at the first regulatory audit is setting entirely the wrong priorities. The auditors expect something else. They want to see that an organisation has understood its real core risks and is actively managing them using appropriate measures. In practice, this means: the identification and management of risks must never stop. Every protective measure implemented must be continuously reviewed, and every change must be properly recorded. Our guide to the NIS2 directive covers the current state of implementation across the EU.


The 3 most important immediate steps for NIS2 compliance

Trying to tackle every NIS2 requirement at the same time is a reliable way to make slow progress on all of them. A more effective approach is to focus first on the measures that reduce the most risk and hold up best under audit. The NIS2 directive does not just ask for documented policies – it requires technical controls that actually work. Three areas consistently meet both criteria.

Comprehensive multi-factor authentication (MFA)

Stolen credentials remain one of the most common entry points for attackers. A solid MFA strategy closes off that route effectively, but only if it covers more than just remote VPN access. Internal admin rights and cloud services need the same protection. Every user operating on the network should be able to verify their identity reliably — gaps here create vulnerabilities that are difficult to contain once exploited.

Robust backup and recovery plans

A ransomware attack will hit hard regardless of how prepared you are. What separates organisations that recover quickly from those that don’t is having tested, well-documented backup strategies in place before the incident happens. Immutable backups that are physically or logically isolated from the rest of the network are the foundation. Those plans also need a real stress test from time to time. Writing procedures down is not enough if nobody has ever actually run through them.

Automated patch management

Security vulnerabilities that sit unaddressed are an open invitation. With the number of patches released across operating systems and third-party tools each month, any team trying to keep up manually is fighting a losing battle. Automated patch management is simply how you stay on top of it. Critical updates go out fast, coverage stays consistent, and you’re not relying on someone remembering to check.

Technical measures only go so far. If your people can’t spot a phishing attempt or don’t know what to do when something looks off, the controls around them matter a lot less. That’s why cybersecurity awareness training and a human risk management platform belong in the same conversation as MFA and patch management. Need a full picture of what your NIS2 checklist should look like? We’ve mapped it all out.

Meeting reporting deadlines: robust response procedures in an emergency

NIS2 expects organisations to move quickly once a serious incident comes to light. In many cases, the first notice to the relevant authority is due within 24 hours. A more detailed update follows within 72 hours. The final report comes later, usually within a month.

That does not mean every technical alert becomes reportable straight away. A suspicious event on its own is not the same as a significant incident. The real question is whether operations are materially affected, whether essential services are disrupted or whether the impact is serious enough to require formal reporting. People need to know their role before anything goes wrong. Who needs to be told, who decides what happens next and how do you reach them? If those basics are unclear once an incident is under way, valuable time is lost.

For smaller organisations, that does not have to mean building a complex process from day one. Often it starts with a short list of practical questions. If ransomware hits overnight, someone needs to know who to call first. Those numbers should be available offline, not tucked away in a system that may already be down. It should also be settled in advance who can disconnect affected systems or cut internet access if needed. If those basics are clear, the first hours are usually easier to manage.

Management liability under NIS2

Senior leadership doesn’t get to sit this one out. The directive puts board members and executives directly in the frame if an organisation falls short. Three areas of accountability are non-negotiable:

  • Security strategies need genuine leadership approval. That means actually engaging with what is being proposed, not just signing off a budget line.
  • Approving a plan is only the starting point. Leaders are expected to stay close enough to implementation to know whether it is actually working.
  • Cybersecurity awareness training is not something only employees need. Senior leaders can also become a source of risk, whether through weak handling of sensitive information or by failing to spot warning signs.

Ignoring those responsibilities can get expensive. The directive gives national authorities the power to impose fines of up to €10 million or 2% of global annual turnover for essential entities, and some countries have gone further in national law. When a regulator does come knocking, it tends to be the boards that took NIS2 seriously from the top who have the cleaner answer.

Ensuring NIS2 compliance in the supply chain

Suppliers are not a separate risk category you manage once a year and then forget about. The moment a vendor gets access to your systems, your NIS2 compliance picture includes them. That access can range from occasional remote support to deep integration into core infrastructure, and the oversight you apply should reflect the actual exposure, not a default checklist. The starting point is knowing which suppliers fall into which category, and what security standards you actually expect from each of them. A written security policy that suppliers are required to acknowledge is more defensible than a verbal understanding, and a periodic review process is more defensible than a one-off check at onboarding.

What regulators want to see is that your NIS2 compliance extends to the organisations your business depends on, not just your own four walls. That doesn’t mean you need to audit every supplier from top to bottom. It does mean having a credible, documented process for identifying and managing third-party risk, and making sure that when something goes wrong with a supplier, your own incident response procedures cover that scenario too.

Demonstrating NIS2 compliance without certification

One of the most common misconceptions about NIS2 is that it requires a formal certification. It doesn’t. Unlike ISO/IEC 27001:2022, there is no NIS2 certification that organisations can obtain, and no official body that issues one. If you have come across services advertising NIS2 certification cost estimates or selling certification packages, treat those with caution.

What the directive actually requires is demonstrable compliance: documented risk management processes, evidence of implementation, and the ability to show regulators that your organisation takes its obligations seriously. That is more demanding than a certification audit in one specific way: there is no fixed list to work through and declare done.

An ISO 27001-certified organisation is not starting from scratch with NIS2. A lot of the core building blocks are already in place, including risk management processes, access controls and incident handling. NIS2 is more demanding when time is tight and decisions need backing from the top. A serious incident may have to be reported within 24 hours, and that kind of pressure quickly becomes a board issue, not just an IT one.

Note: This article is for general information only and is not legal advice. It cannot replace advice on your specific situation. If you need a definitive view of your obligations under NIS2, speak to qualified legal counsel or the relevant authority.
