Back to blog
Compliance

How to prepare for the arrival of NIS2?

May 26, 2026- 7 min read

NIS2 replaces and extends the 2016 NIS directive, with a much broader scope: many sectors previously out of scope (healthcare, waste management, manufacturing, digital services) now fall within the directive, as soon as a company exceeds certain size thresholds. Penalties for non-compliance can reach amounts comparable to GDPR.

The directive imposes governance obligations (management's involvement in cyber risk management), risk management obligations (proportionate technical and organizational measures), incident management obligations (24-hour notification for significant incidents), and business continuity obligations.

To assess its readiness, an organization must first determine whether it falls within the scope of the directive (essential or important entity), then evaluate the gap between its current practices and the ten domains of minimum measures defined by the text: risk management, incident management, business continuity, supply chain security, and security in system acquisition and development, among others.

Unlike ISO 27001, NIS2 is a regulatory obligation and not a voluntary certification: it is better to objectively assess your level of readiness upfront, rather than discovering significant gaps under the pressure of an audit or an incident.

Ready to assess your organization?

Try for free