Insights into the NIS2 Directive

Reading time: 10 min


  • 27/02/2024

WithSecure Intelligence

NIS2 expands the scope of its predecessor, bringing critical sectors like supply chains, food production, and public administration under its protective wing. It introduces standardized incident reporting, ensuring that threats are managed and monitored proactively. 

The digital landscape is evolving rapidly, and the complexity and volume of cybersecurity threats are rising. Recognizing the critical need for enhanced security measures, the European Union took a pioneering step six years ago by introducing the first Network and Information Security (NIS) Directive, the first EU-wide regulation on cybersecurity. This landmark legislation was a foundational framework, establishing baseline security protocols across various industries. Fast forward to today, the landscape has transformed, necessitating a more robust and comprehensive approach to cybersecurity - enter NIS2.

What is NIS2?

Building on the groundwork laid by its predecessor, NIS2 is not just an update; it's a significant expansion of scope and ambition to address the evolving cyber threat landscape. One of the key enhancements is the inclusion of supply chains, a critical area of vulnerability in today's interconnected digital ecosystem. Moreover, NIS2 sets out to standardize incident reporting, creating a uniform framework that enhances nationwide visibility into cyberattacks and their impact across different sectors.

A notable shift in NIS2 is its proactive stance towards security monitoring. The directive mandates active surveillance of IT environments to detect anomalies and potential threats, moving beyond passive defense mechanisms. Additionally, it brings company management into the fold of cybersecurity, establishing accountability and integrating cybersecurity management into the broader corporate governance structure.

The Implications of NIS2

For organizations, the transition to NIS2 brings a host of new responsibilities and challenges. The directive encompasses a broader range of sectors, including previously overlooked areas such as public information networks, food production, and public administration. Moreover, it introduces stringent reporting requirements, with the first notification of incidents required within 24 hours and a detailed analysis and action plan due within a month.

NIS2 also emphasizes the importance of supply chain security, recognizing the cascading effects that vulnerabilities in one part of the supply chain can have on others. This holistic approach extends to IT best practices, requiring organizations to adopt a comprehensive security posture that covers everything from asset management to encryption and human resources.

Preparing for NIS2

With the implementation deadline looming and no transition period offered, organizations must act swiftly to align their security practices with NIS2 requirements. This involves conducting thorough risk analyses, establishing incident management capabilities, and ensuring all technical measures, from patch management to multi-factor authentication, are in place.

Collaboration and shared expertise will be vital to navigating this transition. For instance, leveraging existing cybersecurity frameworks such as ISO 27001 or the NIST Cybersecurity Framework can provide a solid foundation for meeting NIS2 requirements. Furthermore, ongoing staff training and awareness programs are essential to foster a culture of security and preparedness across all levels of the organization.


NIS2 represents a significant step in the EU's efforts to bolster cybersecurity defenses. By expanding the scope of regulation, standardizing reporting, and emphasizing proactive security monitoring, NIS2 aims to create a more resilient digital infrastructure capable of withstanding the threats of the modern world. For organizations, the journey towards compliance may be challenging, but it is a critical investment in the security and reliability of their operations and, by extension, the broader digital ecosystem.

As the deadline approaches, the message is clear: the time to act is now. By embracing the spirit of NIS2, organizations can comply with the new directive and strengthen their defenses against the ever-evolving threats of the digital age.

Discover more

WithSecure™ Co-Monitoring Service

24/7 protection and access to the world's-best threat hunters at an affordable price.

Read more

Let's discuss!

Book a complimentary 60-Minute Cybersecurity Clinic to discuss your supply chain risks or NIS2 requirements.

Book now