NIS2 and the Compliance vs Security question: which side are you on?

Why regulation should be your security launchpad, not your finish line.

There is a recurring tension in cybersecurity regulation. On one side, you have the organizations that genuinely use compliance as a driver for security improvement – working through NIS2 requirements and asking, “What does this actually mean for our business continuity?” On the other, you have organizations that treat regulation as a checklist: satisfy the auditor, file the paperwork, move on.

The uncomfortable truth, as WithSecure CISO Christine Bejerasco noted at our February 2026 Cyber Morning, is that you can achieve full NIS2 compliance on paper without having any meaningful security uplift in reality. You can keep auditors satisfied and still be as exposed as you were before.

With NIS2 now in force across EU member states, this distinction matters more than it ever has.

Compliance as a Launchpad, Not a Finish Line

Many organizations – particularly those who know they fall under NIS2 – are approaching the regulation more constructively than the tick-box caricature suggests. As Niko Isotalo, WithSecure’s Regional VP, North, observed: in conversations with NIS2-covered organizations across Finland and the Nordics, “the discussion is about how we can ensure business continuity. The compliance tick happens as a result of that – not the other way around.”

This is the right framing. NIS2 is not a destination; it is a structure. What it requires – risk assessment, incident detection capability, response planning, supply chain security, business continuity measures – are exactly the things organizations should be doing regardless of whether a regulator asks for them. The regulation provides a mandate for having these conversations at board level, securing budget, and prioritizing work that might otherwise be deprioritized by daily business demands.

The GDPR analogy is instructive here: even though it was painful for many companies when it was introduced, hyperscalers now use it as a global standard for privacy. The same trajectory is possible for NIS2. Done well, European cybersecurity regulation can set a standard that lifts the baseline across the continent – and influences how security-conscious organizations everywhere approach these questions.

A recent survey* of ICT decision-makers reinforces why this uplift is needed. 70% of respondents said they are worried about cybersecurity. Yet despite that widespread concern, only around a quarter of companies practice cyber crisis scenarios and business recovery exercises, and just over half have a formal preparedness plan – up from 47% the prior year, but still leaving nearly half of organizations without one.

The Real Security Test: Can You Detect, Respond, and Recover?

The practical test of whether NIS2 compliance has translated into real security is not whether your documentation is in order. It is whether your organization can actually do three things:

1. Detect.

Do you have visibility into what is happening across your environment? Can you identify anomalous behavior – a credential being used at an unusual time, a device communicating with an unknown external address, a process executing that should not be running? Basic EPP products, still widely deployed across mid-market organizations, were not designed to provide this visibility. Detection capability requires telemetry, tooling, and human or AI-assisted analysis. NIS2 explicitly requires continuous monitoring of networks and information systems to detect and respond to threats in real time – and that is a bar that basic antivirus simply does not meet.
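The three behaviours this paragraph names can be written as baseline rules. The block below is an added illustration, not code from the article or from WithSecure, and every user, host, address and baseline in it is constructed sample data.

```python
"""Added example, not from the original article: the three anomaly checks the
Detect section describes (unusual-hour credential use, contact with an unknown
external address, a process that should not be running), run as simple
baseline rules over constructed telemetry events. All names, hosts,
addresses and baselines are made-up sample data."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed baselines: what "normal" looks like for this fictional estate.
EXPECTED_LOGIN_HOURS = {"alice": range(7, 19)}             # local hours 07-18
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL = {"203.0.113.10"}                           # e.g. a SaaS endpoint
EXPECTED_PROCESSES = {"srv-01": {"sshd", "nginx", "postgres"}}


def detect(event: dict) -> Optional[str]:
    """Return an alert string if the event breaks its baseline, else None."""
    kind = event["type"]
    if kind == "logon":
        hour = datetime.fromisoformat(event["ts"]).hour
        allowed = EXPECTED_LOGIN_HOURS.get(event["user"])
        if allowed is not None and hour not in allowed:
            return f"unusual-hour logon: {event['user']} at {hour:02d}:00"
    elif kind == "netconn":
        dst = ip_address(event["dst"])
        internal = any(dst in net for net in INTERNAL_NETS)
        if not internal and event["dst"] not in KNOWN_EXTERNAL:
            return f"unknown external destination: {event['host']} -> {event['dst']}"
    elif kind == "process":
        expected = EXPECTED_PROCESSES.get(event["host"])
        if expected is not None and event["image"] not in expected:
            return f"unexpected process: {event['image']} on {event['host']}"
    return None  # no baseline for this entity, or within baseline


def run(events: list) -> list:
    """Evaluate every event; the result is what an analyst would triage."""
    return [alert for alert in map(detect, events) if alert]


# Constructed telemetry: three benign events interleaved with three anomalies.
SAMPLE_EVENTS = [
    {"type": "logon", "user": "alice", "ts": "2026-02-10T09:05:00"},
    {"type": "logon", "user": "alice", "ts": "2026-02-10T03:12:00"},
    {"type": "netconn", "host": "srv-01", "dst": "203.0.113.10"},
    {"type": "netconn", "host": "srv-01", "dst": "198.51.100.77"},
    {"type": "process", "host": "srv-01", "image": "nginx"},
    {"type": "process", "host": "srv-01", "image": "tmp_helper"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Real deployments replace the hard-coded baselines with learned or configured profiles per user and host, which is the telemetry and tooling the paragraph refers to.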

2. Respond.

When your detection capability fires, does someone act on it? And do they act quickly? Time is critical in a breach scenario. The sooner you can interrupt an attacker’s lateral movement, the less damage they can cause. This is why tabletop exercises and simulation drills matter – not to box-tick a training requirement, but because when a real incident happens, the shock factor shortens and people can respond much faster. Organizations that have rehearsed the scenario can operate almost on autopilot in the first critical hours.

3. Recover.

Do you know where your data is? Do you have tested backups? What is your recovery time objective, and have you ever measured whether you can actually hit it? Many organizations discover the answers to these questions for the first time during an actual incident – by which point the cost of not knowing is already compounding.

These three capabilities – detect, respond, recover – are what NIS2 is ultimately trying to create. Organizations that genuinely build them are both compliant and more secure. Organizations that complete the paperwork without building them are compliant on paper and no safer than they were before.

The Board Conversation Has Changed

One of the more encouraging observations from the Cyber Morning panel was how significantly the C-suite conversation around cybersecurity has shifted. Fifteen years ago, it was handled by a small technical team largely invisible to organizational leadership. Today it sits on the board agenda at most serious organizations, and NIS2 formally assigns accountability for cybersecurity to senior leadership – making it a personal liability question for executives, not just an IT department concern.

The frame that resonates most with business leaders, the panelists agreed, is availability. Confidentiality and integrity are important, but they can feel abstract. The question “what happens to our business if our systems go down for 24 hours?” is concrete and immediately legible to anyone running an organization. DDoS attacks, ransomware, identity service outages – all of these manifest first as availability problems, and that is the language in which security conversations with boards land most effectively.

CFOs are increasingly engaged in these conversations alongside CIOs. Security is a financial risk, a continuity risk, and – under NIS2 – a compliance and liability risk. The audience for these conversations has expanded, and the framing needs to match.

The MSP Role: From Compliance Support to Proactive Security Partner

For Managed Service Providers, NIS2 creates both a significant service opportunity and a clear responsibility.

The opportunity: many mid-market organizations that now fall under NIS2 do not have the internal expertise to interpret what the regulation actually requires of them operationally, as opposed to on paper. They need guidance on what detection capability looks like in practice, how to structure an incident response plan that will actually work, how to run a tabletop exercise, and how to document evidence of continuous monitoring in a way that satisfies regulatory audit. NIS2 also requires an initial incident report within 24 hours and a full notification within 72 hours – a timeline that demands pre-built workflows, not improvisation.

MSPs that back this guidance up with managed detection and response services – making the detect, respond, and recover capability real rather than theoretical – are offering genuine security uplift. The organizations that need this most are precisely the mid-market companies that cannot build a 24/7 security operations capability in-house: the same organizations for which NIS2 has raised the compliance bar highest. WithSecure MDR, for example, is specifically designed for this segment, delivering continuous expert-driven monitoring and response without the overhead of an in-house SOC.

The responsibility is equally clear. An MSP that helps a customer complete the NIS2 paperwork without actually improving their security posture has not served their customer well. The standard to aim for is not compliance documentation – it is the genuine capability to detect, respond, and recover. That is what your customers’ boards, CFOs, and regulators will ultimately judge you on.

As the Cyber Morning panel’s closing lightning round put it, moving from reactive to proactive security in 90 days starts with: understand your risks; build the capabilities and find the right partners; follow the threat landscape; and know your external exposures. For most mid-market organizations, finding the right partner is the step that makes all the others achievable.

*Source: Telenor Nordic Digital Security Report 2025: telenor.com