By Hani Mebar | Äctvli Responsible Consulting
I was talking to a friend who works in a mid-sized company. He told me how they got a letter from their legal team because a vendor had sent a security questionnaire due to the NIS 2 compliance requirements in the EU. So they set up a meeting and realised they needed to start “figuring it out.” Now it’s been weeks, and nothing has moved because nobody is quite sure what they’re actually required to do.
Asking further, I realised that the NIS 2 Directive had been explained poorly. Mid-sized companies in the 50–500 employee range are left with jargon, checklists they don’t understand, and a vague anxiety that they’re probably not compliant.
If this sounds like something you have also experienced, let me help.
What Is the NIS 2 Directive?
The NIS 2 Directive (Network and Information Security Directive 2) is the EU’s updated cybersecurity regulation, which came into force in October 2024. It replaces the original NIS Directive from 2016 and significantly expands both the organisations it applies to and what those organisations must do.
NIS 2 covers roughly 160,000 entities across Europe. The original NIS Directive covered around 10,000. The scope expansion is enormous — and most of that growth comes from mid-sized companies who were previously exempt.
Who Does NIS 2 Apply To?
NIS 2 applies to “essential” and “important” entities across 18 sectors, including:
- Manufacturing (medical devices, machinery, vehicles, electronics)
- Digital infrastructure and managed services
- Food production and distribution
- Postal and courier services
- Chemicals
- Waste management
- Healthcare
- Transport and logistics
If your company has 50+ employees and €10M+ in annual turnover, and operates in one of these sectors anywhere in the EU, you are very likely in scope.
The key shift from NIS 1 is that mid-sized companies are no longer automatically exempt. You don’t have to be a critical national infrastructure operator to have obligations under NIS 2.
NIS 2 Requirements: What You Actually Have to Do
Stripped of the legal language, NIS 2 compliance requires you to do five things well:
1. Ongoing Risk Management
You need a documented, repeatable process for identifying and managing cybersecurity risks. Not a one-time audit — an ongoing process with a named owner and regular reviews.
2. Incident Reporting
If you suffer a significant cyber incident, you must notify your national authority within 24 hours (early warning) and submit a full report within 72 hours. This requires knowing what counts as “significant” before an incident happens.
3. Supply Chain Security
This is the requirement most companies miss. You are responsible for the security posture of your key suppliers and service providers. If a vendor gets breached and it affects your systems, that’s your problem under NIS 2.
4. Business Continuity
You need documented plans for how you keep operating during and after a cyber incident — backup systems, recovery procedures, tested regularly.
5. Management Accountability
Senior management must approve your cybersecurity measures and can be held personally liable for non-compliance. This is not something you can delegate entirely to IT.
What Mid-sized Companies Need Support With
After working with organisations across manufacturing, technology, and logistics, I see the same mistakes repeatedly.
Treating it as an IT project. NIS 2 is not an IT audit. It’s a governance framework. Management accountability is in the directive precisely because security kept being handed to the IT team and forgotten. If your CEO doesn’t know what your incident response plan says, you have a gap.
Buying tools instead of building processes. A company will spend €50,000 on a SIEM platform and still have no documented process for what to do when it triggers an alert at 11pm on a Friday. Tools without process are expensive theatre.
Waiting for perfect information. I’ve seen organisations delay for a year waiting for national implementation guidance or for someone more senior to make a decision. The directive is live. Regulators are staffing up. The companies penalised first will be the ones who did nothing.
Misunderstanding the supplier requirement. If you use cloud services, managed IT providers, or critical SaaS tools, you have a supply chain security obligation. You need to assess your key suppliers and manage that risk systematically. Most mid-sized companies have never asked their SaaS providers a single security question.
A Practical NIS 2 Implementation Roadmap
If you’re in scope and haven’t started, here’s a realistic starting point:
Weeks 1–2: Map your scope. What systems, services, and data are in scope? Who are your critical suppliers? Who in leadership owns this?
Weeks 3–4: Gap assessment. Compare where you are against the five requirement areas above. A gap you’ve identified is a gap you can close.
Months 2–3: Build the frameworks. Document your risk management process, incident response plan, and business continuity procedures. These don’t need to be 100-page documents — they need to be accurate and usable.
Months 3–6: Embed and test. Run a tabletop incident exercise. Review supplier contracts. Brief your senior leadership. Begin the cycle of continuous improvement.
The Underlying Point
NIS 2 isn’t fundamentally different from good security practice — it’s good security practice with teeth. The organisations that will find compliance straightforward are the ones that have already been running information security as a business function rather than an IT function.
If you haven’t, this is an uncomfortable but genuinely useful forcing function. The alternative — a breach, a fine, or a customer audit that reveals gaps — is far more expensive.
Frequently Asked Questions About NIS 2
What is the difference between NIS 1 and NIS 2?
NIS 2 significantly expands the scope of organisations covered (from ~10,000 to ~160,000 entities), introduces stricter security requirements, adds personal liability for senior management, and strengthens enforcement powers for national authorities.
What are the penalties for NIS 2 non-compliance?
For “essential” entities: fines of up to €10 million or 2% of global annual turnover (whichever is higher). For “important” entities: up to €7 million or 1.4% of global annual turnover.
Does NIS 2 apply to companies outside the EU?
If your organisation provides services to EU-based entities or operates infrastructure within the EU, you may be in scope regardless of where you are headquartered.
When did NIS 2 come into force?
EU member states were required to transpose NIS 2 into national law by October 17, 2024. Enforcement timelines vary by country, but the directive is legally in effect.
Do I need ISO 27001 certification to comply with NIS 2?
ISO 27001 is not mandated by NIS 2, but implementing an ISMS aligned with ISO 27001 is one of the most effective ways to meet NIS 2’s risk management and documentation requirements.
Äctvli Custodia is our information security and ISMS service. We help mid-sized companies build NIS 2-ready security frameworks that work in practice — from gap assessment through to certification readiness. Talk to us about where you stand.
