NIS2: Strengthening Cyber Defences Through Regulation

Although NIS1 marked the first push for the EU to strengthen cyber resilience for essential services, it became clear that the evolving threat environment required more robust measures.

Where NIS1 mainly focused on critical sectors such as transport, energy and healthcare, NIS2 covers a broader range of industries such as manufacturing, digital services and food production. 

NIS2 also includes stricter incident reporting timelines, heavier penalties and greater accountability for senior management.  

Wider focus, deeper reach

More specifically, NIS2 introduces several obligations for organisations operating in EU member states. These organisations are classified into two main types of groups: ‘Essential Entities' and ‘Important Entities’.  

‘Essential Entities’ are considered critical elements to societal and economic functions, while ‘Important Entities’ are those that play a vital role in society’s overall functioning.

The range of sectors included in the new scope must comply with enhanced regulatory requirements, reflecting the complexity and interdependence of the things that drive our day-to-day lives.  

Corporate leadership liability 

The regulation takes a risk-based approach to cybersecurity, with organisations obliged to implement measures for incident handling, supply chain security, network defences and encryption.  

Corporate management must oversee and approve these security measures and ensure compliance through training and accountability. Leadership could be liable in case a breach occurs due to a failure to comply with NIS2; potential penalties include financial fines or even temporary bans from management roles.

Executives will need to be at the forefront of incident mitigation and incident response by ensuring the development, monitoring, and continuous improvement of cybersecurity strategies. These obligations reinforce the fundamental principle that cybersecurity is not just a technical issue but a boardroom priority.  

Tighter incident reporting requirements 

NIS2 mandates strict reporting obligations for significant cyber incidents, with organisations required to provide an ‘early warning’ within 24 hours of detection.  

Business continuity is another key focus, requiring robust plans for system recovery and crisis response in the event of a cyberattack. Baseline security measures — such as risk assessments, data encryption, incident reporting and multi-factor authentication — are also mandatory, reinforcing the EU's commitment to enhanced cybersecurity and greater awareness across sectors.

Non-compliance can result in severe penalties, including fines of up to EUR10mn or 2% of revenue for organisations considered an ‘Essential Entity’.  

Helping clients be compliant 

At CyXcel, we are supporting our clients to achieve NIS2 compliance through highest cybersecurity standards, safeguarding them from potential fines, reputational damage and personal liability. 

Cyber resilience 

Our expertise extends to developing and implementing robust cybersecurity strategies, digital transformation programmes and risk management practices. We have successfully assisted numerous clients in establishing comprehensive incident management and preparedness procedures, setting up their reporting obligations, and formulating effective response plans.  

Our meticulous business continuity, disaster recovery and crisis management planning ensure our clients can deliver their services even during cyber incidents.  

Leadership inclusion and accountability 

Recognising the importance of strong governance, we emphasise the onboarding of essential personnel and their inclusion in mandatory documentation, such as Directors and Officers (D&O) Liability insurance policies.  

Failure to reference accountable individuals in these documents can lead to serious consequences for the individuals and the organisation. It is also important to note that Chief Information Security Officers (CISOs) are not typically included under D&O, presenting a challenge, particularly with regulations like NIS2.  

Know your supply chain 

Our experts are global leaders in ensuring the security of corporate supply chains, including direct vendors and third parties. By mapping, mitigating and monitoring supplier and supply chain risks we ensure enduring business resilience and regulatory compliance. Additionally, we support the implementation of asset management practices to identify and protect critical information systems. 

By integrating expertise in technology, law, geopolitics and security, we have a unique capability to navigate the complex regulatory landscape.  

NIS2 reflects the interconnected nature of national economies, people and global communication channels. This new regulation is not just about avoiding fines; it is about building trust and safeguarding our critical infrastructure from sophisticated cyber criminals and hostile nation-state actors.  

Preparing for NIS2 also provides organisations with a strategic business opportunity: to ensure operational resilience and turn cybersecurity into a market differentiator and competitive advantage.