17 March 2026 | 5 min

After the NIS2 Deadline: Why Two-Thirds of Companies Are Falling Behind – and What Really Matters Now

The NIS2 Directive is one of the most important regulatory developments in the field of cybersecurity and GRC. Its goal is to significantly raise the level of cybersecurity across Europe and to place greater responsibility on organizations. However, shortly after key deadlines have passed, a clear picture is emerging: a large proportion of affected companies are not sufficiently prepared.

Many organizations underestimated the requirements, misjudged whether they are in scope, or started implementing measures too late. At the same time, pressure is increasing due to regulatory scrutiny, stricter enforcement and the risk of significant penalties.

The key question is no longer whether companies should address NIS2, but how they can now catch up in a structured and effective way.

  • A large proportion of affected companies have missed the NIS2 deadlines.
  • NIS2 significantly expands the scope of regulated organizations and tightens requirements.
  • Cyber risks are becoming a central governance and management topic.
  • Executive management carries direct responsibility and potential liability.
  • Many organizations show gaps in risk management, documentation and accountability.
  • The priority now is gap analysis, prioritization and structured implementation.
  • NIS2 is not a one-time project but requires a sustainable GRC system.

Why So Many Companies Are Behind

The high number of unprepared organizations is not a coincidence. NIS2 introduces several structural challenges.

First, the scope has been significantly expanded. Unlike the original NIS Directive, NIS2 applies not only to critical infrastructure operators but also to a wide range of medium-sized and large companies across multiple sectors.

Second, many organizations are uncertain whether they are in scope. The criteria are complex and depend on sector, size and specific activities.

Third, the requirements are often underestimated. NIS2 is not just an IT security initiative but requires a comprehensive cybersecurity risk management framework.

Fourth, many companies lack integrated GRC structures to systematically implement regulatory requirements.

NIS2 as a Game Changer for GRC

NIS2 fundamentally changes the role of governance, risk and compliance.

Cybersecurity is no longer treated as a purely technical issue but as an integral part of corporate management. The directive requires, among other things:

  • structured cybersecurity risk management
  • clear responsibilities at management level
  • documented security measures
  • incident reporting obligations
  • training for executive management
  • supply chain and third-party security

This makes NIS2 a classic GRC topic that connects governance, risk and compliance.

The Role of Executive Management

A key aspect of NIS2 is the direct responsibility of senior leadership.

Executive management is not only indirectly responsible but must actively ensure:

  • implementation of security measures
  • monitoring of compliance
  • adherence to reporting obligations
  • establishment of an effective risk management system

In some cases, personal liability may arise if these obligations are not fulfilled.

Cyber risk is therefore clearly a board-level issue.

Typical Weaknesses in Organizations

The current situation reveals recurring weaknesses across many companies.

One common issue is a lack of transparency. Many organizations do not have a clear overview of their critical systems, data or third-party dependencies.

Another problem is the lack of integration of cyber risks into enterprise risk management. Risks are often handled within IT but not embedded into overall governance structures.

Documentation is frequently insufficient. Without proper evidence, regulatory requirements cannot be met.

Finally, responsibilities are often unclear. Without defined ownership, implementation becomes fragmented and ineffective.

What Companies Must Do Now

After the deadlines, the focus shifts from preparation to catch-up.

A structured approach includes several steps.

First, companies must determine whether and to what extent they are affected by NIS2. This is followed by a gap analysis comparing the current state with regulatory requirements.

Based on this, measures should be prioritized. Not all requirements must be implemented at once, but critical gaps must be addressed quickly.

At the same time, governance structures must be established. This includes clear responsibilities, reporting lines and decision-making processes.

Another key step is the implementation or enhancement of an integrated GRC system. Only then can risks, controls and compliance requirements be managed sustainably.

NIS2 as an Opportunity, Not Just an Obligation

Despite regulatory pressure, NIS2 also offers opportunities.

A structured cybersecurity risk management framework improves not only compliance but also operational resilience. Security incidents can be detected and managed more effectively.

Transparency within the organization increases. Risks become visible, responsibilities clearer and decision-making more informed.

In addition, a strong cybersecurity posture enhances trust among customers, partners and investors.

Companies that take NIS2 seriously can turn compliance into a competitive advantage.

Conclusion

The NIS2 deadline has highlighted that many organizations are not yet sufficiently prepared. At the same time, pressure from regulators and cyber threats continues to grow.

NIS2 is not a short-term compliance project but a long-term transformation. Companies must integrate cyber risks into governance, strengthen risk management and continuously manage compliance.

Those who act now in a structured way can not only reduce regulatory risk but also significantly improve resilience and competitiveness.

FAQ

What is the main objective of NIS2?
To achieve a higher and more consistent level of cybersecurity across Europe and to increase organizational accountability for cyber risks.

Why are so many companies behind?
Because the scope has expanded, requirements are complex and many organizations lack integrated GRC structures.

Who is responsible within the organization?
Executive management is responsible for implementation, oversight and compliance.

What happens in case of non-compliance?
Organizations may face regulatory action, fines and potentially personal liability for management.

How should companies get started now?
By conducting a scope assessment, performing a gap analysis and building a structured GRC system to manage compliance requirements.