10 June 2025 | 3 min

NIS2: What companies now need to do for their GRC systems

The new EU directive NIS2 (Network and Information Security Directive 2) brings significant requirements for companies across the EU. The goal is to comprehensively improve cybersecurity in critical and important sectors. But what exactly does that mean for governance, risk, and compliance management (GRC) in your organization?

What is NIS2?

NIS2 replaces the previous NIS directive and significantly expands its scope. It no longer only affects critical infrastructure, but also many medium and large enterprises in sectors such as:

  • Energy, transportation, healthcare, drinking water
  • IT services, digital infrastructure
  • Public administration, space, research

New requirements:

  • Risk management for cyber and information security
  • Incident reporting within 24 hours
  • Company-wide security strategy
  • Responsibility at management level
  • Obligation to perform audits and provide evidence

What does NIS2 mean for your GRC system?

A modern GRC system is key to meeting the new requirements. Only with a systematic approach can risks, controls, reporting obligations, and responsibilities be documented and managed efficiently.

Specifically, this means:

  • Risk Management: Integration of IT and cyber risks into the central risk register
  • Compliance Monitoring: Tracking of obligations and deadlines according to NIS2
  • Action Management: Assignment and tracking of protective and response measures
  • Audit Trail & Documentation: Complete traceability for audits

Immediate actions to prepare for NIS2

  1. Clarify whether you are affected: Is your company directly or indirectly subject to NIS2?
  2. Conduct a gap analysis: What gaps exist in your current security and GRC structure?
  3. Define responsibilities: Who is responsible for cybersecurity and reporting?
  4. Upgrade GRC systems: Can your system integrate NIS2 requirements?
  5. Train and raise awareness: Prepare management and key personnel

Conclusion: Action is needed now

NIS2 not only brings new regulatory obligations, but also offers a chance to embed cyber resilience strategically. Companies that already use a powerful GRC system—or upgrade now—gain a real competitive edge. Important: don’t wait for national legislation—the time to prepare is now.

FAQ on NIS2 and GRC

When does NIS2 take effect?

The EU directive has been in force since January 2023. National implementation must occur by October 2024. Companies should begin preparing now.

Which companies are affected?

All medium and large companies in certain critical and important sectors. This includes IT, energy, healthcare, transportation, and digital services.

What happens in case of non-compliance?

Severe fines and reputational damage. Liability may extend to the company’s management.

How does a GRC system help with NIS2?

It enables structured management of risks, actions, reporting obligations, and compliance requirements in a single integrated system.

How does NIS2 differ from ISO 27001?

NIS2 is a legal obligation; ISO 27001 is a voluntary standard. However, both complement each other: an ISMS in accordance with ISO 27001 can cover many NIS2 requirements.