Cybersecurity has become a critical concern for every organisation, large or small. With cyberattacks rising, governments are moving to protect essential infrastructure. The NIS 2 directive, adopted by the European Union, strengthens cybersecurity requirements for the entities in scope: it requires them to follow binding rules to protect themselves and their ecosystems against cyber threats.
In this article we explain what NIS 2 is, how it affects your company and how you can prepare for compliance.
What is NIS 2?
Definition and context
NIS 2 (Network and Information Security 2, formally Directive (EU) 2022/2555) is the successor to the 2016 NIS directive. It is designed to strengthen the security of networks and information systems within the European Union in response to evolving digital threats. As a directive it does not apply directly: each member state had to transpose it into national law by 17 October 2024, so the exact obligations a company faces depend on the transposing law of the member state where it is established.
NIS 2 aims to protect the European infrastructure that society depends on. It imposes binding rules on entities operating in key sectors and requires them to deploy security measures proportionate to their risk in order to withstand cyberattacks.
The directive responds to weaknesses observed in the first version, notably the uneven scope and enforcement between member states, and to the significant rise in cyberattacks. It also strengthens cooperation between member states.

Which sectors are concerned?
NIS 2 extends the scope of the first directive by bringing in many more sectors. It distinguishes two categories, essential entities and important entities, based on two criteria: the criticality of the sector (the directive lists "sectors of high criticality" and "other critical sectors") and the size of the entity (medium-sized and large entities are in scope by default, while smaller ones are caught only in specific cases, for example sole providers of a service in a member state).
- Essential entities: large entities in sectors of high criticality such as energy, banking, health and digital infrastructure, plus certain entities designated regardless of size (for example qualified trust service providers and top-level-domain name registries).
- Important entities: medium-sized entities in sectors of high criticality, and entities in the other critical sectors. Both categories face the same security and reporting obligations; the difference lies in the supervision regime (proactive for essential entities, reactive for important ones) and in the maximum fines.
Entities in these sectors must comply with the security measures and reporting rules imposed by NIS 2 to avoid major disruptions and heavy penalties. Sectors concerned include:
- Energy
- Transport
- Health
- Banking services
- Telecom infrastructure
- Digital infrastructure
- Drinking water
- Postal services
- Public services and certain public administrations
What are NIS 2’s new goals and requirements?
Strengthen critical-infrastructure resilience
A key NIS 2 goal is strengthening the resilience of critical infrastructure against cyber threats. Entities must deploy appropriate and proportionate technical, operational and organisational measures to manage the risks to their networks and information systems, adapted to their size, sector, exposure and the likely impact of an incident.
Entities must both prevent incidents and be able to respond quickly and effectively. Resilience therefore requires business-continuity and crisis-management plans, including backup management and disaster recovery, not just preventive controls.
Incident management and reporting obligations
Incident management is a key NIS 2 element. For significant incidents, entities must notify the competent national authority or CSIRT (ANSSI in France) within staged deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours with an initial assessment of severity and impact, and a final report within one month describing the incident, its likely root cause and the mitigation measures applied. Where an incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident is handled.
Non-compliance triggers severe penalties, so entities must deploy clear internal processes that can produce a first notification within hours, before the full picture is known.
Leadership liability and security governance
NIS 2 emphasises leadership liability. The management bodies of in-scope entities must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements. They must also follow cybersecurity training themselves and are encouraged to offer similar training to employees.
This reinforces the need for solid governance with established decision-making and active leadership involvement: cybersecurity can no longer be delegated entirely to the IT department.
NIS 2 and cyber risk management: impacts for companies
Risk management under NIS 2
Risk management is at the heart of NIS 2. Every affected entity must deploy risk-management policies to identify, evaluate and mitigate cyber risks, covering at least the areas the directive lists: risk analysis and information-system security policies, incident handling, business continuity, supply-chain security, security in acquisition and development, assessment of the effectiveness of the measures, cyber hygiene and training, cryptography, human-resources security and access control, and the use of multi-factor authentication where appropriate.
The goal is an adequate security level that is maintained over time. Risk management must be proactive, include regular audits and be revised as threats evolve, which in practice means continuous monitoring rather than a one-off assessment.

How to adapt your cyber strategy to NIS 2
To comply, adapt your cyber strategy to the new requirements with specific action plans for network security and critical-system protection. These plans must include:
- Technical controls (firewalls, intrusion-detection systems, logging and monitoring tools).
- Employee training on cybersecurity best practices.
- Incident-response processes to limit the impact of a cyberattack.
Adapting also means regularly reviewing the measures in place and checking that they remain effective.
NIS 2 and third-party collaboration
NIS 2 also imposes greater vigilance on third-party risk management. Entities must address the security of their supply chain, including the relationship with their direct suppliers and service providers: a gap at one supplier can affect the whole organisation.
Essential steps:
- Evaluate supplier risks, taking into account the vulnerabilities specific to each supplier and the quality of its security practices.
- Run regular security audits of partners.
- Sign contracts specifying cybersecurity responsibilities, including incident notification obligations towards you.
NIS 2 compliance: how to prepare?
Key steps to get NIS 2 compliant
Preparing for NIS 2 is a methodical process that requires a structured, rigorous approach. Before anything else, confirm whether and in which category your organisation is in scope, since that determines the supervision regime and the penalties.
Initial security audit
The first step is a complete audit of your information systems. This audit must:
- Map critical systems and digital assets, including the services whose disruption would have the greatest impact.
- Identify vulnerabilities and potential entry points.
- Evaluate the company's security maturity against the measures the directive requires.
Deploy adapted security measures
Once risks are identified, deploy appropriate security measures matching the company's size, sector and specific risks:
- Firewalls, intrusion-detection systems (IDS) and anti-malware.
- Encryption of sensitive data, at rest and in transit.
- Real-time monitoring tools and centralised logging.
- Strict access policies: access control, management of administrative rights and multi-factor authentication.

Develop an incident-response plan
NIS 2 compliance requires a documented incident-management capability:
- An incident-response plan with precise steps to follow during a cyberattack.
- Defined roles and responsibilities, including who decides whether an incident is significant and who notifies the authority.
- Incident scenario simulations (tabletop exercises) to test the plan.
- Fast remediation processes.
Incident-notification procedures
NIS 2 imposes strict rules on incident notification:
- Clear protocols to report significant incidents within the directive's staged deadlines (early warning, then notification, then a final report). In France, notification goes to ANSSI.
- Detailed reports on the nature of the incident, the affected systems, the likely root cause and the remediation applied.
- Internal communication channels to ensure fast information sharing, so that the first notification is not delayed while details are still being gathered.
Cybersecurity team training
A frequent source of security gaps is the human factor. Train your teams to:
- Identify potential threats (phishing, malware, social engineering).
- Follow procedures for IT use, password management and access to sensitive data.
- React quickly and report an incident as soon as it is suspected.
Continuous monitoring and regular audits
Once measures are deployed, ensure continuous monitoring:
- Monitoring tools tracking system and user behaviour in real time.
- Regular security audits verifying that policies are applied.
- Penetration tests to evaluate the robustness of the measures against a real attacker.
Tools and solutions for NIS 2 compliance
Technology solutions, especially SaaS tools, can help. Solutions like Make IT Safe offer a centralised platform to:
- Track security audits.
- Coordinate corrective actions.
- Manage third-party risks.
- Supervise compliance across entities.
Internal team training and awareness
Team training is fundamental. Raise employee awareness of what is at stake in cybersecurity.
Employees must be trained on:
- Cyber risks and how to recognise them.
- Incident procedures.
- Digital best practices: strong passwords, access management, phishing detection.
NIS 2, GDPR, ISO 27001 and DORA: what synergy for cybersecurity?
Complementarity between NIS 2 and GDPR
NIS 2 and GDPR share several security goals but protect different things. GDPR focuses on the protection of personal data and privacy; NIS 2 focuses on the security of the networks and information systems themselves, whether or not personal data is involved.
There is a natural synergy. Companies compliant with GDPR have already deployed some of the required security measures, which eases the path to NIS 2, but NIS 2 goes further on infrastructure and network protection. One practical consequence: a single incident may have to be reported twice, as a personal-data breach to the data-protection authority under GDPR (within 72 hours) and as a significant incident to the NIS 2 authority or CSIRT, each with its own deadlines and content requirements.
Integrating NIS 2 in a global compliance framework (ISO 27001, DORA)
ISO 27001 is often used as a base to structure information-security management. The NIS 2 measures (risk analysis, incident handling, business continuity, supply-chain security, access control, cryptography) map well onto the controls of an ISMS as defined by ISO 27001, although certification alone does not prove NIS 2 compliance: the notification deadlines and management-liability rules are specific to the directive.
DORA (Regulation (EU) 2022/2554) applies specifically to the financial sector. For financial entities covered by DORA, its ICT risk-management and incident-reporting rules take precedence over the corresponding NIS 2 provisions, so those entities follow DORA's reporting regime rather than duplicating it under NIS 2.
Integrating NIS 2 into a global compliance framework enables a holistic cybersecurity approach and avoids maintaining separate, overlapping control sets for each regulation.

Penalties for non-compliance
What penalties does the directive set?
NIS 2 sets strict penalties for non-compliant entities:
- Financial fines: for essential entities, up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to EUR 7 million or 1.4% of turnover.
- Corrective measures: authorities can issue binding instructions, order audits and, for essential entities, temporarily suspend certifications or authorisations.
- Leadership liability: management bodies can be held liable for infringements, and for essential entities the authority can temporarily prohibit a responsible executive from exercising managerial functions until the breach is remedied.
How to avoid penalties
- Anticipate requirements with regular security audits and a documented risk-management process.
- Collaborate with the authorities: maintain an open dialogue with the national competent authority, such as ANSSI in France.
- Deploy action plans: fast corrective plans, with every step documented as evidence of due diligence.
- Train teams: regular training reduces the risk of human error.
Why adopt a SaaS solution to steer NIS 2 compliance?
Benefits of a SaaS solution
A SaaS solution for steering NIS 2 compliance offers several benefits:
- Centralised management of risks and corrective actions.
- Easier collaboration between stakeholders.
- Automated collection of evidence for compliance audits.
- Structured tracking of security incidents and of their notification.

How your SaaS solution helps manage NIS 2 compliance
The Make IT Safe solution offers a range of features to help CISOs and DPOs steer cybersecurity and support NIS 2 compliance. Through a single interface you can track audits, manage third-party risks, coordinate actions with internal and external teams and follow the state of compliance over time.
