
What Is the NIS2 Directive? 

NIS2, or the Network and Information Systems Directive 2, is an EU law that aims to improve cybersecurity across the EU by setting mandatory cybersecurity requirements for a wider range of sectors and entities than its predecessor. Organizations must comply with NIS2 by implementing security measures, reporting incidents, and ensuring their management is accountable for compliance. Non-compliance can lead to significant penalties: the directive sets maximum fines of EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever is higher.

The NIS2 Directive (Directive (EU) 2022/2555) expands and strengthens the original NIS Directive of 2016 (Directive (EU) 2016/1148). Its aim is to achieve a higher common level of cybersecurity across the EU by addressing the gaps and inconsistencies exposed in the earlier framework. Because it is a directive rather than a regulation, it is applied through national law: member states had until 17 October 2024 to transpose it, and the precise scope, procedures and penalties an organization faces come from that national transposition.

NIS2 requires both private and public organizations operating critical and important services to implement stringent risk management, reporting, and technical controls. In-scope organizations are classified as either essential or important entities, which determines how closely they are supervised and the penalties they face. The directive places particular emphasis on sectors such as energy, healthcare, transportation, and digital infrastructure, alongside a range of other essential and important entities.

Key Compliance Requirements Under NIS2 

Governance and Corporate Accountability

NIS2 raises the expectations on organizational leadership. Senior executives and boards must actively direct and monitor cybersecurity activities. This includes approving security policies, allocating resources for risk management, and ensuring security is integrated into core business planning. 

Leaders are expected to have sufficient knowledge of cyber risks to make informed decisions, and they must document how these decisions are made; the directive also requires members of management bodies to follow cybersecurity training themselves. Regular reports on cybersecurity posture should be reviewed at the board level. If an organization is found in breach of its obligations, its management body can be held liable, and for essential entities the competent authority may temporarily prohibit individuals such as the CEO or legal representative from exercising managerial functions, in addition to financial penalties imposed on the entity.

Risk Management Policies and Procedures

Under NIS2, risk management must be proactive and continuous. Organizations should maintain a risk register that catalogs threats, vulnerabilities, and associated impacts. These assessments should go beyond IT systems to include operational technology, cloud services, and third-party dependencies. 

Supply chain risks are a particular focus, with an expectation to evaluate vendors' security practices and include contractual requirements for incident reporting and remediation. Policies should define security baselines, access control standards, encryption requirements, and network monitoring practices. Risk assessments should be reviewed at least annually and after significant incidents so that they reflect changes in the threat environment; the directive does not fix an interval itself, but it does expect measures to remain proportionate to the current risk.

Incident Response and Crisis Management

The directive (Article 23) imposes strict timelines for reporting significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours of becoming aware, and a final report no later than one month after that incident notification (an intermediate status update may also be requested in between). The clock starts when the entity becomes aware of the incident, not when a tool first logged it, so detection-to-triage latency eats directly into the 24-hour window. Incident response plans must clearly define incident categories, response priorities, and decision-making authority. 

Plans should include technical procedures for containment and recovery, as well as public relations and legal considerations. Testing these plans through tabletop exercises and simulated attacks is expected: the directive requires policies and procedures for assessing the effectiveness of risk-management measures, and an untested plan cannot meet that bar or ensure staff act quickly under pressure. Organizations must also coordinate with national computer security incident response teams (CSIRTs) or other designated authorities during major incidents.

Business Continuity and Disaster Recovery Planning

NIS2 requires that business continuity and disaster recovery plans are not static documents but living processes. Plans should include detailed recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical services. Backup systems must be tested regularly, with secure, offline storage for essential data. 

Continuity strategies should account for both cyber-specific disruptions, such as ransomware, and non-cyber events, such as natural disasters. Periodic drills should involve both IT teams and business units to ensure coordinated response. Post-incident reviews are required to update and improve recovery capabilities.

Use of Recognized Frameworks

Adopting a recognized cybersecurity framework is encouraged because it provides a structured approach to compliance. ISO/IEC 27001 offers an information security management system (ISMS) model, while the NIST Cybersecurity Framework organizes controls around identifying, protecting, detecting, responding, and recovering from cyber incidents (version 2.0 adds a Govern function that maps well onto NIS2's management accountability requirements). 

CIS controls offer prioritized steps for improving security posture. Organizations can integrate these frameworks into their internal controls to ensure consistent implementation and easier audit preparation. Cross-referencing NIS2 requirements with chosen frameworks also enables reporting to regulators.

Training and HR Controls

A compliant training program must be role-specific—general awareness for all staff, technical security training for IT and operational teams, and governance-focused sessions for executives. Training should be frequent enough to reflect emerging threats, using methods such as phishing simulations, interactive modules, and scenario-based exercises. 

HR controls must support security by enforcing pre-employment background checks where legally permissible, applying the principle of least privilege in access assignments, and implementing automated processes to revoke access rights when roles change or employment ends. Employee contracts should explicitly state security responsibilities, and compliance should be monitored and documented.
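The automated joiner/mover/leaver process described above (and again under identity and access management later on the page) boils down to a reconciliation between the HR system of record and the identity store. The following is an added example, not code from the article or from Faddom: the HR records, accounts and role-to-group mapping are constructed sample data, and the field names are assumptions about what an HR export and a directory expose.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and an identity store.

Added example; not code from the article or from Faddom. The HR records,
accounts and the role-to-group mapping are constructed sample data, and the
field names are assumptions about what an HR export and directory expose.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role-to-entitlement mapping: the only groups a role may hold.
# Anything outside this set is treated as excess privilege to be revoked.
ROLE_GROUPS: dict[str, set[str]] = {
    "developer": {"vpn", "git", "ci"},
    "sre": {"vpn", "git", "ci", "prod-admin"},
    "finance": {"vpn", "erp"},
}


@dataclass
class HrRecord:
    user: str
    role: str
    end_date: Optional[date] = None  # None while still employed


@dataclass
class Account:
    user: str
    enabled: bool
    groups: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Action:
    user: str
    kind: str  # "disable", "revoke", "grant" or "orphan"
    groups: frozenset[str] = frozenset()


def reconcile(hr: list[HrRecord], accounts: list[Account], today: date) -> list[Action]:
    """Return the changes needed to make the identity store match HR.

    Leaver: end_date on or before today -> disable and strip all groups.
    Mover:  groups outside the current role's allowed set are revoked and
            missing ones granted, so a role change never accumulates access.
    Orphan: an account with no HR record is flagged rather than silently kept;
            service accounts need an explicit owner record to escape this rule.
    """
    hr_by_user = {r.user: r for r in hr}
    actions: list[Action] = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            actions.append(Action(acct.user, "orphan", frozenset(acct.groups)))
            continue
        if rec.end_date is not None and rec.end_date <= today:
            if acct.enabled or acct.groups:
                actions.append(Action(acct.user, "disable", frozenset(acct.groups)))
            continue
        allowed = ROLE_GROUPS.get(rec.role, set())  # unknown role -> no entitlements
        extra = acct.groups - allowed
        missing = allowed - acct.groups
        if extra:
            actions.append(Action(acct.user, "revoke", frozenset(extra)))
        if missing:
            actions.append(Action(acct.user, "grant", frozenset(missing)))
    return actions


def demo() -> list[Action]:
    """Run the reconciliation over constructed sample data."""
    hr = [
        HrRecord("alice", "sre"),
        HrRecord("bob", "developer", end_date=date(2024, 5, 31)),  # left last week
        HrRecord("carol", "finance"),  # moved from developer to finance
    ]
    accounts = [
        Account("alice", True, {"vpn", "git", "ci", "prod-admin"}),
        Account("bob", True, {"vpn", "git", "ci"}),
        Account("carol", True, {"vpn", "git", "ci"}),
        Account("svc-legacy", True, {"prod-admin"}),  # nobody in HR owns this
    ]
    return reconcile(hr, accounts, today=date(2024, 6, 3))


if __name__ == "__main__":
    for a in demo():
        print(a.kind, a.user, sorted(a.groups))
```

Two design points matter for an auditor: the mover case replaces the entitlement set rather than adding to it, which is what actually enforces least privilege on role changes, and orphaned accounts are surfaced as findings instead of being ignored, so a departed contractor's or an unowned service account's access cannot survive just because HR never knew about it.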


Lanir Shacham
CEO, Faddom

Lanir specializes in founding new tech companies for enterprise software: assembling and nurturing a great team, taking them from early-stage funding to late-stage growth, from one design partner to hundreds of enterprise customers, from MVP to enterprise-grade product, from low-level kernel engineering to AI/ML and big data, and from one advisory board to a long list of shareholders and board members from the world's largest VCs.

Tips from the Expert

In my experience, here are tips that can help you better achieve and sustain NIS2 compliance beyond the standard controls.

  1. Map obligations to business risk appetite

    Instead of treating NIS2 as a checklist, align each control to the organization’s defined risk tolerance so leadership can prioritize investments that meaningfully reduce exposure.
  2. Establish a compliance “kill chain” model

    Visualize how a potential incident could progress through the environment and link each NIS2 requirement to specific breakpoints where the organization can disrupt that chain.
  3. Embed compliance triggers in CI/CD pipelines

    Integrate NIS2-related checks—such as dependency vulnerability scanning or access reviews—directly into DevOps workflows to prevent violations before code reaches production.
  4. Correlate NIS2 metrics with business KPIs

    Show executives how incident response times, patch latency, or supplier security scores directly affect uptime, revenue, or customer trust to maintain funding and engagement.
  5. Use cross-border incident playbooks

    For multinational operations, prepare templates that account for varying national CSIRT processes and reporting formats so compliance deadlines are met in every jurisdiction.

Best Practices for Implementing NIS2 Compliance 

Organizations can improve their NIS2 compliance by following these practices.

1. Gap Analysis and Scoping

A thorough gap analysis begins with mapping NIS2 requirements against existing security controls, governance processes, and incident response capabilities. This should be done in collaboration between IT, security, compliance, and operational teams to ensure no domain is overlooked. 

Break the directive’s obligations into measurable criteria—such as reporting timelines, supply chain risk checks, and management accountability measures—and assess the organization’s current maturity in each area.

Use established assessment tools or checklists where possible to avoid subjective evaluation. Clearly define the scope, including subsidiaries, joint ventures, and cross-border operations that fall under the directive. For complex organizations, a phased approach can help address high-risk areas first while planning longer-term remediation for lower-priority items. 

2. Maintain an Updated Asset Inventory

Asset management under NIS2 should be dynamic, not static. This means implementing tools that can automatically discover new devices, applications, and services as they appear on the network. The inventory should include technical details (IP addresses, MAC addresses, firmware versions) and business context (owner, criticality rating, dependency mapping). 

Tag assets based on their role in critical or important services as defined under NIS2. This classification enables targeted security controls for high-value assets and ensures they are included in business continuity and disaster recovery plans.

Incorporating vulnerability management into the inventory process ensures assets are linked to patch status and known security issues. Periodically reconcile automated asset lists with physical and software license inventories to detect unauthorized devices or applications. 
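The reconciliation step above, in code. This is an added example rather than the article's or Faddom's implementation: the discovery output, CMDB rows and vulnerability findings are constructed sample data, and the field names, the criticality scale and the finding identifiers are assumptions.

```python
"""Reconcile automatically discovered assets against the CMDB and open findings.

Added example; not the article's or Faddom's code. The discovery output, the
CMDB rows and the vulnerability findings are constructed sample data, and the
field names, criticality labels and finding ids are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Discovered:
    ip: str
    mac: str
    hostname: str
    firmware: str


@dataclass(frozen=True)
class CmdbEntry:
    mac: str
    owner: str
    criticality: str  # "critical", "important" or "standard" (assumed scale)
    service: str      # business service the asset supports


def reconcile_assets(
    discovered: list[Discovered],
    cmdb: list[CmdbEntry],
    open_findings: dict[str, set[str]],  # mac -> unresolved finding ids
) -> dict[str, list]:
    """Join discovery output and CMDB on MAC address.

    IPs move with DHCP, so the MAC is used as the correlation key. It is only a
    reconciliation key, not proof of identity: a spoofed MAC will match a CMDB
    row, so a match is a starting point for review, never an authorization.
    """
    cmdb_by_mac = {e.mac: e for e in cmdb}
    seen = {d.mac for d in discovered}
    report: dict[str, list] = {
        "unauthorized": [],        # on the network, not in the CMDB
        "stale": [],               # in the CMDB, not seen by discovery
        "critical_unpatched": [],  # critical/important assets with open findings
    }
    for d in discovered:
        entry = cmdb_by_mac.get(d.mac)
        if entry is None:
            report["unauthorized"].append((d.ip, d.mac, d.hostname))
            continue
        findings = open_findings.get(d.mac, set())
        if entry.criticality in ("critical", "important") and findings:
            report["critical_unpatched"].append(
                (entry.service, d.hostname, d.firmware, sorted(findings))
            )
    for entry in cmdb:
        if entry.mac not in seen:
            report["stale"].append((entry.service, entry.mac, entry.owner))
    return report


def demo() -> dict[str, list]:
    """Run the reconciliation over constructed sample data."""
    discovered = [
        Discovered("10.0.1.10", "aa:bb:cc:00:00:01", "erp-db-01", "fw 4.2"),
        Discovered("10.0.1.11", "aa:bb:cc:00:00:02", "hr-web-01", "fw 3.9"),
        Discovered("10.0.1.57", "aa:bb:cc:00:00:99", "unknown-laptop", "fw 1.0"),
    ]
    cmdb = [
        CmdbEntry("aa:bb:cc:00:00:01", "dba-team", "critical", "ERP"),
        CmdbEntry("aa:bb:cc:00:00:02", "hr-it", "standard", "HR portal"),
        CmdbEntry("aa:bb:cc:00:00:03", "plant-ops", "critical", "SCADA historian"),
    ]
    # Constructed finding ids from a hypothetical scanner export.
    open_findings = {
        "aa:bb:cc:00:00:01": {"F-2024-017"},
        "aa:bb:cc:00:00:02": {"F-2024-003"},
    }
    return reconcile_assets(discovered, cmdb, open_findings)


if __name__ == "__main__":
    for bucket, rows in demo().items():
        print(bucket, rows)
```

The "stale" bucket is the one teams most often skip: a critical asset that the CMDB still lists but discovery no longer sees is either decommissioned without the record being closed, or segmented away from the scanner, and both cases need a human decision before the next continuity drill relies on it.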

3. Implement Regular Security Awareness Training

Effective security training must address both human error and intentional misuse. Begin with a baseline assessment of employee security knowledge to tailor the curriculum. For example, administrative staff may need more focus on phishing and document handling, while developers need secure coding practices. 

Integrate training into the onboarding process and ensure updates occur at least quarterly to reflect evolving threat trends such as AI-enabled phishing, deepfake voice scams, or new ransomware tactics.

Incorporate simulated attack exercises—such as mock spear-phishing campaigns or USB drop tests—to measure real-world behavior, not just theoretical knowledge. All training should be documented, with completion records tied to employee files for audit purposes. Include escalation pathways in training, so staff know exactly how to report suspicious activity.

4. Enforce Strong Identity and Access Management

Robust IAM under NIS2 involves more than adding MFA—it requires a full lifecycle approach to user access. Implement automated provisioning systems that tie into HR databases, ensuring accounts are created, modified, and disabled in sync with employment changes. Audit privileged accounts regularly, removing unused ones and rotating credentials for active ones. 

Apply conditional access policies that factor in device health, location, and risk signals before granting access. Limit administrative privileges to dedicated admin accounts used solely for privileged tasks, with separate accounts for day-to-day work. Leverage security controls like passwordless authentication or hardware security keys where feasible. 

Log and monitor all access events, particularly for sensitive systems, and set alerts for unusual patterns such as after-hours logins or geographic anomalies. For external partners, use federated identity systems that allow fine-grained control without exposing core directories.
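As an added example of the access-event monitoring just described (not code from the article or from Faddom), here is detection logic for after-hours logins, logins from a country outside a user's baseline, and two logins from different countries too close together to be plausible travel. The log lines, the per-user baseline, the business-hours window and the fixed-UTC assumption are all constructed for the example.

```python
"""Flag suspicious access events in authentication logs.

Added example; not the article's or Faddom's code. The log format, the sample
lines, the per-user country baseline and the business-hours window are
constructed assumptions; times are treated as UTC for simplicity.
"""
from __future__ import annotations

import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<result>\S+)$"
)

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC; use site-local time in practice
TRAVEL_WINDOW_H = 2            # two countries within this window is "impossible travel"

# Constructed per-user baseline of countries seen over a trailing period.
BASELINE = {"alice": {"DE"}, "bob": {"FR", "DE"}}

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
2024-06-03T08:05:00Z user=alice src=203.0.113.5 country=DE result=success
2024-06-03T08:40:00Z user=bob src=203.0.113.9 country=FR result=success
2024-06-03T09:10:00Z user=bob src=198.51.100.7 country=BR result=success
2024-06-03T23:30:00Z user=alice src=203.0.113.5 country=DE result=success
2024-06-03T23:31:00Z user=alice src=198.51.100.22 country=US result=failure
2024-06-04T03:00:00Z user=carol src=203.0.113.40 country=DE result=success
"""


def parse(text: str) -> list[dict]:
    """Parse log lines; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": d["user"], "src": d["src"],
                       "cc": d["cc"], "ok": d["result"] == "success"})
    return events


def detect(events: list[dict], baseline: dict[str, set[str]],
           business_hours=BUSINESS_HOURS, travel_window_h=TRAVEL_WINDOW_H) -> list[tuple]:
    """Return (kind, user, detail) alerts for successful logins.

    Failed attempts are ignored here; a brute-force detector would count them
    separately. A user with no baseline at all is flagged on first sight, which
    is the safe default for a new or rarely used account.
    """
    alerts: list[tuple] = []
    last_ok: dict[str, dict] = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"]:
            continue
        if e["ts"].hour not in business_hours:
            alerts.append(("after_hours", e["user"], e["ts"].isoformat()))
        known = baseline.get(e["user"])
        if known is None or e["cc"] not in known:
            alerts.append(("new_country", e["user"], e["cc"]))
        prev = last_ok.get(e["user"])
        if prev and prev["cc"] != e["cc"] and \
                (e["ts"] - prev["ts"]).total_seconds() < travel_window_h * 3600:
            alerts.append(("impossible_travel", e["user"], f"{prev['cc']}->{e['cc']}"))
        last_ok[e["user"]] = e
    return alerts


def run_sample() -> list[tuple]:
    return detect(parse(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for kind, user, detail in run_sample():
        print(kind, user, detail)
```

In production the baseline would be derived from the log history itself and the business-hours check would use the user's or site's local timezone, but the structure is the same: every rule is a pure function of the event stream plus a small amount of per-user state, which is what makes it cheap to run continuously and easy to show to an auditor.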

5. Perform Routine Penetration Testing

Penetration testing should simulate realistic threat scenarios, not just theoretical vulnerabilities. Scope tests to include physical access where relevant, such as attempts to enter secure facilities or connect rogue devices to internal networks. Include tests of web applications, APIs, and remote access systems, as these are common entry points for attackers. 

Ensure testers have up-to-date threat intelligence so that attack methods reflect current adversary tactics, techniques, and procedures (TTPs). Following each engagement, prioritize remediation based on exploitability and potential impact, and assign deadlines for fixes. 

Integrate penetration testing results into the broader risk management process so they inform future security investments and control adjustments. Maintain records of testing scope, findings, remediation actions, and retest results to satisfy both internal governance and regulatory inquiries.

6. Monitor and Secure the Supply Chain

Supply chain monitoring under NIS2 extends beyond initial vendor vetting—it requires continuous oversight. Maintain a registry of all suppliers, contractors, and service providers with access to systems, data, or critical operational processes. Use a risk-based approach to categorize suppliers and determine the level of security assurance required. 

For high-risk suppliers, require regular security attestations, independent audit reports, or penetration testing results. Implement network segmentation and access restrictions to limit supplier exposure to only what is necessary. Monitor vendor accounts for unusual activity and enforce MFA for all external access. 

In contracts, mandate timely notification of security incidents and cooperation during incident investigations. Consider supply chain mapping to identify indirect dependencies, which can reveal hidden risks in sub-suppliers that may not be immediately obvious but could still disrupt operations.

7. Establish Continuous Compliance Monitoring

Continuous compliance requires integrating regulatory obligations into everyday security operations. Deploy centralized monitoring platforms that aggregate logs from firewalls, endpoint protection, identity systems, and other controls. Use automated compliance dashboards to track key metrics, such as incident response times, patching status, and training completion rates. 

Regularly cross-check these metrics against NIS2 requirements to detect compliance drift. Implement alerting systems for policy violations, such as unauthorized software installation or unapproved configuration changes. Schedule internal audits at set intervals and adjust controls based on findings. 

Ensure monitoring data is retained for the legally required period to support investigations and regulatory reviews. Documenting the results of compliance monitoring—along with corrective actions taken—demonstrates proactive governance, which can reduce penalties if incidents occur.


NIS2 Compliance with Faddom

Meeting the NIS2 requirements begins with achieving visibility, which is a challenge for many organizations. Faddom provides IT and security teams with a comprehensive, real-time map of every server, business application, and dependency across on-premises, cloud, and hybrid environments. This level of transparency enables you to identify risks, document assets, and continuously track changes—all essential components of NIS2 compliance. 

In addition to visibility, Faddom enhances compliance by improving risk management and governance. It uncovers hidden connections, detects shadow IT, and identifies unusual traffic patterns that may signal a security breach. This allows leadership to demonstrate due diligence, maintain accurate records, and meet the directive’s stringent accountability standards. By streamlining asset discovery, dependency mapping, and tracking processes, Faddom reduces blind spots and helps organizations remain resilient under NIS2. 

Book a demo today to learn how Faddom can help your organization achieve and maintain NIS2 compliance!