Last Updated on June 1, 2026 by Satyendra
Are companies genuinely aware of the changes brought by the NIS2 directive, or are they just relying on the current level of cybersecurity controls being adequate?
A lot of businesses consider themselves relatively safe if they are equipped with firewalls, endpoints are covered with protective measures, and security policies are documented.
However, NIS2 raises the required level of security controls substantially. As enforcement strengthens in 2026, organizations may be required to demonstrate their cybersecurity capabilities not only to regulators but also to customers, partners, and stakeholders. Cybersecurity is no longer just an IT concern; it has become a core business continuity and governance issue.
What is the NIS2 Compliance Directive and who must comply?
The NIS2 Compliance Directive is the European Union’s updated cybersecurity legislation that expands and strengthens the original Network and Information Systems (NIS) Directive. It seeks to establish a more uniform security baseline among EU member states while strengthening the cybersecurity resilience of vital and significant industries.
EU member states had to transpose NIS2 into national legislation by October 17, 2024. An organization in one of the following sectors that meets the relevant size and operational criteria may be required to comply:
- Energy
- Healthcare
- Banking and Financial Services
- Transportation
- Digital Infrastructure
- Public Administration
- Manufacturing
- Telecommunications
- Food Production and Distribution
- Cloud and managed service providers
- Data Centers
- Water and Waste Management
Key NIS2 Compliance Requirements
The European Union’s NIS2 compliance will impose more rigorous cybersecurity and compliance requirements on organizations that operate in critical and major sectors. The directive aims to enhance cyber resilience, lower the risks of disruptions, and ensure a rapid response to security incidents in the EU.
NIS2 places direct responsibility on senior management to oversee cybersecurity measures and ensure compliance. Its requirements include:
- Cybersecurity Risk Management Measures
- Incident Detection and Reporting
- Supply Chain Security Controls
- Vulnerability Management
- Continuous Monitoring and Logging
- Governance Oversight and Executive Accountability
Why Organizations Struggle with NIS2 Compliance
Although NIS2 has already come into force, many organizations are still struggling to comply. They often treat NIS2 compliance mainly as a data protection matter and therefore invest heavily in encryption, data masking, classification, and data protection tools.
Even though these measures are part of the solution, they tend to miss a much larger issue: who accessed sensitive information, and how their permissions have been used across the entire environment.
In most organizations, data security tools operate separately from identity systems such as Active Directory, where user permissions, privilege escalation, and access rights are managed.
That is why security teams now refer to this situation as the “identity-data disconnect”: a gap between who has access (identity) and what they can access (data), whether they hold excessive permissions, and how risky behaviour develops over time.
This gap becomes more dangerous under NIS2 as the regulation focuses on operational resilience, accountability, incident response readiness, and continuous risk management, not merely data discovery.
Still, many organizations treat compliance as a one-time exercise. With hybrid infrastructures spread across cloud platforms, SaaS applications, file servers, and AI-enabled environments, the security team’s main challenge is to maintain unified visibility of identity permissions, sensitive data exposure, and insider activity.
To bridge this gap, companies need to integrate their data-centric security controls with identity intelligence, access governance, behavioural monitoring and continuous auditing to become fully compliant with NIS2.
Essential Vs. Important Entities: Determining Your Compliance Scope
The first action step in NIS2 Directive Compliance is to determine if your organization has been categorized as an essential or important entity. This categorization is important as it affects the extent of regulatory supervision, audit requirements, enforcement measures, and incident reporting duties that the organization has to comply with.
Essential Entities
Essential entities are connected to extremely critical sectors where even minor disruptions can have a major impact on public safety, national security, economic stability, or the provision of essential services.
Such organizations must undergo strict monitoring, regular auditing, and the implementation of robust enforcement measures due to NIS2. Energy providers, hospitals, banking institutions, water utilities, transport operators, and digital infrastructure providers fall into this category.
Important Entities
Important entities are usually involved in the operation of critical sectors but overall, they are less intensively regulated than essential entities.
They must still meet NIS2 cybersecurity and reporting requirements, but supervision is reactive, triggered by incidents, rather than proactive. Manufacturing companies, food suppliers, postal and courier services, research organizations, digital providers, and some ICT service providers are examples.
NIS2 Compliance Checklist: Requirements by Category
Achieving NIS2 Compliance requires organizations to make operational, technical, and governance adjustments. Here is a detailed checklist, categorized by types of requirements.
1. Governance and Executive Accountability
With NIS2, the accountability for cybersecurity is directly assigned to the senior leadership and management teams. Organizations must set up their governance structures and make sure that cybersecurity is a part of the overall enterprise decision making.
Checklist
- Establish Cybersecurity governance structures
- Define roles and responsibilities for compliance
- Carry out executive cybersecurity reporting procedures
- Include Cyber risks in the enterprise risk management setup
- Keep records of cybersecurity decision-making processes
Recommended Strategies
Set up a specially appointed cybersecurity steering committee that takes charge of compliance initiatives, risk management activities, and ensures regulatory readiness.
2. Risk Management and Security Assessments
Organizations today are required to implement a cybersecurity approach that ensures risk-based controls are aligned not only with operational threats but also with business priorities.
Checklist
- Conduct enterprise-wide cybersecurity risk assessments
- Identify critical assets and systems
- Map sensitive and regulated data
- Perform threat-modeling exercises
- Prioritize risks based on business impact
- Review and update risk assessments regularly
Recommended Areas to Assess
- Cloud Environments
- Active Directory Infrastructure
- Endpoints and Servers
- Privileged Accounts
- Remote access systems
3. Identity and Access Management
Strong identity and access controls at the core not only stop unauthorized access but also reduce insider threats and credential misuse.
Checklist
- Require multi-factor authentication (MFA)
- Set access rights based on the principle of least privilege
- Track activities of privileged accounts
- Remove dormant and inactive accounts
- Implement role-based access controls (RBAC)
- Conduct periodic access reviews
Recommended Technologies
The technologies recommended for IAM:
- Privileged Access Management (PAM)
- Single Sign-On (SSO)
- Conditional access solutions
- Identity Governance and Administration (IGA)
4. Security Monitoring and Threat Detection
NIS2 demands continuous monitoring and rapid identification of threats to reduce the impact of cyber incidents as much as possible.
Checklist
- Collect security logs in a centralized location
- Use a SIEM solution for continuous monitoring
- Identify suspicious user login activity
- Record attempts to gain higher privileges
- Recognize unauthorized configuration changes
- Monitor cloud activity and data movement
- Store logs securely for audits and investigations
Recommended systems to monitor
The systems to monitor would include Domain Controllers, File servers, databases, SaaS applications, and cloud workloads.
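As an added example (not code from the original article or from Lepide’s product), the following Python script runs three of the detections from the monitoring checklist above, and the dormant-account review from the identity checklist, over a handful of constructed audit events: a burst of failed logons followed by a success from the same source, an account added to a privileged group, and accounts with no successful logon inside the review window. The JSON field names, group names, thresholds and the sample events are all assumptions made for this example; map them to the schema of your own SIEM or audit log.

```python
"""Added example (not part of the original article): a minimal detection pass
over constructed, JSON-formatted security events. Field names, thresholds and
the events themselves are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_EVENTS = """
{"ts": "2026-03-01T08:00:00", "type": "logon", "user": "alice", "result": "success", "src": "10.0.0.5"}
{"ts": "2026-03-01T08:01:00", "type": "logon", "user": "bob", "result": "failure", "src": "198.51.100.7"}
{"ts": "2026-03-01T08:01:20", "type": "logon", "user": "bob", "result": "failure", "src": "198.51.100.7"}
{"ts": "2026-03-01T08:01:40", "type": "logon", "user": "bob", "result": "failure", "src": "198.51.100.7"}
{"ts": "2026-03-01T08:02:00", "type": "logon", "user": "bob", "result": "failure", "src": "198.51.100.7"}
{"ts": "2026-03-01T08:02:30", "type": "logon", "user": "bob", "result": "success", "src": "198.51.100.7"}
{"ts": "2026-03-01T08:05:00", "type": "group_change", "actor": "bob", "target": "svc_backup", "group": "Domain Admins", "action": "add"}
{"ts": "2026-03-01T09:00:00", "type": "group_change", "actor": "alice", "target": "carol", "group": "Helpdesk", "action": "add"}
{"ts": "2025-10-01T10:00:00", "type": "logon", "user": "dave", "result": "success", "src": "10.0.0.9"}
"""

# Assumed policy values: which groups count as privileged, how many failures
# in what window are suspicious, and how long an account may go unused.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
FAILURE_THRESHOLD = 4
FAILURE_WINDOW = timedelta(minutes=5)
DORMANT_AFTER = timedelta(days=90)


def parse_events(text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logons(events):
    """Flag a (user, source) pair when FAILURE_THRESHOLD or more failures inside
    FAILURE_WINDOW are followed by a success: a guessing attempt that worked."""
    failures = defaultdict(list)
    findings = []
    for ev in events:
        if ev["type"] != "logon":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
        else:
            recent = [t for t in failures[key] if ev["ts"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append({"user": ev["user"], "src": ev["src"],
                                 "failures": len(recent), "success_at": ev["ts"]})
            failures[key] = []
    return findings


def detect_privilege_escalation(events):
    """Every addition to a privileged group is an escalation event to review."""
    return [ev for ev in events
            if ev["type"] == "group_change" and ev["action"] == "add"
            and ev["group"] in PRIVILEGED_GROUPS]


def detect_dormant_accounts(events, known_users, now):
    """Accounts with no successful logon within DORMANT_AFTER (or never)."""
    last_seen = {}
    for ev in events:
        if ev["type"] == "logon" and ev["result"] == "success":
            last_seen[ev["user"]] = max(last_seen.get(ev["user"], ev["ts"]), ev["ts"])
    return [u for u in sorted(known_users)
            if last_seen.get(u) is None or now - last_seen[u] > DORMANT_AFTER]


def run(text=SAMPLE_EVENTS, now=datetime(2026, 3, 2)):
    """Run all three detections; 'known' is the constructed account inventory."""
    events = parse_events(text)
    known = {"alice", "bob", "carol", "dave", "svc_backup"}
    return {"suspicious_logons": detect_suspicious_logons(events),
            "privilege_escalation": detect_privilege_escalation(events),
            "dormant": detect_dormant_accounts(events, known, now)}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

The dormant-account check deliberately treats an account that has never logged on as dormant, which is how service accounts that were provisioned but never used tend to surface during an access review.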
5. Incident Response and Reporting
Organizations are required to set up documented incident response processes and meet the strict reporting deadlines specified by NIS2.
Checklist
- Create an incident response plan
- Develop escalation workflows
- Set up forensic investigation procedures
- Identify incident classification criteria
- Keep internal and external communication plans
NIS2 Reporting Obligations Include
- Early warning notifications within 24 hours
- Incident notifications within 72 hours
- Final reporting after incident resolution
6. Supply-Chain and Third-Party Risk Management
NIS2 emphasizes the security of vendors, suppliers, and third-party service providers who might expose organizations to cyber threats.
Checklist
- Keep an up-to-date record of all vendors
- Verify the cybersecurity measures of third parties
- Examine security-related clauses in contracts
- Control and regularly check vendor access permissions
- Define clear procedures for suppliers’ incident notifications
- Periodically perform vendor risk evaluation
Recommended Vendor Categories
- Cloud providers
- SaaS vendors
- Managed Service Providers (MSPs)
- Software suppliers
7. Business Continuity and Disaster Recovery
Operational resilience is at the heart of the NIS2 directive. Ensuring your critical services are still up and running in times of cybersecurity breaches or other types of operational disruptions is essential for demonstrating operational resilience.
Checklist
- Maintain a business continuity plan
- Keep secure offline backups
- Regularly check if the recovery procedures work
- Define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
- Conduct disaster recovery drills
- Maintain a crisis communication plan
Recommended Approach
To verify resilience and recovery capabilities, conduct ransomware recovery simulations at least once a year.
8. Vulnerability and Patch Management
The ability to detect, evaluate, and fix security vulnerabilities before they are exploited by attackers continues to be a foundational control for any security program.
Checklist
- Conduct vulnerability scans regularly
- Develop official patch management procedures
- Monitor remediation deadlines
- Prioritize high-risk vulnerabilities
- Identify obsolete or legacy systems
- Perform security update tests before rollout
Recommended Approach
The recommended approach would include weekly vulnerability scanning, monthly patch review, and quarterly penetration testing.
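The remediation-deadline tracking and risk-based prioritization described in this checklist can be made concrete with a small tracker. The following Python script is an added example, not code from the original article or from Lepide; the per-severity remediation windows are an assumed organizational policy (NIS2 does not prescribe them), and the scan findings are constructed for illustration.

```python
"""Added example (not part of the original article): tracking vulnerability
remediation deadlines by severity, ranking overdue findings by risk, and
computing a patch compliance rate. Windows and findings are assumptions."""
from datetime import date, timedelta

# Assumed remediation windows per severity: an organizational policy choice.
REMEDIATION_SLA = {
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=180),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scan findings (not real). "fixed" is None while the finding is open.
FINDINGS = [
    {"id": "F-1", "host": "web01", "severity": "critical", "discovered": "2026-01-05",
     "fixed": "2026-01-09", "internet_facing": True},
    {"id": "F-2", "host": "db01", "severity": "high", "discovered": "2026-01-05",
     "fixed": None, "internet_facing": False},
    {"id": "F-3", "host": "vpn01", "severity": "critical", "discovered": "2026-01-20",
     "fixed": None, "internet_facing": True},
    {"id": "F-4", "host": "legacy-erp", "severity": "medium", "discovered": "2025-09-01",
     "fixed": None, "internet_facing": False, "legacy": True},
    {"id": "F-5", "host": "ws17", "severity": "low", "discovered": "2026-02-01",
     "fixed": "2026-02-03", "internet_facing": False},
]
TODAY = date(2026, 2, 10)  # fixed reference date so the example is reproducible


def due_date(finding):
    """Remediation deadline: discovery date plus the window for its severity."""
    return date.fromisoformat(finding["discovered"]) + REMEDIATION_SLA[finding["severity"]]


def is_within_sla(finding, today):
    """Closed findings are judged by their fix date; open ones against today."""
    closed_on = date.fromisoformat(finding["fixed"]) if finding["fixed"] else today
    return closed_on <= due_date(finding)


def overdue_findings(findings, today):
    """Open findings past their deadline, highest risk first: severity, then
    internet exposure, then the longest-overdue deadline."""
    open_overdue = [f for f in findings if f["fixed"] is None and today > due_date(f)]
    return sorted(open_overdue,
                  key=lambda f: (SEVERITY_RANK[f["severity"]], not f["internet_facing"], due_date(f)))


def patch_compliance_rate(findings, today):
    """Percentage of findings remediated (or still open) within their window."""
    return 100.0 * sum(is_within_sla(f, today) for f in findings) / len(findings)


def legacy_systems(findings):
    """Hosts tagged as legacy in the findings, for the obsolete-systems inventory."""
    return sorted({f["host"] for f in findings if f.get("legacy")})


if __name__ == "__main__":
    for f in overdue_findings(FINDINGS, TODAY):
        print(f"OVERDUE {f['id']} {f['host']} {f['severity']} due {due_date(f)}")
    print(f"patch compliance: {patch_compliance_rate(FINDINGS, TODAY):.1f}%")
    print("legacy systems:", legacy_systems(FINDINGS))
```

Ranking internet-facing findings above internal ones of the same severity is the simplest form of the business-impact prioritization the checklist asks for; a real program would extend the sort key with asset criticality from the risk assessment.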
9. Security Awareness and Workforce Training
Human error is still the major factor in cybersecurity breaches, which makes employee awareness training a very important compliance requirement.
Checklist
- Provide phishing awareness training
- Teach employees how to report incidents
- Educate users about keeping credentials safe
- Use role-based cybersecurity training
- Conduct simulated phishing campaigns
- Train executives on cyber risk governance
Recommended Approach
Developing a security culture throughout the company helps in lowering the risk as well as enhancing the overall compliance readiness per NIS2.
What Documentation and Evidence are required for NIS2 audits
NIS2 controls must be fully documented in the audit trail in addition to being implemented. Documentation is essential to the compliance process.
- Policies and Procedures Documentation: Organizations need to maintain and update security policies and operational procedures that establish how security risks are handled in the organization. These can include:
  - Information security policies
  - Access control policies and procedures
  - Incident response procedures
  - Backup and recovery procedures
  - Vendor risk management policies
- Risk Assessment and Remediation Records: NIS2 mandates that companies continually identify and manage cyber risks. Organizations should document:
  - Risk assessment details
  - Threat evaluations
  - Identified vulnerabilities
  - Mitigation procedures
- Audit Monitoring and Security Evidence: Organizations should retain and review operational security logs to demonstrate that their monitoring tools detect security violations. This can include maintaining:
  - Security logs
  - Incident alerts
  - Privileged user activity logs
  - Access review logs
  - Incident investigation reports
- Security Awareness and Training Records: Employee cybersecurity awareness is a key aspect of NIS2 compliance. Organizations should maintain records of:
  - Security awareness programs
  - Executive cybersecurity training
  - Phishing simulation exercises
  - Role-based training activities
- Compliance Reporting and Governance Evidence: Regulators might also look for evidence of governance oversight and compliance reporting. Examples include:
  - Internal audit reports
  - Cybersecurity dashboards
  - Regulatory submissions
  - Security metrics
  - Key performance indicators (KPIs)
- Audit Readiness Best Practices: Maintaining this documentation supports ongoing compliance, executive attention, and risk visibility. Organizations should:
  - Standardize documentation policies
  - Centralize compliance records
  - Eliminate duplicate document versions
Common NIS2 Compliance Gaps and How to Address Them
Many organizations encounter the same challenges during their NIS2 compliance assessment. Addressing these gaps early limits their effect on compliance.
1. Lack of Asset Visibility
Problem: Most organizations lack comprehensive visibility into users’ devices, cloud resources and privileged accounts, resulting in security blind spots.
Solution: Employ centralised asset discovery and identity visibility tools that keep an up-to-date record of all assets.
2. Weak Privileged Access Controls
Problem: Excessive permissions and unmanaged admin accounts increase the risk of unauthorized access and breaches.
Solution: Implement Privileged Access Management (PAM) tools and enforce least privilege access policies.
3. Inadequate Monitoring and Logging
Problem: Without centralized monitoring, organizations may fail to detect suspicious activity.
Solution: Deploy SIEM platforms with real-time monitoring, alerting and log analysis capabilities.
4. Limited Supply Chain Oversight
Problem: Organizations often fail to adequately monitor cybersecurity risks associated with third-party vendors.
Solution: Develop a vendor risk management program and assess supplier security requirements on a regular basis.
5. Inconsistent Incident Response Procedures
Problem: Many organizations lack well-established processes for escalating, responding to, or reporting incidents.
Solution: Create formal incident response playbooks and conduct regular testing exercises.
6. Manual Compliance Tracking
Problem: Tracking compliance through spreadsheets is inefficient and raises audit risk.
Solution: Automate compliance monitoring, reporting, and evidence collection.
Lepide’s Framework for Getting Started with NIS2 Compliance
Many organizations begin with their NIS2 journey by focusing on isolated security controls such as endpoint protection, data classification, or compliance documentation.
However, to meet the new directive, organizations need to exhibit continuous cyber resilience, visibility, and accountability, and must also be able to quickly respond to incidents in hybrid environments.
Lepide’s framework approaches NIS2 readiness from an identity-first security model, recognizing that identities, permissions, and access pathways are often the primary attack surface exploited in modern breaches.
Here is where Lepide believes organizations need to focus first:
- Real-Time Security Monitoring: Organizations should implement near real-time monitoring of core business systems and environments so that malicious activity or threats are identified without delay. This should include:
  - Active Directory
  - Core data stores
  - Exchange
  - Microsoft Copilot
  - Other core business applications
- Compliance Dashboards: Security and executive teams should have a consolidated dashboard that provides visibility into the organization’s cybersecurity posture. It should track:
  - Risk scores
  - Incident trends
  - Vulnerability status
  - MFA adoption
  - Privileged account visibility
- Automated Alerting: Automated alerting is critical for identifying security events that demand escalation. Organizations need to establish alerts for:
  - Access violations
  - Suspicious logins
  - Unauthorized access
  - Escalation of privilege
  - Violation of policy
  - Critical system changes
- Reporting and Analytics: Organizations should have powerful reporting and analytics capabilities. The system should support executive reporting on:
  - Compliance statistics
  - Audit logs
  - Risk trends
  - Incident metrics
  - Access review reports
These reports can be used to demonstrate regulatory compliance, to support internal governance, and to give useful insight into security.
Key Metrics CISOs Should Monitor
CISOs should maintain continuous oversight of the following critical security metrics:
- MTTD (Mean Time to Detect)
- MTTR (Mean Time to Respond)
- Patch compliance rate
- MFA adoption rates
- Vendor risk assessment status
- Incident closure rate
- Failed login rate
Monitoring these metrics helps organizations identify weaknesses, enhance the efficiency of their security operations, and strengthen cyber resilience.
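To show how several of these metrics are derived, and how the 24-hour early warning and 72-hour incident notification deadlines from the incident reporting section can be tracked against the same incident records, here is an added Python example. It is not code from the original article or from Lepide; the incident, user and logon records are constructed, the field names are assumptions, and the reporting clock is started from the moment the organization became aware of the incident (the “detected” timestamp).

```python
"""Added example (not part of the original article): MTTD, MTTR, MFA adoption
and failed-login rate from constructed records, plus the status of each
incident's 24h early warning and 72h notification. Records and field names
are assumptions for illustration."""
from datetime import datetime, timedelta
from statistics import mean

# Reporting deadlines as stated in the article, measured from awareness.
EARLY_WARNING_DEADLINE = timedelta(hours=24)
NOTIFICATION_DEADLINE = timedelta(hours=72)

# Constructed incident records (not real): when the incident occurred, when the
# organization became aware of it, when it responded, and when each NIS2
# notification was sent (None = not yet sent).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2026-01-10T02:00", "detected": "2026-01-10T09:00",
     "responded": "2026-01-10T12:00", "early_warning": "2026-01-10T20:00",
     "notification": "2026-01-12T09:00"},
    {"id": "INC-2", "occurred": "2026-02-03T22:00", "detected": "2026-02-05T08:00",
     "responded": "2026-02-05T18:00", "early_warning": "2026-02-06T10:00",
     "notification": None},
]
# Constructed identity and authentication figures (not real).
USERS = [{"name": "alice", "mfa": True}, {"name": "bob", "mfa": True},
         {"name": "carol", "mfa": True}, {"name": "dave", "mfa": False},
         {"name": "erin", "mfa": True}]
LOGON_COUNTS = {"success": 45, "failure": 5}


def _t(value):
    """Parse an ISO timestamp, passing None through for unsent notifications."""
    return datetime.fromisoformat(value) if value else None


def hours_between(start, end):
    return (_t(end) - _t(start)).total_seconds() / 3600


def mean_time_to_detect(incidents):
    """MTTD: average hours from occurrence to awareness."""
    return mean(hours_between(i["occurred"], i["detected"]) for i in incidents)


def mean_time_to_respond(incidents):
    """MTTR: average hours from awareness to response."""
    return mean(hours_between(i["detected"], i["responded"]) for i in incidents)


def reporting_status(incident, now):
    """For each obligation: 'on time' / 'late' if sent, 'pending' / 'overdue' if not."""
    detected = _t(incident["detected"])
    status = {}
    for field, deadline in (("early_warning", EARLY_WARNING_DEADLINE),
                            ("notification", NOTIFICATION_DEADLINE)):
        due = detected + deadline
        sent = _t(incident[field])
        if sent is None:
            status[field] = "overdue" if now > due else "pending"
        else:
            status[field] = "on time" if sent <= due else "late"
    return status


def mfa_adoption_rate(users):
    return 100.0 * sum(1 for u in users if u["mfa"]) / len(users)


def failed_login_rate(counts):
    return 100.0 * counts["failure"] / (counts["success"] + counts["failure"])


def dashboard(now=datetime(2026, 2, 9)):
    """The figures a CISO dashboard would show for the constructed data."""
    return {
        "mttd_hours": mean_time_to_detect(INCIDENTS),
        "mttr_hours": mean_time_to_respond(INCIDENTS),
        "mfa_adoption_pct": mfa_adoption_rate(USERS),
        "failed_login_pct": failed_login_rate(LOGON_COUNTS),
        "reporting": {i["id"]: reporting_status(i, now) for i in INCIDENTS},
    }


if __name__ == "__main__":
    for key, value in dashboard().items():
        print(f"{key}: {value}")
```

In the constructed data INC-2 took 34 hours to detect and its early warning went out two hours after the 24-hour deadline, which is exactly the kind of lag an MTTD trend and a per-incident reporting status are meant to surface before a regulator does.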
Frequently Asked Questions
What does NIS2 change compared with the original NIS Directive?
NIS2 establishes stringent cybersecurity standards, enhances incident reporting requirements, broadens the range of businesses covered, and increases senior management accountability.
Additionally, it introduces enforcement strategies that are more uniform among EU members.
Does NIS2 apply to organizations outside the EU?
Yes. If non-EU organizations operate in key domains specified by the regulation, such as managed service providers, cloud providers, SaaS vendors, and digital infrastructure providers, or offer services within the EU, they may still be subject to NIS2.
Who is accountable for cybersecurity under NIS2?
Senior management is directly accountable under NIS2 for overseeing cybersecurity risk management. Because leadership teams can be held responsible for non-compliance, executive involvement is crucial for security strategy, governance, and policy enforcement.