Ramón Lotz

Sep 24, 2025

NIS2: The EU's toughest security crackdown since GDPR

With NIS2, the EU raises the bar on cybersecurity: tighter deadlines, expanded scope, and personal liability for executives. The question is: are you ready to prove your resilience, or will you scramble once regulators come knocking?

Back in 2018, the General Data Protection Regulation arrived like a storm. Overnight, companies had to rethink how they collected, stored, and shared personal data. Privacy notices popped up on every website, executives scrambled to understand their new obligations, and many organizations realized too late how unprepared they really were.

Now, history is repeating itself. The European Union introduced NIS2, a directive that raises the stakes for digital security across the continent. If GDPR was about protecting the rights of individuals, NIS2 is about protecting the resilience of our digital society. And just like GDPR, it will separate those who act early from those who scramble under pressure.

Why NIS2 matters

Unlike the first NIS Directive, which had limited reach, NIS2 significantly broadens the scope. Medium and large organizations across 18 sectors are included, from energy and healthcare to finance, transport, and digital providers. For many companies that never considered themselves “critical infrastructure,” this will be a wake-up call.

The most striking shift is that leadership is now personally accountable. Executives must oversee cybersecurity measures, approve risk management plans, and ensure their organizations can withstand incidents. Failure to do so can result in hefty fines, but more importantly, reputational damage that is difficult to repair.

NIS2 also enforces some of the tightest incident reporting deadlines we have ever seen. A first warning must be sent within 24 hours, a detailed incident notification within 72 hours, and a final report within one month. Compare that with GDPR’s 72-hour reporting window for data breaches and you can see how much higher the bar has been set.

The identity connection

One of the key lessons of the last decade is that most security incidents begin with a compromised identity. Whether it is a stolen password, an abused administrator account, or an insecure third-party integration, identity has become the primary attack vector.

GDPR forced organizations to think about who owns personal data. NIS2 forces us to think about who has access to the systems that keep our businesses running. The directive explicitly mentions multi-factor authentication and access control as mandatory measures. In practice, this means organizations that have not yet enforced strong identity security are already behind.

A practical identity-first approach to NIS2 looks like this:

  • Multi-factor authentication everywhere, preferably phishing-resistant methods such as FIDO2 security keys or passkeys.

  • Conditional access policies that enforce device compliance, block risky sign-ins, and eliminate legacy authentication.

  • Privileged Identity Management so no administrator account has standing rights.

  • Regular access reviews that catch dormant accounts and unnecessary permissions.

Lessons from GDPR

GDPR was often reduced to paperwork. Privacy policies were rewritten, cookie banners were deployed, and compliance binders were created. But for many, it was more about looking compliant than being truly privacy-conscious.

NIS2 is different. Paperwork alone will not be enough. The emphasis is on operational readiness. Regulators expect you to prove that your systems can withstand and recover from cyber incidents. That means evidence packs with policies and logs, but also drills, playbooks, and tested procedures.

In other words, while GDPR reshaped corporate communication, NIS2 will reshape corporate operations.

The supply chain challenge

Just as GDPR extended accountability to processors and subcontractors, NIS2 extends accountability into the supply chain. If your managed service provider, your cloud vendor, or your software supplier fails, you remain responsible.

This makes supplier risk management essential. Contracts must include security requirements, audits must be carried out, and you should demand tangible evidence from critical suppliers. In practice, this means verifying secure development practices, patch management, and the ability to cooperate in forensic investigations.

Building resilience in 90 days

Waiting for national legislation is a mistake. The EU directive is already binding, and the expectations are clear. If GDPR taught us anything, it is that deadlines arrive quickly and excuses do not protect you.

Here is how to make progress in 90 days:

First month: Define whether your organization falls under NIS2, brief executives on their personal responsibilities, and run a gap assessment against the directive.

Second month: Achieve complete MFA coverage, roll out baseline conditional access, and implement privileged identity management for administrator roles. Finalize your incident response playbooks and confirm contact points with regulators.

Third month: Review critical suppliers, add contractual security clauses, and start collecting evidence of compliance. Deliver cybersecurity training to executives and record it as proof of governance.
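The identity-first checklist above and the second-month milestones are the parts of the plan you can measure. As an added example (not from the post or any product), the script below runs those checks over a constructed user inventory and sign-in export and returns the numbers an evidence pack would cite: MFA coverage, MFA that is not phishing-resistant, administrators with standing rather than just-in-time rights, dormant accounts, and legacy-authentication sign-ins. The field names, the 90-day dormancy threshold and the list of modern client types are assumptions.

```python
# Identity-control gap check for a NIS2 evidence pack (added example, not from the post).
# Field names and the dormant threshold are assumptions, not a specific product's export.
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 24, tzinfo=timezone.utc)  # assumed report date
DORMANT_AFTER = timedelta(days=90)               # assumed access-review threshold
PHISHING_RESISTANT = {"fido2", "passkey"}
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}  # anything else = legacy auth
# Constructed sample inventory. admin_assignment: "permanent" (standing rights),
# "eligible" (just-in-time via PIM) or None.
USERS = [
    {"upn": "alice@example.test", "mfa": ["fido2"], "admin_assignment": "eligible",
     "last_sign_in": NOW - timedelta(days=1)},
    {"upn": "bob@example.test", "mfa": ["sms"], "admin_assignment": "permanent",
     "last_sign_in": NOW - timedelta(days=3)},
    {"upn": "carol@example.test", "mfa": [], "admin_assignment": None,
     "last_sign_in": NOW - timedelta(days=120)},
    {"upn": "svc-backup@example.test", "mfa": [], "admin_assignment": None,
     "last_sign_in": None},
]
# Constructed sign-in export: the client app reveals legacy protocols.
SIGN_INS = [
    {"upn": "bob@example.test", "client_app": "Browser"},
    {"upn": "svc-backup@example.test", "client_app": "IMAP4"},
    {"upn": "carol@example.test", "client_app": "Exchange ActiveSync"},
]


def identity_gap_report(users=USERS, sign_ins=SIGN_INS, now=NOW):
    """Findings for the four checklist items: MFA, conditional access, PIM, reviews."""
    no_mfa = [u["upn"] for u in users if not u["mfa"]]
    # MFA present but no phishing-resistant method (SMS, OTP apps ...)
    weak_mfa = [u["upn"] for u in users
                if u["mfa"] and not set(u["mfa"]) & PHISHING_RESISTANT]
    standing_admins = [u["upn"] for u in users if u["admin_assignment"] == "permanent"]
    dormant = [u["upn"] for u in users
               if u["last_sign_in"] is None or now - u["last_sign_in"] > DORMANT_AFTER]
    legacy_auth = sorted({s["upn"] for s in sign_ins
                          if s["client_app"] not in MODERN_CLIENTS})
    covered = len(users) - len(no_mfa)
    return {"mfa_coverage_pct": round(100 * covered / len(users), 1),
            "no_mfa": no_mfa, "weak_mfa": weak_mfa,
            "standing_admins": standing_admins, "dormant": dormant,
            "legacy_auth": legacy_auth}


if __name__ == "__main__":
    for finding, value in identity_gap_report().items():
        print(f"{finding}: {value}")
```

Re-running the same check each month and filing the output alongside the policies gives the audit trail that the "common mistakes" section says technology-only projects lack.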

Common mistakes to avoid

Some organizations are tempted to wait for national guidance. That is risky. The EU’s requirements are already public and they will not disappear. Others focus too much on technology without building a proper audit trail. Evidence is essential. Still others implement weak forms of multi-factor authentication or rely solely on supplier self-attestations. None of that will satisfy regulators in the long run.

The bigger picture

NIS2 is not just another compliance project. It is the next stage in Europe’s push to build digital trust. GDPR reshaped how we handle personal data. NIS2 will reshape how we secure identities, systems, and supply chains.

The organizations that thrive will not be those that treat NIS2 as a burden. They will be the ones that embrace it as a chance to modernize security practices, strengthen resilience, and demonstrate trustworthiness to customers and regulators alike.

In the end, NIS2 is about more than avoiding fines. It is about proving that your business can take a hit and keep going. And in today’s threat landscape, that is not just compliance. That is survival.