Are You NIS 2 Ready? Compliance Essentials for 2025

Stay compliant with NIS2 cybersecurity rules by understanding key requirements, timelines, gap analysis steps, and actions essential entities must take for 2025.

Accorp Compliance Team

Our team of compliance experts specializes in PCI DSS, SOC 2, and other security frameworks to help businesses achieve and maintain compliance.

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's revamped cybersecurity framework, designed to address evolving threats and improve cyber resilience across all Member States. As of 18 October 2024, all EU countries are expected to enforce national laws aligning with NIS2, ushering in a new era of stringent NIS2 cybersecurity obligations.

With NIS2 now in effect, NIS2 essential entities face new responsibilities, stricter reporting obligations, and possible penalties for non-compliance. But how does NIS2 differ from other cybersecurity legislation like DORA, the Cyber Resilience Act, or the recently introduced Cyber Solidarity Act? And what should businesses do to prepare?


What is NIS2?

Replacing the original 2016 NIS Directive, NIS2 enhances the EU's ability to prevent, detect, and respond to cyber incidents. NIS2 broadens the scope of the original directive to include critical sectors such as:

  • Cloud computing service providers

  • Managed service and security service providers

  • Data centres

  • Online marketplaces

  • DNS service providers and TLD registries

  • Social media platforms and online search engines

  • Trust service providers

Entities falling under these categories must now comply with uniform NIS2 requirements covering risk management, incident reporting, and governance.



Key Requirements Under the NIS2 Regulation

Organisations classified as “essential” or “important” must implement technical, operational, and organisational measures to mitigate cybersecurity risks. Core NIS2 requirements include:

  • Risk analysis and information system security policies

  • Incident handling procedures and mandatory reporting timelines

  • Business continuity and crisis management plans

  • NIS2 supply chain security measures for vendors and subcontractors

  • Encryption, multi-factor authentication, and access controls

  • Policies and procedures for evaluating effectiveness and evidence retention

The Commission Implementing Regulation (EU) 2024/2690 provides detailed rules on how entities should meet these obligations.


NIS2 Directive Timeline: Key Milestones

Understanding the NIS2 directive timeline is essential for organisations preparing for compliance:

  • 17 October 2024: Deadline for Member States to transpose NIS2 into national law

  • 18 October 2024: Enforcement begins across the EU

  • 7 November 2024: ENISA launches public consultation on technical guidance

  • 2025: Full implementation, compliance checks, and national audits begin

Many countries experienced delays in transposition, creating potential unevenness in readiness across sectors.

Why a NIS2 Gap Analysis Matters

Because the NIS2 scope is broader than the original directive, organisations should conduct an NIS2 gap analysis to identify compliance shortfalls. A good gap analysis evaluates:

  • Current cybersecurity posture vs. NIS2 framework expectations

  • Incident response maturity and reporting workflows

  • Resource, staffing, and tooling adequacy for sustained NIS2 compliance

  • Third-party and supply-chain controls for NIS2 supply chain security

  • Interactions with other regulations like DORA, CRA, or the Cyber Solidarity Act

A targeted NIS2 gap analysis helps prioritise remediation work and align policies to the regulation’s specific requirements.


NIS2 vs. Other EU Cybersecurity Regulations

NIS2 vs. Cyber Solidarity Act - NIS2 focuses on organisational preparedness and reporting, while the Cyber Solidarity Act establishes EU-level emergency mechanisms for cross-border incident response.

NIS2 vs. DORA - DORA is sector-specific (financial services) and functions as lex specialis for that sector; NIS2 applies broadly across essential sectors. Entities in the financial sector may need to comply with both DORA and NIS2 cybersecurity obligations.

NIS2 vs. Cyber Resilience Act - CRA targets product security requirements for hardware and software; NIS2 is operational and governance-focused. Together, these form a layered NIS2 framework for resilience.


ENISA’s Technical Guidance & Practical Steps

ENISA’s draft guidance clarifies definitions, evidence requirements, and mappings to standards like ISO/IEC 27001. Key recommended actions for businesses:

  1. Determine whether you are an NIS2 essential entity or an “important” entity under the NIS2 scope.

  2. Conduct a comprehensive NIS2 gap analysis.

  3. Update incident reporting processes to meet strict timelines.

  4. Implement NIS2 supply chain security checks and contractual clauses.

  5. Strengthen logging, monitoring, and business-continuity processes in line with the NIS2 framework.


Next Steps for Businesses

To stay compliant in 2025, organisations should:

  • Identify if they fall under NIS2 essential entities or important entities.

  • Perform a formal NIS2 gap analysis and remediation roadmap.

  • Align internal policies with ENISA guidance and the NIS 2 regulation.

  • Establish incident reporting and response playbooks to meet regulatory timelines.

  • Integrate NIS2 compliance efforts with related frameworks (DORA, CRA) where applicable.

Failing to comply can lead to administrative fines, reputational damage, and restrictions—so early, focused action is critical.



Final Thoughts

The NIS2 Directive marks a major shift in EU cybersecurity policy. By expanding scope, tightening NIS2 requirements, and emphasising supply-chain resilience, it raises the bar for organisational security and accountability. Through a structured NIS2 gap analysis, alignment with the NIS2 framework, and implementation of robust NIS2 cybersecurity practices, organisations can proactively strengthen resilience and meet the demands of 2025 and beyond.

