Nik Zechner

NIS2 Is Here. And Most Companies Are Not Ready for It.

84% of companies that fall under NIS2 are not compliant. The regulation is live, enforcement is active, and fines reach €10 million. Here's what you need to know and do.

NIS2, compliance, EU regulation, cybersecurity

Let me give you a number that should make every executive in Europe uncomfortable.

84% of companies that fall under NIS2 are not compliant. That's not from some random blog. That's from CyberSmart's April 2026 survey of 670 business leaders across eight EU countries. And that number hasn't moved in six months.

So yeah. The regulation is live. Enforcement is active. And the vast majority of companies are still scrambling.

Let me break down what's actually happening, why it matters, and what you should do about it.


What Is NIS2, and Why Should You Care?

NIS2 stands for the Network and Information Security Directive 2. It's the EU's updated cybersecurity law, and it replaces the original NIS Directive from 2016.

The old rules were limited. A handful of sectors, vague requirements, inconsistent enforcement across countries. NIS2 fixes all of that by expanding the scope massively and adding real consequences.

The directive was supposed to be transposed into national law by October 17, 2024. Some countries hit that deadline. A lot didn't. The European Commission sent formal notices to 23 member states in late 2024 for dragging their feet, and escalated to reasoned opinions for 19 countries in May 2025.

But as of 2026, 22 out of 27 member states have completed transposition. Germany's implementation act went live on December 6, 2025. Belgium set its first conformity assessment deadline on April 18, 2026. The Netherlands is in active enforcement.

The message from the EU is clear: the grace period is over.


Who Does NIS2 Apply To?

This is where a lot of companies get surprised. NIS2 doesn't just cover tech companies or critical infrastructure in the traditional sense. The scope is massive.

Essential entities include sectors like energy, transport, healthcare, banking, digital infrastructure, and public administration.

Important entities cover manufacturing, food production, waste management, postal services, chemical production, and more.

The general threshold: if your company has 50+ employees or €10 million+ in annual revenue, and you operate in one of these sectors, you're likely in scope. In Germany alone, roughly 30,000 to 40,000 companies are affected. And here's the kicker: about 80% of them don't even know it yet.

Category     Sectors                                                            Penalty cap
Essential    Energy, transport, healthcare, banking, digital infrastructure,    €10M or 2% global turnover
             water, space, public admin
Important    Manufacturing, food, waste, postal, chemicals, digital services,   €7M or 1.4% global turnover
             research

And the thing is, even if your company isn't directly in scope, you might still be affected through the supply chain. More on that in a second.


The Deadlines You Need to Know

A lot of companies are confused about the timeline because every country implemented NIS2 slightly differently. But here are the key dates that matter right now:

Date           Milestone                                                    Status
Oct 17, 2024   EU-wide transposition deadline                               Passed
Apr 17, 2025   Member states identify essential/important entities          Done
Mar 2026       BSI registration deadline (Germany)                          Passed
Apr 18, 2026   Belgium's first conformity assessment                        Passed
Jun 30, 2026   First formal NIS2 compliance audit for essential entities    Weeks away
Oct 2026       Italy requires full adoption of security measures            Upcoming

This is not a future problem. This is a right-now problem.


What NIS2 Actually Requires

Let's get into the specifics. NIS2 isn't just a checkbox exercise. It demands real, operational changes across your entire organization.

Risk Management

You need a structured, documented approach to cybersecurity risk management. That includes regular risk assessments, policies for handling identified risks, and corrective action plans. Not a PDF you wrote two years ago that sits on a shared drive. Living, breathing processes.

Incident Reporting

This is the one that catches a lot of companies off guard. If you experience a significant cyber incident, you have 24 hours to submit an early warning to your national authority. Not a week. Not when you've figured out what happened. 24 hours.

After that, you need to provide a full incident notification within 72 hours and a detailed final report within one month. This requires incident response capabilities that most mid-sized companies simply don't have in place.

NIS2 Incident Reporting Timeline
─────────────────────────────────────────────────

 Incident          24h              72h             1 month
    ●───────────────●────────────────●────────────────●
    │               │                │                │
 Detected    Early Warning     Full Notification  Final Report
             to authority      with impact &      with root cause,
                               initial assessment  remediation &
                                                   lessons learned

Supply Chain Security

Article 21(2)(d) of NIS2 requires regulated companies to ensure the security of their entire supply chain. That means you're not just responsible for your own systems. You have to prove that your vendors and suppliers meet certain security standards too.

Here's a real-world example: A stamping company with 40 employees and €8 million in revenue doesn't fall directly under NIS2. But they supply components to a large automobile manufacturer that does. That manufacturer now needs to verify their suppliers aren't security weak points. So the small supplier gets new contract terms requiring NIS2-level compliance anyway.

NIS2 acts like a ripple effect. Millions of organizations within and outside the EU will need to comply as suppliers, even if they're not directly regulated.

Business Continuity

You need documented business continuity and disaster recovery plans. And they need to be tested. Regularly. Not just on paper.

Governance and Training

Management must approve and oversee cybersecurity risk management measures. And there's a mandatory cybersecurity training requirement for executives. You can't delegate this to IT and forget about it.


Personal Liability for Executives

This is the part that should get every CEO, CTO, and board member's attention.

Under NIS2, senior executives can be held personally liable for failures to implement adequate cybersecurity measures. Not the company. You personally.

In cases of gross negligence, regulators can impose administrative fines on individual executives, take legal action, or even temporarily ban them from management functions.

This is the single biggest shift in NIS2 compared to the old directive. Cybersecurity is no longer an IT department problem. It's a boardroom problem.

If something goes wrong and you can't prove you took it seriously, your personal career is on the line.


The Penalties

Let's talk numbers.

For essential entities, fines can go up to €10 million or 2% of global annual turnover, whichever is higher. For important entities, it's up to €7 million or 1.4% of global annual turnover.

And it's not just fines. Supervisory authorities can issue binding instructions, mandate audits, and publicly disclose violations. The reputational damage can be worse than the fine itself.

For companies operating in both the EU and the UK, there's a double layer of complexity. The UK's Cyber Security and Resilience Bill introduces even steeper penalties: up to £17 million or 4% of global turnover for serious failures, plus daily fines of up to £100,000 for ongoing non-compliance.

Maximum Penalty Comparison
──────────────────────────────────────────

NIS2 (Essential)    ████████████████████  €10M / 2%
NIS2 (Important)    ██████████████        €7M  / 1.4%
UK CSR Bill         ████████████████████████████  £17M / 4%
GDPR                ████████████████████████████  €20M / 4%

Why 84% of Companies Are Still Not Ready

The number from the CyberSmart survey is striking, but it's not surprising when you look at the reasons.

Complexity across borders. Every EU member state implemented NIS2 slightly differently. If you operate in multiple countries, you're dealing with multiple interpretations, timelines, and registration processes. That's a compliance headache for any organization.

Underestimating the scope. A lot of companies assumed NIS2 was for banks and energy providers. They didn't realize it now covers manufacturing, food, waste management, and digital services. By the time they figured out they were in scope, they'd already lost months.

It's not just a tech problem. NIS2 compliance requires coordination across IT, security, legal, compliance, procurement, and executive leadership. Most organizations don't have a clear owner for that cross-functional effort.

Waiting for clarity. Some companies adopted a "wait and see" approach, hoping national regulators would provide more guidance before enforcement started. That strategy backfired. Enforcement is happening now, and the guidance that exists is basically: comply or face consequences.


What You Should Do Right Now

If you're reading this and thinking "we're not ready," here's a practical starting point. No fluff, just the steps that matter.

1. Figure out if you're in scope. Check your sector, employee count, and revenue against the NIS2 thresholds. Don't forget the supply chain angle. Even if you're not directly covered, your customers might require you to comply.

2. Register with your national authority. In most countries, registration should already be complete. If you haven't done it, do it now. In Germany, that's the BSI. Check your country's NIS2 implementation for specifics.

3. Run a gap analysis. Compare your current cybersecurity posture against NIS2 requirements. Where are the holes? Focus on risk management processes, incident response capabilities, supply chain oversight, and governance structures.

4. Get leadership involved. This can't be an IT-only initiative. Brief your board and executive team on their personal liability under NIS2. That tends to get attention fast.

5. Build your incident response capability. The 24-hour reporting window is non-negotiable. You need processes, contacts, and templates ready before an incident happens. Scrambling after a breach is too late.

6. Address supply chain risk. Start conversations with your key suppliers about their security posture. Document everything. If they can't demonstrate adequate security, you need a plan for that.

7. Prepare for the June 2026 audit. If you're classified as an essential entity, the first formal compliance audit target is June 30, 2026. That's weeks away. If you haven't started preparing, you need to move fast.

NIS2 Compliance Checklist
─────────────────────────────────────────

[ ] Determine if your organization is in scope
[ ] Register with national authority (e.g. BSI)
[ ] Complete cybersecurity risk assessment
[ ] Document risk management policies
[ ] Establish 24h incident reporting process
[ ] Audit supply chain security posture
[ ] Create business continuity & DR plans
[ ] Conduct executive cybersecurity training
[ ] Assign cross-functional compliance owner
[ ] Schedule first formal compliance audit

The Bottom Line

NIS2 is not another regulation you can quietly ignore until someone forces your hand. Enforcement is live in Germany, France, the Netherlands, and Belgium. Audits are happening. Fines are being applied.

And the scope is wider than most people realize. Even companies that think they're outside NIS2's reach are getting pulled in through supply chain requirements.

The 84% non-compliance rate tells you something important: most companies treated this as a future problem. It's not. It's today's problem. And the companies that act now will have a massive competitive advantage over those that keep waiting.

For sure, compliance is hard. It takes time, budget, and cross-functional coordination. But the alternative — €10 million fines, personal liability for executives, public disclosure of violations, and losing customers who need compliant suppliers — is a lot harder.

The clock is ticking. And it's not going to stop.


Not sure where your company stands with NIS2? Book a free 20-minute consultation — we'll help you figure out your scope, identify the gaps, and build a realistic compliance roadmap.

Frequently Asked Questions

What is NIS2?

NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity law that replaces the original NIS Directive from 2016. It massively expands the scope of regulated sectors, adds strict incident reporting timelines (24 hours for initial notification), and introduces personal liability for executives.

Who does NIS2 apply to?

NIS2 applies to organizations with 50+ employees or €10M+ annual revenue operating in covered sectors. Essential entities include energy, transport, healthcare, banking, and digital infrastructure. Important entities cover manufacturing, food, waste management, postal services, and chemicals. Supply chain requirements also pull in smaller companies that serve regulated customers.

What are the penalties for NIS2 non-compliance?

Essential entities face fines up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4% of turnover. Beyond fines, regulators can mandate audits, issue binding instructions, publicly disclose violations, and hold individual executives personally liable.

What does NIS2 require for incident reporting?

You must submit an early warning to your national authority within 24 hours of detecting a significant incident. A full incident notification with impact assessment is due within 72 hours, and a detailed final report with root cause analysis and lessons learned is due within one month.

Can executives be personally liable under NIS2?

Yes. Senior executives can be held personally liable for failures to implement adequate cybersecurity measures. Regulators can impose administrative fines on individuals, take legal action, or temporarily ban executives from management functions in cases of gross negligence.

