What the NIS2 Directive means for your business
Cyber Article, March 17, 2026
As the EU continues to strengthen the region’s cyber security resilience, it is widening the scope of key regulation and putting the spotlight on risk management, supply chains and board accountability.
The European Union’s Network and Information Security (NIS) Directive 2 marks a significant step change in the EU’s cyber security strategy, and will place new reporting, governance and risk management demands on corporations.
European companies are subject to the highest number of cyber attacks globally, according to a Commercial Risk webinar, sponsored by Zurich and moderated by Tony Dowding, Editor of Global Risk Manager. February 2026 data from Safe Security, Inc. shows that over 40% of organizations are subjected annually to a cyber attack – ahead of the US at 31% and the UK at 12%.
With the cyber threat landscape showing no signs of abating, the purpose of the updated NIS legislation is to further strengthen the region’s cyber resilience by increasing the number of organizations affected and embedding a risk-based approach to cyber security.
What is changing
Under the original NIS Directive, the focus was primarily on operators of essential services and certain digital service providers. NIS2 widens that net considerably, according to Andreas Schmitt, Global Head of Cyber at Zurich Insurance. It now covers 18 sectors, spanning energy, transport and health to manufacturing, food production, waste management and digital services.
The threshold for inclusion has also shifted. Organizations with more than 50 employees or annual turnover of €10 million or more could fall within scope, meaning that many mid-sized companies will now be directly subject to the regime.
NIS2 also introduces a clear distinction between ‘essential’ and ‘important’ entities. Essential entities include sectors such as healthcare, energy and transport, where disruption could have immediate and serious societal impact. Important entities include areas such as manufacturing and certain digital services.
The distinction matters, noted Schmitt: essential entities face more intensive supervisory oversight and, in some cases, more stringent enforcement action.
For essential entities, fines can reach up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover.
Governance scrutiny: from reporting to accountability
Governance expectations are heightened considerably under NIS2, the webinar heard. The Directive adopts a holistic, risk-based approach as it moves cyber security from being a pure IT issue to a core business risk.
Underscoring this approach, it states explicitly that accountability for cyber risk sits at the board level, and senior management can be held responsible for failures to comply.
“The real question is not, do we have the right control in place but who is accountable, who is taking the decisions and what are the decisions that have been taken?” observed Francois Beaume, SVP, Risk & Insurance, at Sonepar.
“In that sense, it is, I think, more of a governance stress test than a pure technical Directive,” he added.
Incident reporting timelines have also been tightened. Entities must provide an early warning to the relevant authority within 24 hours of becoming aware of a significant incident, followed by a more detailed notification within 72 hours and a final report within one month.
Supply chain under the spotlight
One of the core objectives of NIS2 is improving cyber resilience within supply chains, reflecting the growing recognition that cyber risk often enters through interconnected partners and that an attack on one supplier can impact multiple organizations and sectors.
Companies will be expected to risk assess their supply chain and have a clear understanding of key dependencies, vulnerabilities and cyber maturity, said Vivien Bilquez, Global Head of Cyber Resilience at Zurich Resilience Solutions. Third party due diligence must be demonstrated, and contract wordings should reflect the necessary cyber standards and incident reporting requirements.
The new Directive also gives weight to continuously monitoring the threat landscape within the supply chain and having well-rehearsed business continuity plans in the event of a third-party cyber incident.
Artificial intelligence will become a key tool for compliance, advised Bilquez: “We need to move from a manual audit to automated assurance, especially the use of AI,” he said.
How to demonstrate a risk-based approach
Achieving supply chain cyber resilience presents several challenges, the webinar heard. Some multinationals have over 70,000 suppliers in their network, and mapping and scrutinizing second-, third- and fourth-tier suppliers is a complex undertaking, noted Bilquez.
Furthermore, information about suppliers’ cyber resilience is not always accessible. The right to audit may not be included within the existing contract, for example, or there may not be a contract in place at all. For some suppliers, questionnaires may be too burdensome or not practical.
Bilquez advises companies to break down the challenge by classifying suppliers as a high, medium or low cyber risk based on key risk indicators.
For non-critical partners, lighter-touch assessments such as an outside-in scan may be sufficient. As the level of criticality increases, organizations should move towards more detailed reviews, including scrutiny of internal documentation and structured questionnaires.
Suppliers that hold critical information, sensitive data or have direct access to IT infrastructure are high risk and demand greater scrutiny and more robust processes.
For these suppliers, a comprehensive cyber risk maturity assessment is advisable, potentially incorporating penetration testing and cyber risk quantification to provide a deeper understanding of exposure.
“The evidence required will scale with criticality,” agreed Beaume. The Directive doesn’t prescribe an extensive list of mandatory controls, he added, but rather it demands evidence of a risk-based approach: “It’s about demonstrating due diligence and structural oversight in a much more organised manner.”
Regulatory harmonization
NIS2 sits within a broader suite of cyber-related regulation within the EU, including the Cyber Resilience Act, Cyber Security Act, GDPR and DORA. Many entities fall under the scope of more than one, leading to burdensome and unaligned reporting requirements, said Schmitt.
The Omnibus proposal, put forward by the EU in 2025, aims to harmonize the different regimes, an outcome Zurich is actively supporting:
“Our call for action and our strong recommendation is for harmonization in two directions,” Schmitt said. “One is the incident reporting towards just one single entry point and [the second] is a clear harmonization of templates.”
However, meaningful harmonization is unlikely until 2027 or 2028, he stressed.
Closing resilience gaps: a holistic approach
Most EU member states have now transposed NIS2 into national law. The remaining jurisdictions are expected to complete implementation in the near future.
Businesses operating across the EU should take steps immediately to assess compliance, tighten controls and deepen resilience where needed.
Resilience gaps commonly observed by Zurich include slow detection and response processes, unvalidated controls and untested crisis management plans. In addition, many businesses are not giving adequate attention to mapping operational technology exposures – a key pillar of cyber resilience.
Zurich supports its customers in addressing these gaps and meeting NIS2 requirements. It provides a “holistic approach” to compliance, noted Schmitt, helping customers to identify and assess vulnerabilities across their supply chain, quantify their exposures and access real-time monitoring services.
For businesses in scope, the question is no longer whether action is required, but whether existing governance, reporting processes and third-party controls are robust enough to withstand regulatory scrutiny.
Those that treat NIS2 as an opportunity to strengthen operational resilience, rather than a box-ticking obligation, will be better positioned to manage both the regulatory risk and the evolving threat landscape.