
The NIS 2 Directive is already in force – and most organisations are still not prepared

A turning point in risk management, cybersecurity and incident reporting for essential, important and critical sectors.

The NIS 2 Directive (EU 2022/2555) is already in force across the European Union, and most affected organisations are still not prepared. This is not just “another European directive”.
It is a real turning point in the way important, essential and critical sectors (alongside the CER Directive, EU 2022/2557) must deal with cybersecurity, risk management and incident reporting. If your organisation operates in sectors such as energy, transport, healthcare, finance or digital services, or provides services to essential entities, this article is mandatory reading.

What is NIS 2?

NIS 2 replaces the previous NIS Directive (2016/1148) and establishes stricter and broader rules to ensure the security of network and information systems in the EU.

Its main objectives include:

  • Reducing security disparities between Member States
  • Strengthening the resilience of essential and digital sectors
  • Creating a common approach to risk and incident management and reporting

What changed in practice?

1. More sectors included
NIS 2 now applies to many more areas — including digital services, food, chemicals, waste, postal services, and drinking water management.

2. More entities covered
The rule is now: if your organisation is essential to the functioning of society or the economy, it is included.
It does not matter whether the organisation is public or private. What matters is the impact if it stopped operating.

3. Responsibilities of top management
Members of management may be held personally accountable for failing to implement appropriate cybersecurity measures.

4. Mandatory incident reporting
Organisations must:

  • Notify critical incidents within 24 hours of detection.
  • Update information within 72 hours.
  • Submit a final report within 1 month.

5. Supervision, fines and sanctions
National regulators now have stronger audit and enforcement powers.
Fines can reach millions of euros — and reputation… well, that may never recover.

What organisations should do now

Identify whether they are in scope
Consult the list of sectors and entity types included. National legislation (such as the Cybersecurity Law in Portugal) already sets out the criteria.

Assess the current level of maturity

  • Does the organisation have a formal cybersecurity policy?
  • Is there a systematic approach to ICT risk management?
  • Is the organisation prepared to report incidents in less than 24 hours?

Implement technical and organisational controls
The minimum security requirements set out in Article 21 of the Directive must be met, such as:

  • Risk management
  • Incident management
  • Business continuity
  • Supply chain security
  • Cyber hygiene and training
  • Cryptography, access control and other requirements

Appoint responsible parties and create clear governance
Define who leads, who executes and who approves security measures.
Responsibility must be visible, traceable and effective.

Preparation requires more than “reading the Directive”

The practical application of NIS 2 requires:

  • Specialised training
  • Incident response simulations
  • Internal audits
  • Updating policies and procedures, and ensuring tested continuity plans

How Behaviour can help

We specialise in training professionals and teams to lead implementation, audit and compliance with NIS 2:

These courses are not just technical. They are designed for those who lead, decide, implement and respond.

NIS 2 is already in force. Supervision has already begun. And your organisation? Preparing is not an option. It is a legal, ethical and strategic responsibility.

What is at stake is not only compliance. It is the continuity of your business, the trust of your customers and the future of the organisation’s reputation.

Author: Behaviour
Published on: 22 October 2025
Copying or reproducing this article is not authorised.


Last Modified: April 6, 2026