The NIS 2 directive isn’t coming, it’s already knocking on your firewall. The rules apply, the expectations are clear, and EU businesses are officially being held accountable. If you’re not up to speed yet, this is your sign to stop snoozing. Let’s break down what NIS 2 means, who needs to care, and how to stay compliant without losing sleep (or uptime).
Quick refresher: what was NIS 1?
NIS 1 was the EU’s first real attempt to align cybersecurity across member states. It focused on providers of essential services (like energy, transport, and healthcare) and certain digital service providers (like cloud platforms and online marketplaces).
The main deal? Have essential cybersecurity in place and report serious incidents. Not rocket science, but a solid first step.
How NIS 2 changes the game
NIS 2 takes things further. It covers more sectors, demands stricter controls, and introduces real consequences for non-compliance. Here’s what’s different:
- More sectors included: Manufacturing, public administration, more digital stuff. If it moves or processes data, it’s probably in.
- Stricter requirements: Organisations are expected to manage risks proactively, respond quickly to incidents, and implement concrete policies.
- Uniform rules across the EU: Less room for vague or creative interpretations.
- Enforcement and penalties: Not complying could cost you more than just sleep, like severe financial and reputational damage.
Does NIS 2 apply to you?
If your organisation operates in sectors like energy, transport, healthcare, digital infrastructure, manufacturing, or public services, chances are NIS 2 applies to you.
Not 100% sure? Check with your national cybersecurity authority. They typically publish sector lists and guidance to help you determine your status. Belgians can check the official NIS 2 overview from the Belgian Centre for Cybersecurity (CCB). It includes a list of affected sectors and practical guidance.
Here’s what NIS 2 compliance means in practice
Short version: know your risks, protect your assets, react fast when things go sideways. Long version:
1. Risk management
You need a clear, structured view of your cybersecurity risks — including risks in your supply chain.
2. Security measures
You’re expected to implement a range of both technical and organisational measures:
- Security policies and governance
- Incident detection and response
- Business continuity and disaster recovery
- Network and system protection
- Supplier risk management
- Regular testing and evaluations
3. Incident reporting
Significant incidents must be reported to the relevant authorities — fast. NIS 2 sets strict timelines and procedures for this.
4. Oversight and accountability
Supervisory authorities have the power to audit, investigate, and impose penalties. Being non-compliant isn’t just a theoretical risk.
Who you gonna call?
Not Ghostbusters. But you will need a mix of brains on deck to meet NIS 2 requirements.
Internally:
- Cybersecurity experts who understand the risks
- IT teams who know their way around logs and patches
- Legal folks who can decode EU directives
- Management to drive cybersecurity from the top
- Awareness training so all employees understand their role
Externally:
- Consultants with NIS 2 implementation experience (spoiler: we have those)
- Specialised legal advisors for sector-specific questions
- Tech partners with tools that actually work and don’t require 6-day onboarding rituals
What should you be doing right now?
If you haven’t yet fully addressed NIS 2, here are the steps to focus on:
- Conduct a detailed risk assessment
- Review and update your cybersecurity policies
- Ensure you have appropriate technical and organisational measures in place
- Set up a solid incident response plan
- Provide security awareness training for staff
- Monitor and improve continuously, because attackers don’t take coffee breaks
Need support?
Need experienced consultants to help you get compliant or fill gaps in your team? Ravio provides hands-on experts who can jump in and make progress fast. Get in touch, we’ll get you sorted.