Why NIS2 Is More Than a Compliance Mandate

Only 3% of companies are fully compliant with the upcoming NIS2 Directive that came into effect in 2024. Discover the key challenges and what organizations need to do to navigate the path to compliance.

The Network and Information Security Directive 2 (NIS2) will take effect in the national legislation of EU member states in 2025. The directive requires businesses to comply with expanded cybersecurity regulations, including risk management, incident reporting, executive accountability, and stronger supply chain protections for essential sectors.


NIS2 is not just another regulatory obligation. It is a direct response to the rising threat landscape that is reshaping how businesses must protect their digital infrastructure. At its core, NIS2 is a cybersecurity initiative that places security, resilience, and risk accountability at the center of business operations.


This article explores cybersecurity as the foundation of NIS2 and what organizations must do to meet its demands despite persistent resource, talent, and structural challenges.


Challenges along the journey to NIS2 compliance

While many organizations are striving to meet NIS2 implementation deadlines, progress remains slow. According to IT in Practice 2024, only 3% of companies are currently fully compliant. Although 81% anticipate meeting national deadlines, 12% expect to fall short.

Making compliance even more challenging, the 2024 ISC2 Cybersecurity Workforce Study reveals that economic conditions have significantly impacted the workforce, leading to both talent shortages and skills gaps at a time when the need has never been greater.

According to IT in Practice 2024, although cybersecurity is a top priority, only 59% of organizations believe they have sufficient cybersecurity skills and resources in place today. The report highlights that many companies have spent the past year identifying and documenting their IT infrastructure, policies, and business process dependencies, uncovering structural weaknesses that hinder compliance efforts.


Cybersecurity, the root of NIS2 compliance

The NIS2 directive is a direct response to the rising volume and severity of cyberattacks across Europe and globally. According to IT in Practice 2024, cybersecurity has become the highest strategic priority ever recorded, with 93% of CxOs identifying it as a critical focus. Yet, despite this prioritization, most companies still struggle with fundamental cybersecurity maturity, which is the root challenge that NIS2 is designed to address.

The NIS2 directive aims to enhance cyber resilience through key mandates, including:

●    Stronger risk management and governance frameworks

●    Supply chain security compliance to reduce vulnerabilities

●    Incident response and reporting requirements

●    Senior management accountability for cybersecurity failures

Robust cybersecurity practices are essential for NIS2 compliance, including IT governance, security monitoring, and supply chain protections. These are not just checkboxes but form the foundation of the directive’s entire framework.

While compliance with NIS2 is essential, it’s only part of the picture. The real-world threat landscape continues to intensify, with cyberattacks growing more frequent, sophisticated, and damaging.

Preparing for Cybersecurity Incidents

IT in Practice 2024 indicates that 10% of organizations experienced a major cybersecurity incident in the past year that impacted their business or users. Experts believe the true number may be even higher, as many organizations underreport security incidents, even in anonymous surveys, to protect their reputation and avoid scrutiny. According to IT in Practice 2024:

●    81% of companies now plan with the assumption that security breaches will happen eventually

●    62% have cybersecurity action plans detailing how to respond to a major cybersecurity incident

●    56% follow zero trust security principles in their IT setup, which is a significant increase from previous years

Many companies still lack experience handling real cyber threats despite these preparations. Desktop planning exercises are common, but cybersecurity experts emphasize the importance of simulated breaches and real-world role-playing. A well-documented plan alone is not enough. Teams need practical crisis response training to react quickly and effectively when an attack happens.

Bridging the talent gap

Organizations need to find creative ways to strengthen their teams, considering cybersecurity hiring is at a standstill in many companies. Here are some potential strategies to consider:

Upskilling Internal Teams
Investing in cybersecurity training and certifications can transform existing employees into skilled defenders.

Leveraging AI and Automation
Cybersecurity professionals are increasingly turning to AI, particularly generative AI (Gen AI), to help them drive transformation, cope with demand, and shape strategic decisions within their organizations.

Promoting Cybersecurity as a Brand Asset
A strong security-first culture helps companies attract and retain top talent while also boosting customer confidence.

Turning Compliance into a Competitive Edge

The sharp rise in cyber incidents has elevated cybersecurity from a technical function to a business survival issue. Organizations that view compliance as an investment rather than a burden will be better positioned to earn stakeholder trust, maintain operations, and drive long-term growth. Even so, many companies remain reluctant to invest in compliance-related projects, viewing them as check-the-box exercises. But cybersecurity initiatives tied to NIS2 should not be seen as costs; they are fundamental protections for business continuity, operational resilience, and brand reputation.

Investing in cybersecurity now means safeguarding against far more than regulatory penalties. It means mitigating the escalating risks of operational downtime, data loss, supply chain disruption, and reputational damage that can cripple unprepared organizations.


Beyond Compliance: Building True Cyber Resilience

Forward-thinking businesses that embrace NIS2 compliance gain a competitive edge by strengthening security, building trust, and differentiating themselves from competitors by staying ahead of regulations. As government scrutiny increases, cybersecurity is no longer optional but a "license to operate," a term reinforced by the 2024 IT in Practice report.

With the NIS2 deadline fast approaching, businesses must act promptly to ensure compliance. But the real opportunity lies in going beyond the baseline. Compliance should not be the finish line; it should be the foundation. Cybersecurity is now a core business function, vital not only for regulatory alignment but also for mitigating risk, maintaining operations, and earning trust in a threat-heavy digital landscape. As cyberattacks grow in volume and complexity, investing in proactive security and cross-functional readiness is essential. By addressing cybersecurity investment, talent development, and skills shortages head-on, organizations can transform compliance into resilience, and resilience into competitive advantage.

Want to ensure your business is fully compliant with the NIS2 directive?

Learn how 7N can help you bridge cybersecurity skill gaps and manage regulatory requirements. Read more or reach out to Jens Laugesen, VP of Delivery & Value-add.