Regulation
Published on June 1, 2026

NIS 2 in practice: What it delivers, and where gaps remain

Antonio Mecci
CISO | SecureSafe (DSwiss AG)

Introduction

NIS 2 is the EU's most significant update to network and information security requirements in years, pushing cybersecurity from an IT concern to a boardroom priority. The directive is structurally sound in several respects, but its real-world impact depends on consistent application across member states, and that consistency is still a work in progress.

Key Takeaways

  • Incident reporting follows a strict three-stage timeline: early warning within 24 hours, incident notification within 72 hours, final report within one month.
  • Supply-chain accountability extends beyond an organisation's own operations to its full vendor and supplier network.
  • Fragmented transposition and interpretation across member states create compliance friction for cross-border organisations.
  • Without harmonised standards, NIS 2 risks producing compliance activity rather than measurable resilience.

The European Union’s updated Network and Information Security Directive (NIS 2) aims to elevate cybersecurity across critical sectors by introducing clear responsibilities, faster incident reporting, and a stronger focus on supply-chain risk management. The directive’s intent is to make cybersecurity a strategic priority for organisations across the EU, embedding it into boardroom discussions and risk frameworks.

One of the most notable changes under NIS 2 is the tightening of incident reporting requirements. Organisations must now send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, follow up within 72 hours with an incident notification that includes an initial assessment of severity and impact, and submit a final report within one month. This structured timeline brings greater transparency and urgency to cyber incident management, and it forces organisations to decide quickly whether an incident crosses the significance threshold.

Another key element of NIS 2 is the emphasis on supply-chain security. Businesses are expected to assess and manage cybersecurity risks not only within their own operations but also across their supplier and service-provider ecosystem, including the security practices of those third parties. This broadens accountability and makes risk-based decision-making about vendors paramount.

However, despite these advances, implementation challenges remain. The directive sets minimum requirements, but common EU-wide standards, shared reporting templates, and interoperable systems are still lacking. Because NIS 2 is a directive, each member state transposes it into national law, and each currently interprets and applies it differently – from definitions and deadlines to reporting formats – so organisations operating internationally face duplicated reporting effort and increased compliance complexity.

Experts and practitioners stress the importance of developing harmonised incident taxonomies, central reporting frameworks, and aligned interfaces with other EU regulations such as the GDPR (whose 72-hour personal-data-breach notification can be triggered by the same incident) and DORA. Such standardisation would reduce friction, improve comparability of incident data across borders, and help organisations move beyond compliance toward measurable cybersecurity resilience.

👉 Read the full article on Security-Insider:
https://www.security-insider.de/nis2-eu-standards-meldeprozesse-lieferkette-a-f6ea51861527cb7f1785eca4b50787a3/

Published on: security-insider.de

Author: Antonio Mecci

Conclusion

NIS 2 moves in the right direction, but setting minimum thresholds without common standards beneath them places a disproportionate burden on organisations operating across multiple jurisdictions. Whether the directive delivers on its intent will depend on the infrastructure built around it: shared incident taxonomies, interoperable reporting channels, and regulatory alignment with the GDPR and DORA.
