NIS2 compliance made simple: 8 steps to follow

EU Member States implemented the Network and Information Security 2 Directive (NIS2), officially known as Directive (EU) 2022/2555, in October last year.

By now, businesses should have a solid compliance strategy in place and have implemented the necessary measures. However, if you're just starting, you'll need to act fast to achieve NIS2 compliance.

NIS2 compliance in 8 steps

Following the motto "better late than never," organizations can still take key steps to comply with the legal requirements. Here are eight strategic steps to help decision-makers approach compliance effectively.

  1. Clarifying legal obligations: Is my business affected by NIS2?

The first step for organizations is to determine whether they fall under the scope of the NIS2 Directive. The directive primarily targets entities in critical and important sectors, classified by the EU as “essential” and “important” entities.

This classification should be legally validated, as the implications are significant. NIS2 not only mandates robust cybersecurity risk management but also requires organizations to assess and secure their digital supply chains. As compliance extends beyond internal systems to include relationships with suppliers, continuous monitoring becomes necessary.

Organizations must also establish whether they are directly or indirectly affected by NIS2. This doesn’t just apply to critical infrastructure but also to many businesses within supply chains. In this article, we provide a detailed overview of the sectors impacted by the NIS2 Directive.

  2. Registering as a NIS2-relevant entity with the relevant authority

This step is directly linked to the previous one. If it becomes apparent that your organization is affected by NIS2, the directive requires you to register with the relevant national cybersecurity authority in your country.

  3. Building a project team

Once a company has established that it is subject to NIS2, it should assemble a dedicated project team consisting of various experts (IT, management, legal, etc.) to ensure all critical aspects are covered.

A project of this scale, especially one involving the development and implementation of NIS2 compliance measures, cannot be treated as a side task. To drive progress effectively, clear responsibilities must be assigned.

  4. Passing on knowledge

Cybersecurity is a core pillar of NIS2 compliance. To develop and evaluate a solid strategy, a strong understanding of cybersecurity is essential. At a minimum, basic knowledge of cybersecurity and risk management should be established across all levels of the organization.

Experts in the field should also provide training for executives, offering guidance on which measures to implement and how. This is especially critical from a liability perspective — management is accountable not only for understanding cybersecurity risks (knowledge-based liability) but also for ensuring proper implementation of required measures (internal liability).

If an organization lacks in-depth cybersecurity expertise — perhaps due to the absence of an in-house IT department — it may be worth considering third-party providers to handle some or all aspects of cybersecurity.

Certifications can be a useful guide when selecting the right partner. Accreditation from an independent body demonstrates a provider's expertise and experience in cybersecurity. Examples of relevant certifications and compliance frameworks include HIPAA, GDPR, ISO/IEC 27001, CCPA, the Digital Trust Label, and the Common Criteria certificate.

  5. Developing and communicating a security strategy

Clear and proactive communication of the security strategy ensures that everyone in the organization understands its importance. Management should take the lead in promoting this initiative and actively involve executives and staff.

To keep (data) security top of mind, regular staff awareness training is essential. These sessions should highlight potential security risks and provide concrete action steps for responding to breaches. Simulated exercises can also be valuable in strengthening IT and data security practices across the organization.

In this context, developing a clear incident response plan is essential. It should define what qualifies as a security incident and outline the necessary steps for an effective response. Companies must have cyberattack emergency plans in place and conduct regular tests to ensure preparedness.

Incident management shouldn’t be limited to the crisis response team — every employee should know how to act in an emergency, where to find key incident management information, and whom to notify in different scenarios. Reporting obligations are also crucial: Under NIS2, critical security incidents may need to be reported within 24 hours.

  6. Analyzing business processes and IT systems

NIS2 provides clear guidelines on how to respond when a breach occurs. To enhance preparedness, organizations must analyze their business processes thoroughly.

This analysis helps identify critical operations, their reliance on IT systems, and access controls, answering key questions such as "Who has access to what data?" It also plays a crucial role in risk management by identifying and documenting potential threats. Common risk assessment methods, such as evaluating potential damage and likelihood of occurrence, can then be used to prioritize security measures effectively.

Access management challenges can be addressed with specialized tools. For example, Tresorit’s data rooms provide granular access controls, ensuring that only authorized individuals can access specific assets. By limiting access to only those who truly need it, organizations can significantly reduce potential entry points for cybercriminals.

  7. Revising the data security architecture

The next step involves reviewing and adjusting the data and IT security architecture, including measures such as endpoint protection, network security, monitoring, and secure data management.

At this stage, adopting an external data management tool may be necessary to ensure robust protection when collaborating on sensitive data, both internally and with external partners. To choose the right solution, consider key criteria such as:

  • Encryption: The collaboration platform should make use of cutting-edge encryption technology — ideally zero-knowledge end-to-end encryption.
  • Usability: To be successful, the application must be exceptionally user-friendly. An intuitive user interface and the integration with common programs such as Microsoft Outlook and Teams significantly facilitate implementation and use.
  • Security controls: In addition to encryption, further security measures such as granular access control are essential.
  • Data residency: The location of the server is an important criterion when choosing a suitable solution. Organizations which fall under the GDPR must store their data on servers within the EU or in a third country deemed safe. Providers should therefore offer different data residency options.

  8. Regular reviews and adjustments

Cybersecurity is not a one-time task but an ongoing process that requires continuous attention. Regularly reviewing and updating your cybersecurity strategy is essential to stay ahead of evolving threats.

Businesses must not only stay informed about current regulations but also conduct regular security audits and penetration tests to proactively identify and address potential vulnerabilities.

NIS2 compliance step-by-step: a structured approach for increased cybersecurity

Achieving NIS2 compliance may seem daunting at first, but with a structured approach and clear priorities, it becomes manageable. The key is for organizations to recognize cybersecurity risks, define responsibilities, and take a step-by-step approach to implementation.

Seeking external expertise can be beneficial, especially to mitigate liability risks and prepare for unexpected threats. The extent of necessary action depends on the organization's existing security framework — those already certified under ISO/IEC 27001, for example, may require fewer adjustments than businesses starting from scratch. Investing in reliable security tools is always a smart decision to strengthen overall protection.