When people talk about NIS2 today, one comparison comes up repeatedly: “This will be the GDPR of cybersecurity.” The comparison sounds logical, but it is misleading and pushes many organisations in the wrong direction.
The NIS2 Directive is not simply a compliance regulation. It fundamentally changes how organisations must approach digital risk — shifting the focus away from documentation and towards resilience, operational stability, and accountability at the management level.
Many organisations underestimate precisely this distinction — and in doing so, risk not only regulatory consequences, but operational disruptions, reputational damage, and significant financial exposure. For a broader perspective on how this shift affects day-to-day governance work, see our article When GRC Stopped Being Periodic and Became Everyday Work.
Why the GDPR Comparison Falls Short
GDPR has established a well-worn playbook in many organisations — and that thinking runs deep:
| Criterion | GDPR Approach | NIS2 Requirement |
|---|---|---|
| Focus | Documentation & evidence | Effectiveness & resilience |
| Goal | Pass the audit | Remain operational under attack |
| Accountability | Data Protection Officer | Senior management directly |
| Nature | Static documentation | Dynamic risk management |
| Response | React to requests | Actively report & manage incidents |
NIS2 Makes Cybersecurity a Management Responsibility
One of the most significant changes introduced by NIS2 concerns the executive level. Cybersecurity can no longer be treated as the sole responsibility of the IT department. According to BSI guidance on NIS2 implementation, senior management must approve security measures, oversee their execution, and receive regular updates on the organisation's security posture.
This fundamentally reshapes governance structures across many organisations:
Cybersecurity is evolving from a technical discipline into a question of sound corporate governance.
Mid-Market Companies Face Particular Pressure
Many organisations still assume that NIS2 applies exclusively to operators of critical infrastructure. The reality is considerably broader:
[Figure omitted. Source: ENISA – NIS2 Overview]
Affected organisations span a wide range of sectors.
The Real Problem: Lack of Visibility
In many organisations, IT infrastructure has grown organically over the years. Cloud solutions, external service providers, hybrid working models, and complex system landscapes create new dependencies — while a complete overview of the following is often absent:
- Which systems are business-critical?
- Where are the greatest risks and vulnerabilities?
- Who is responsible for what?
- Which third parties have access to sensitive data?
- What happens in an emergency — and who runs the response?
Concretely, the directive requires structured risk management, incident reporting processes, incident response capabilities, business continuity planning, and supply chain risk consideration. The BSI provides concrete implementation guidance to support organisations through this process.
Why Spreadsheets and Siloed Tools Are Not Enough
Many organisations are still attempting to address NIS2 with spreadsheets, shared document folders, and isolated tools. The fundamental problem with this approach is fragmentation: risks, measures, controls, processes, and accountabilities are kept in separate places, so no single, current view of the organisation's security posture exists.
Organisations need integrated Governance, Risk and Compliance structures that bring risks, measures, controls, processes, and accountabilities together in one place. Only then is it possible to:
- Continuously prioritise and manage risks
- Implement and track measures effectively
- Produce evidence at any time and in full
- Manage incidents efficiently and within required timeframes
- Meet regulatory requirements on an ongoing basis
NIS2 Changes the Way Organisations Think About Cybersecurity
Perhaps the most important point is consistently overlooked in the debate: NIS2 is not simply a regulatory burden. The directive compels organisations to take a structured, honest look at their digital resilience — and that, in the long run, is precisely where the strategic advantage lies.
Organisations with strong cyber resilience benefit from:
- More stable operations
- Reduced risk of outages
- Greater trust from customers and partners
- Better insurability
- Stronger competitive positioning
- Higher regulatory certainty
According to the ENISA Threat Landscape 2024, the frequency and sophistication of cyberattacks targeting European organisations continue to rise. Cybersecurity is becoming an increasingly decisive factor in long-term enterprise value and future viability.
Now Is the Right Time to Act
Many organisations are still waiting for full clarity on national transposition laws or specific regulatory guidance. That is a risky stance: the threat landscape evolves faster than regulatory processes — and the expectations of customers, partners, insurers, and supervisory authorities are rising continuously.
Rather than waiting for regulatory pressure to force action, organisations should move proactively. A practical starting point is the NIS2 Readiness Check, which shows where your organisation stands in just a few minutes. Alternatively, speak directly with our experts in a Discovery Call. Whichever route you choose, the work itself follows the same steps:
- Assess applicability — are you directly or indirectly regulated?
- Define governance structures — who owns accountability internally?
- Systematically evaluate risks — where are the critical gaps?
- Establish processes — reporting channels, incident response, BCM
- Clarify responsibilities — up to and including senior management
- Anchor resilience strategically — as a permanent organisational objective