Last updated on July 19, 2025
The European Union’s NIS2 Directive represents a step change in how EU firms will need to approach cybersecurity. And, if you work in compliance, IT or security operations at any organisation that’s affected, NIS2 will have a big impact on your job.
Achieving NIS2 compliance is complicated. There are multiple issues to be aware of, processes to change, and technical fixes to make.
To help you get a handle on NIS2 compliance, we’ve created a hub of content to get you up to speed on best practices, solutions and strategies.
In this hub, you will learn about:
The Network and Information Systems Directive 2 (Directive 2022/2555) is a piece of EU legislation that is designed to enforce a high common level of cybersecurity across the bloc.
It was adopted in 2023, and came into effect in October 2024.
In recent years, thousands of organisations have been affected by cyberattacks. These attacks damage the EU’s economy due to disruption, theft or ransoms.
What is more, such attacks also resulted in breaches of EU citizens’ rights (to privacy, for instance). Many of these breaches could have been avoided if the companies affected had followed higher security standards.
Speaking in a recent Q&A, one of Heimdal’s cybersecurity experts, Andrei Hinodache, explained the basic logic behind NIS2:
“If policymakers see that organizations are not able to defend themselves properly, what is the policymaker going to do? They're putting in a baseline [i.e. NIS2] so that we can all start from an equal footing.”
The NIS2 Directive has a number of key features to be aware of:
Supply chain security: Many breaches happen through the supply chain. NIS2 recognises this and requires ‘essential’ and ‘important’ entities to verify IT suppliers and other contractors, to ensure they are not leaving ‘back doors’ open into their systems.
NIS2 is an improvement and expansion on the pre-existing NIS1 regulations.
It introduces a variety of changes, such as:
Learn more about the differences between NIS1 and NIS2 in our primer.
Get the ball rolling with our NIS2 compliance checklist which is available to download in three convenient formats: Word, Google Docs, and PDF
The checklist covers seven essential areas for NIS2 compliance:
The Digital Operations Resilience Act (DORA) is a related piece of EU regulation that applies specifically to the financial services (FS) sector. It came into effect in January 2025.
In many ways, DORA mirrors NIS2, requiring FS companies to follow best practices, submit to audits, produce reports, and monitor their supply chains.
One key difference is that DORA covers almost all FS firms, no matter their size or importance to the overall EU economy/stability (whereas NIS2 is mainly focused on larger organisations).
DORA also exceeds NIS2 in various ways, requiring firms to do even more to boost their security.
Financial services businesses will need to make a variety of changes to comply with DORA.
These include implementing IT risk management, IT incident planning, resilience testing, supply chain risk assessments, and sharing information.
For a complete overview, read our guide to the 8 Essential Steps for DORA Compliance and Effective Reporting.
In the business world, new regulations are often viewed as onerous and frustrating.
And there is no doubt that NIS2 will require organisations to make changes to their processes and technology.
Nevertheless, we believe it can and should be viewed as an opportunity:
A more coherent approach to security: While this might not necessarily make a major difference to individual organisations, harmonized security across the EU will reduce differences between countries.
Equally, by pushing big businesses to inspect their suppliers’ security policies, it should ‘trickle down’ and enhance security in smaller businesses too.
One of the biggest potential benefits of NIS2 is that it will push organisations to implement ‘continuous compliance’. In our recent webinar with compliance expert Larisa Mihai, she explained:
“People look at these regulations [like NIS2] from the paradigm, that ‘this is something that I need to do because I need to check that mark’. [In fact], this is something that you need to do in your company just to have a foundation of security.”
Continuous compliance is about getting the essential foundations of security in place, so you are compliant all the time – not just when you get audited. By implementing NIS2, you should be able to achieve that.
Learn what continuous compliance looks like in our guide.
If you supply IT services to essential or important entities in the EU, NIS2 will almost certainly impact you. Your customers are likely to review contracts, and ask for evidence that you comply.
At the same time, NIS2 presents a golden opportunity to add value. By using a unified cybersecurity platform, you can provide customers with many of the technological solutions they need to scan for threats, undergo testing, manage their assets and more.
You can also support clients with:
For more ideas about how MSPs can help clients comply with regulations like DORA and NIS2, read our guide.
“One of the trends I've noticed when chatting with MSPs in regards to their compliance and cybersecurity practices is that often, not only are they looking primarily at the compliance requirements of their own customers… but also they're looking at cybersecurity solutions that would help them be a little bit more prepared for future compliance requirements that might come out later.”
- Jacob Hazelbaker , Heimdal Cybersecurity Expert
Complying with NIS2 will require organisations to implement various changes and do more reporting than in the past.
However, if you already follow ‘best practice’ cybersecurity standards (e.g. ISO 27001), adapting to NIS2 won’t actually require major changes.
Here are some of the most common challenges and pain points that organisations face when trying to comply with NIS2.
In the coming years, many organisations will face NIS2 compliance audits.
These may happen in the aftermath of a cyber attack, but they may also be random spot checks (depending on the approach taken by national competent authorities).
NIS2 compliance audits are likely to be challenging.
Companies will have just two weeks to prepare for the audits and will need to compile large amounts of documentation and evidence to demonstrate compliance.
IT departments are often overstretched, so requiring them to support NIS2 compliance will only add to their burden. This is especially true when companies need to produce audit reports fast.
In the Heimdal webinar, Larisa explained:
“My engineering team… needs pockets of silence. When an engineer does implementation, he can't be in 27 audits. He needs pockets of silence, pockets of no meetings”. Asking engineering teams to stop their work to help with compliance audits is likely to result in lots of friction. ”
NIS2 requires EU businesses to reassess their suppliers and ITC vendors. If any of these are found to have poor cybersecurity practices, contracts may need to be curtailed.
This may potentially be disruptive if, for instance, you rely on a supplier for key services, but they are resistant to changing their own cybersecurity practices.
NIS2 compliance is as much about people as it is about technology. Senior executives will need to be frequently reminded that they face criminal liability if their company is found to be negligent.
Across the business, new practices will need to be implemented:
“I've been in too many meetings where I lay out the serious NIS 2 requirements we need to urgently address... Rather than listening, the CEO and his merry band of VPs just start shuffling papers and changing the subject. As if by avoiding eye contact, the regulation will somehow poof into thin air.”
- Reddit GRC channel discussion ,
Competent authorities in EU countries will enforce the directive through NIS2 audits. These inspections are likely to be stressful and time consuming, especially since you only have two weeks to prepare.
Read our guide to preparing for NIS2 audits, with insights from compliance expert Larisa Mihai.
If your company does get breached, you will almost certainly be audited by the competent authority in your country. They will be looking to ascertain whether you were complying with NIS2.
If not, you may face major penalties.
As mentioned above, fines for non-compliance with NIS2 are significant – ranging from €7m to €10m or a percentage of annual turnover. There is also a real risk of individuals being held liable for negligence.
That being said, there are a number of actions you can take to reduce your risk of a fine (or to negotiate it down), even if you do get breached. These include:
For more insights, read our guide: How to Negotiate Your NIS2 Fine or Completely Avoid the Risk
Complying with NIS2 is multifaceted. It requires a combination of changes to people, processes and technology.
The way you pick and use your cybersecurity tools will therefore play an essential role in compliance.
At a bare minimum, you will need cybersecurity solutions that provide:
For many organizations, this will require investing in a variety of additional cybersecurity point solutions.
However, with Heimdal’s Unified Security Platform, you can flexibly add additional security tools as needed, building out your defences so you can achieve NIS2 compliance from a single, central dashboard.
“Pick something that's flexible, that's super easy to simply add in more pieces, more modules to cover a broader range of that stack, just in case you wake up tomorrow and realize ‘oh, we do need this to meet compliance after all.”
- Jacob Hazelbaker , Heimdal Cybersecurity Expert
At present, there is no ‘silver bullet’ solution that will make an organisation compliant with NIS2.
However, there are several companies who have developed solutions, products and services that help customers address NIS2 compliance.
These vendors take different approaches – from insider threat software to risk reporting tools through to consultancy.
Read our guide to five of the best NIS2 compliance solutions providers.
Heimdal’s lightweight NIS2 compliance wizard automatically scans your environment to identify gaps and issues that could leave you non-compliant.
It then automatically generates a report that you can share with your internal team or an external auditor saving your hours of time per report.
Get your automatic, user-friendly and fast NIS2 compliance report here.
We expect NIS2 to have major – and positive – effects across the EU and beyond. It will push organisations of all sizes to follow more advanced, more reliable, and more robust security practices.
In turn, this should reduce the risk of breaches, and mean people’s money, private information and physical safety is better protected.
Complying with NIS2 can be challenging, and it won’t be straightforward for every organisation.
However, we hope that this information hub will help you with planning your NIS2 compliance project, and answer any questions you have.
One Platform. Total Security.
Network Security
Vulnerability Management
Privileged Access Management 
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
