NIS2 Compliance | Challenges, Pain Points and Solutions
The European Union’s NIS2 Directive represents a step change in how EU firms will need to approach cybersecurity. And, if you work in compliance, IT or security operations at any organisation that’s affected, NIS2 will have a big impact on your job.
Achieving NIS2 compliance is complicated. There are multiple issues to be aware of, processes to change, and technical fixes to make.
To help you get a handle on NIS2 compliance, we’ve created a hub of content to get you up to speed on best practices, solutions and strategies.
In this hub, you will learn about:
- What NIS2 is
- The opportunity of NIS2
- Challenges and issues around NIS2 compliance
- The technical side of NIS2 compliance
What is NIS2?
The Network and Information Systems Directive 2 (Directive 2022/2555) is a piece of EU legislation that is designed to enforce a high common level of cybersecurity across the bloc.
It was adopted in 2023, and came into effect in October 2024.
In recent years, thousands of organisations have been affected by cyberattacks. These attacks damage the EU’s economy due to disruption, theft or ransoms.
What is more, such attacks have also resulted in breaches of EU citizens’ rights (to privacy, for instance). Many of these breaches could have been avoided if the companies affected had followed higher security standards.
Speaking in a recent Q&A, one of Heimdal’s cybersecurity experts, Andrei Hinodache, explained the basic logic behind NIS2:
“If policymakers see that organizations are not able to defend themselves properly, what is the policymaker going to do? They're putting in a baseline [i.e. NIS2] so that we can all start from an equal footing.”
Key features of NIS2
The NIS2 Directive has a number of key features to be aware of:
- Essential entities: ‘Essential’ entities are those that play a critical role in the EU’s stability. Breaches of these organisations’ security would be highly disruptive. ‘Essential’ entities include banks, healthcare providers, energy companies and more. Fines for non-compliance among ‘essential’ entities could be as high as €10 million, or at least 2% of total annual turnover.
- Important entities: ‘Important’ entities are organisations that would also trigger serious disruption if breached, although less severe than with ‘essential’ entities. Fines for non-compliance with NIS2 by ‘important’ entities will be up to €7 million, or at least 1.4% of annual turnover.
- Personal responsibility: NIS2 aims to focus minds by making individuals at organisations personally responsible for non-compliance. If an organisation is found to be negligent following a breach, a named individual (normally a senior executive) will be held responsible. They may be legally barred from managerial responsibilities for a certain number of years. They could, potentially, face legal proceedings.
- Greater supervision: Each EU country will need to appoint a ‘competent authority’ whose job it will be to carry out audits and confirm that organisations are complying with NIS2.
- Supply chain security: Many breaches happen through the supply chain. NIS2 recognises this and requires ‘essential’ and ‘important’ entities to verify IT suppliers and other contractors, to ensure they are not leaving ‘back doors’ open into their systems.
How does NIS2 compare to NIS1?
NIS2 is an improvement and expansion on the pre-existing NIS1 regulations.
It introduces a variety of changes, such as:
- Making organisations implement more advanced security measures, including MFA and encryption (both are specifically listed as obligations in Article 21(2)(h) and (j))
- Requiring organisations to report cyber incidents in a structured way and within a set timeframe
- Making entities consider supply chain security, by including it in the “Cybersecurity risk-management measures and reporting obligations” chapter
Learn more about the differences between NIS1 and NIS2 in our primer.
Quick start for NIS2 compliance: Heimdal checklist
Get the ball rolling with our NIS2 compliance checklist, which is available to download in three convenient formats: Word, Google Docs, and PDF.
The checklist covers seven essential areas for NIS2 compliance:
- Governance and leadership
- Risk management and security measures
- Supply chain security
- Incident reporting and response
- Legal and compliance requirements
- Training and awareness
- Continuous improvement
Links between DORA and NIS2
The Digital Operational Resilience Act (DORA) is a related piece of EU regulation that applies specifically to the financial services (FS) sector. It came into effect in January 2025.
In many ways, DORA mirrors NIS2, requiring FS companies to follow best practices, submit to audits, produce reports, and monitor their supply chains.
One key difference is that DORA covers almost all FS firms, no matter their size or importance to the overall EU economy/stability (whereas NIS2 is mainly focused on larger organisations).
DORA also exceeds NIS2 in various ways, requiring firms to do even more to boost their security.
Complying with DORA
Financial services businesses will need to make a variety of changes to comply with DORA.
These include implementing IT risk management, IT incident planning, resilience testing, supply chain risk assessments, and sharing information.
For a complete overview, read our guide to the 8 Essential Steps for DORA Compliance and Effective Reporting.
NIS2 is an opportunity: Achieving continuous compliance
In the business world, new regulations are often viewed as onerous and frustrating.
And there is no doubt that NIS2 will require organisations to make changes to their processes and technology.
Nevertheless, we believe it can and should be viewed as an opportunity:
- Reduced security risk: Complying with NIS2 will, in the long run, reduce your organisation’s risk of being breached, and all the financial and reputational damage this entails.
- Closed gaps: NIS2 will require organisations to carry out a gap analysis of their security posture. Completing this process can help uncover a range of issues (e.g. poor password hygiene) you may not have previously been aware of.
- A more coherent approach to security: While this might not necessarily make a major difference to individual organisations, harmonised security across the EU will reduce differences between countries. Equally, by pushing big businesses to inspect their suppliers’ security policies, it should ‘trickle down’ and enhance security in smaller businesses too.
NIS2 - fostering ‘continuous compliance’
One of the biggest potential benefits of NIS2 is that it will push organisations to implement ‘continuous compliance’. In our recent webinar with compliance expert Larisa Mihai, she explained:
“People look at these regulations [like NIS2] from the paradigm, that ‘this is something that I need to do because I need to check that mark’. [In fact], this is something that you need to do in your company just to have a foundation of security.”
Continuous compliance is about getting the essential foundations of security in place, so you are compliant all the time – not just when you get audited. By implementing NIS2, you should be able to achieve that.
Learn what continuous compliance looks like in our guide.
NIS2 is an opportunity for Managed Service Providers
If you supply IT services to essential or important entities in the EU, NIS2 will almost certainly impact you. Your customers are likely to review contracts, and ask for evidence that you comply.
At the same time, NIS2 presents a golden opportunity to add value. By using a unified cybersecurity platform, you can provide customers with many of the technological solutions they need to scan for threats, undergo testing, manage their assets and more.
You can also support clients with:
- consultancy (NIS2 compliance gap analysis, creating risk management policies, etc.)
- training
- NIS2 compliance reports
For more ideas about how MSPs can help clients comply with regulations like DORA and NIS2, read our guide.
“One of the trends I've noticed when chatting with MSPs in regards to their compliance and cybersecurity practices is that often, not only are they looking primarily at the compliance requirements of their own customers… but also they're looking at cybersecurity solutions that would help them be a little bit more prepared for future compliance requirements that might come out later.”
- Jacob Hazelbaker, Heimdal Cybersecurity Expert
What are the challenges of NIS2 compliance?
Complying with NIS2 will require organisations to implement various changes and do more reporting than in the past.
However, if you already follow ‘best practice’ cybersecurity standards (e.g. ISO 27001), adapting to NIS2 won’t actually require major changes.
Here are some of the most common challenges and pain points that organisations face when trying to comply with NIS2.
NIS2 compliance audits
In the coming years, many organisations will face NIS2 compliance audits.
These may happen in the aftermath of a cyber attack, but they may also be random spot checks (depending on the approach taken by national competent authorities).
NIS2 compliance audits are likely to be challenging.
Companies will have just two weeks to prepare for the audits and will need to compile large amounts of documentation and evidence to demonstrate compliance.
Shortage of IT resources to support compliance
IT departments are often overstretched, so requiring them to support NIS2 compliance will only add to their burden. This is especially true when companies need to produce audit reports fast.
In the Heimdal webinar, Larisa explained:
“My engineering team… needs pockets of silence. When an engineer does implementation, he can't be in 27 audits. He needs pockets of silence, pockets of no meetings.” Asking engineering teams to stop their work to help with compliance audits is likely to result in lots of friction.
Supply chain challenges
NIS2 requires EU businesses to reassess their suppliers and ICT vendors. If any of these are found to have poor cybersecurity practices, contracts may need to be curtailed.
This may potentially be disruptive if, for instance, you rely on a supplier for key services, but they are resistant to changing their own cybersecurity practices.
Culture change
NIS2 compliance is as much about people as it is about technology. Senior executives will need to be frequently reminded that they face criminal liability if their company is found to be negligent.
Across the business, new practices will need to be implemented:
- Including cybersecurity training in all staff onboarding
- Providing regular training on security best practices
- Conducting penetration testing
“I've been in too many meetings where I lay out the serious NIS 2 requirements we need to urgently address... Rather than listening, the CEO and his merry band of VPs just start shuffling papers and changing the subject. As if by avoiding eye contact, the regulation will somehow poof into thin air.”
- Reddit GRC channel discussion
Preparing for a NIS2 audit
Competent authorities in EU countries will enforce the directive through NIS2 audits. These inspections are likely to be stressful and time consuming, especially since you only have two weeks to prepare.
Read our guide to preparing for NIS2 audits, with insights from compliance expert Larisa Mihai.
What happens if you fail to comply with NIS2?
If your company does get breached, you will almost certainly be audited by the competent authority in your country. They will be looking to ascertain whether you were complying with NIS2. If not, you may face major penalties.
As mentioned above, fines for non-compliance with NIS2 are significant – ranging from €7m to €10m or a percentage of annual turnover. There is also a real risk of individuals being held liable for negligence.
That being said, there are a number of actions you can take to reduce your risk of a fine (or to negotiate it down), even if you do get breached. These include:
- Completing a risk assessment
- Producing security policies and documenting them
- Deploying advanced cybersecurity technology
- Collecting and retaining evidence of due diligence efforts
For more insights, read our guide: How to Negotiate Your NIS2 Fine or Completely Avoid the Risk.
The technical side of NIS2 compliance
Complying with NIS2 is multifaceted. It requires a combination of changes to people, processes and technology.
The way you pick and use your cybersecurity tools will therefore play an essential role in compliance.
At a bare minimum, you will need cybersecurity solutions that provide:
- Multi-factor authentication
- Encryption
- Intrusion detection and extended detection and response
- Incident response management
- Vulnerability management
- Access control
- Modern firewalls
- Threat hunting
For many organisations, this will require investing in a variety of additional cybersecurity point solutions.
However, with Heimdal’s Unified Security Platform, you can flexibly add additional security tools as needed, building out your defences so you can achieve NIS2 compliance from a single, central dashboard.
“Pick something that's flexible, that's super easy to simply add in more pieces, more modules to cover a broader range of that stack, just in case you wake up tomorrow and realize ‘oh, we do need this to meet compliance after all’.”
- Jacob Hazelbaker, Heimdal Cybersecurity Expert
What NIS2 Compliance software is available?
At present, there is no ‘silver bullet’ solution that will make an organisation compliant with NIS2.
However, there are several companies who have developed solutions, products and services that help customers address NIS2 compliance.
These vendors take different approaches – from insider threat software to risk reporting tools through to consultancy.
Read our guide to five of the best NIS2 compliance solutions providers.
Get your whitelabel NIS2 compliance report
Heimdal’s lightweight NIS2 compliance wizard automatically scans your environment to identify gaps and issues that could leave you non-compliant.
It then automatically generates a report that you can share with your internal team or an external auditor, saving you hours of time per report.
Get your automatic, user-friendly and fast NIS2 compliance report here.
Helping you comply with NIS2
We expect NIS2 to have major – and positive – effects across the EU and beyond. It will push organisations of all sizes to follow more advanced, more reliable, and more robust security practices.
In turn, this should reduce the risk of breaches, and mean people’s money, private information and physical safety is better protected.
Complying with NIS2 can be challenging, and it won’t be straightforward for every organisation.
However, we hope that this information hub will help you with planning your NIS2 compliance project, and answer any questions you have.