
NIS2 in 2026: What Companies Need to Do Now

National transposition of NIS2 is landing across the EU. Here is a practical, no-panic roadmap for getting your organization in scope, in control, and audit-ready.

By Sandy Smajic · 8 min read

NIS2 is no longer a future problem. With national transposition laws now in force across most EU member states, the question for mid-sized companies has shifted from "does this apply to us?" to "can we prove we are compliant?" This article cuts through the noise and gives you a concrete sequence of actions.

First, determine if you are in scope

NIS2 distinguishes between "essential" and "important" entities across 18 sectors, including energy, transport, banking, health, digital infrastructure, manufacturing, and food. Size matters too: medium and large organizations are generally captured, but smaller companies can still fall in scope if they are critical to a supply chain.

  • Map your sector against the NIS2 Annexes — don't assume you're exempt.
  • Check whether you are a supplier to an essential entity; their obligations flow down to you.
  • Document the determination. "We decided we're out of scope" needs a paper trail.

The ten baseline measures

Article 21 sets out a minimum set of risk-management measures. You don't need a 300-page manual, but you do need evidence that each area is genuinely addressed:

  • Risk analysis and information security policies
  • Incident handling and reporting
  • Business continuity and crisis management
  • Supply chain security
  • Security in acquisition, development, and maintenance
  • Policies to assess the effectiveness of measures
  • Basic cyber hygiene and training
  • Cryptography and encryption where appropriate
  • Access control and asset management
  • Multi-factor authentication and secure communications

Reporting timelines are tight

A significant incident triggers an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month. If your team has never rehearsed this, the first real incident is the worst time to find out. Run a tabletop exercise.

Management is accountable

One of the biggest shifts in NIS2 is personal accountability for management bodies. Leadership must approve risk measures, oversee implementation, and undergo training. This is not something you can fully delegate to IT.

The organizations that struggle are not the ones with weak technology — they are the ones who cannot demonstrate ownership and evidence.

A practical 90-day sequence

  • Weeks 1–2: Scope determination and gap assessment against Article 21.
  • Weeks 3–6: Close the highest-risk gaps and stand up incident reporting.
  • Weeks 7–10: Supply chain review and management training.
  • Weeks 11–13: Tabletop exercise, evidence collection, and a living compliance record.

NIS2 rewards organizations that treat security as an ongoing program rather than a one-time project. Start with a clear-eyed assessment, fix what matters most first, and keep your evidence current.

Topics: NIS2, EU Directive, Compliance, Risk Management
