Enterprise Cyber Readiness - What NIS2 Reveals

Tuesday, June 30, 2026


The New Frontier of Digital Security 

Building sustainable and lasting cyber resilience aligned with regulatory expectations can be daunting. The goalposts are constantly moving, and the threats are increasingly sophisticated. Many think of preparing an enterprise for cybersecurity readiness as a compliance requirement, but it is more than that. True cyber readiness is a signal of operational maturity, resilience and trust. 

Directive (EU) 2022/2555, known as NIS2, is the framework designed to raise the level of cybersecurity and digital resilience across the European Union (EU). Its purpose is to make the protection of networks and information systems more consistent among EU Member States and to strengthen the resilience of essential services and strategic sectors against increasingly sophisticated cyber threats. 

NIS2 is no longer a future regulatory development. The transposition deadline passed on 17 October 2024, and by 17 April 2025 Member States were required to establish the list of entities classified as essential or important, as well as entities providing domain name registration services, with those lists to be reviewed and updated at least every two years. For organizations, this means that scope determination is not merely a theoretical exercise: companies operating in critical or strategic sectors should assess whether they fall within these categories and be prepared to demonstrate progress toward compliance.  

In practical terms, cyber risk management, incident reporting, governance accountability and resilience planning must now be treated as active management priorities rather than as future compliance considerations.  


Who Needs to Comply 

NIS2 applies to both public and private entities that meet the relevant size criteria (broadly, at least 50 employees or an annual turnover and balance sheet total above EUR 10 million) and operate in sectors considered critical or strategic for the economy, society and national security. Certain entities, such as DNS service providers, TLD name registries, trust service providers and providers of public electronic communications networks, are in scope regardless of size. In practice, this means that many medium and large organizations in sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space may fall within the scope of the Directive. 

The Directive distinguishes between essential entities and important entities. Essential entities generally operate in highly critical sectors, while important entities include organizations in other strategic areas, such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research. The distinction does not remove the obligation to comply; rather, it affects how supervision and enforcement are applied by the competent national authorities designated by each Member State: essential entities are subject to proactive (ex ante) as well as reactive supervision, whereas important entities are supervised ex post, typically when the authority has evidence or indications of non-compliance. Both categories are subject to governance, risk management and incident reporting duties.  

The potential exposure is also material: for essential entities, Member States must provide for administrative fines with a maximum of at least EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum must be at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. 

Table 1: Different Industries Face Different Fines for Noncompliance 

 

How Enterprises Should Govern Cybersecurity 

NIS2 changes the way organizations are expected to govern cybersecurity. The Directive does not simply require additional technical controls; it requires management to take ownership of cyber risk, approve appropriate risk-management measures and oversee their implementation. For business leaders, the practical challenge is therefore to move from informal or technology-led security practices to a governance model that is documented, measurable and evidence-based. Compliance depends not only on the existence of controls, but on the organization’s ability to demonstrate that cyber risks are understood, decisions are traceable and responsibilities are clearly assigned across management, IT, security and business functions. 

The risk-management measures must be appropriate and proportionate to the risks faced by the organization and aligned with the current state of the art. They should cover the full security lifecycle, including incident handling, business continuity, disaster recovery, crisis management, supply chain security, secure acquisition, development and maintenance of systems, vulnerability management and disclosure, security testing, cyber hygiene, training, cryptography, access control, asset management and the use of multi-factor authentication or equivalent secure authentication solutions where appropriate. 

Incident notification is another central requirement. Significant incidents must be reported to the competent authority or CSIRT on the timeline set out in Article 23 of NIS2: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after that incident notification was submitted. If the incident is still ongoing at that point, a progress report is due instead and the final report follows within one month of the incident being handled. In the Italian context, notifications are addressed through the competent national channels, including ACN and CSIRT Italia, according to the applicable national procedures. 

How to Achieve NIS2 Compliance - Our Approach 

Achieving NIS2 compliance requires a structured and integrated program that combines strategy, governance, technical controls and operational resilience. The objective is not only to close regulatory gaps, but also to create a repeatable management model that can be maintained over time and demonstrated through evidence during audits, supervisory reviews or customer due diligence. 

For this reason, the assessment should be aligned with recognized cybersecurity frameworks and good practices. ISO/IEC 27001 and ISO/IEC 27002 provide a solid basis for information security governance and control design; the NIST Cybersecurity Framework helps structure capabilities around identify, protect, detect, respond and recover; and ENISA guidance supports interpretation of European cybersecurity expectations. Where the organization falls within the sectors covered by Commission Implementing Regulation (EU) 2024/2690, that regulation and the related ENISA guidance should also be included in the control mapping. 

ISG’s methodology translates these references into a pragmatic four-phase roadmap, designed to strengthen cyber resilience while keeping a clear line of sight between regulatory obligations, technical implementation and business priorities. 

Operational Roadmap for NIS2 Compliance 

The four-phase roadmap is designed to operationalize NIS2 compliance. It builds on recognized cybersecurity and governance frameworks and is organized into a practical sequence that helps organizations move from assessment to implementation, resilience and continuous improvement.  

Phase I: Mapping, Analysis and Technical Governance 

In the first phase, the organization’s IT, security, risk and business stakeholders work to build a clear understanding of the IT landscape, the criticality of services and the organization’s exposure to cyber risk. Together, they must identify and classify critical assets, including hardware, software, data, business services, cloud environments and, where relevant, OT systems. This mapping provides the basis for assessing vulnerabilities, threat scenarios and potential business impacts on essential assets and services. 

The organization’s relevant internal stakeholders identify existing technical and organizational policies and determine where they need to be updated, formalized or better aligned with NIS2 expectations. This review may cover areas such as access control, password management, encryption standards, logging, backup, supplier security and incident management, with the organization retaining ownership of formal approval and adoption. Particular attention is given to the supply chain.  

Then, procurement, legal, vendor management and security stakeholders must assess third-party risks, review contractual security clauses and define periodic due diligence or audit mechanisms where necessary. By the end of this phase, the organization has built a consolidated view of its assets, dependencies and third-party exposure, supported by a technical governance framework that enables the organization’s management and security teams to make cybersecurity decisions through a clear, risk-based model. 

Phase II: Implementation of Protection and Control Measures 

In the second phase, the organization translates governance requirements into practical protection and control measures. The organization’s IT and security teams, supported where appropriate by technology providers, must strengthen identity and access management through multi-factor authentication, role-based access and the principle of least privilege. They also need to formalize vulnerability and patch management through regular scanning, prioritization criteria and defined remediation timelines, while improving network and endpoint security through segmentation, monitoring capabilities, IDS/IPS or EDR solutions and encryption of sensitive data. 

This phase also includes system hardening, defining secure configuration baselines and restricting administrative privileges. The goal is to convert governance requirements into operational controls that reduce the likelihood of compromise, leaving a more disciplined security baseline in which exposure to cyber threats is reduced and day-to-day IT operations are supported by stronger cyber hygiene practices. 

Table 2: Four Phases of NIS2 Compliance 

 

Phase III: Resilience and Incident Management 

In the third phase, the organization reviews or designs the operating model required to detect, respond to and recover from cyber incidents. Security monitoring is strengthened by centralizing logs and, where appropriate, defining how SIEM or SOC capabilities should support timely detection and response. Business continuity and disaster recovery plans are reviewed or designed with the relevant internal teams to reflect cyber scenarios, with particular focus on secure, isolated and immutable backups. 

The incident response plan defines roles, responsibilities, escalation paths and decision-making processes. It should be explicitly aligned with the NIS2 reporting timeline of 24 hours, 72 hours and one month, and it should state how the organization determines that it has become aware of a significant incident, since that moment starts the 24-hour and 72-hour clocks. This ensures that technical teams, management and legal or compliance functions know what must happen during the first hours of an incident.  
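As an added illustration, not part of the original article or of ISG's methodology, the following Python snippet tracks the three Article 23 reporting stages for a single incident and flags which are pending, overdue or filed late. The stage names, the convention that "one month" means the same day of the following calendar month clamped to month end, the fallback anchor for an unsubmitted notification and the sample timestamps are all assumptions made for this example; the Directive itself does not spell out how the month is counted, so the incident response plan should fix that convention explicitly.

```python
"""Deadline tracker for the NIS2 Article 23 reporting stages.

Added example, not code from the article. Assumptions made here:
- the clocks start at the recorded time the organization became aware that
  the incident is significant (the plan must define that moment);
- "one month" means the same day of the next calendar month, clamped to the
  last day of that month when the day does not exist (31 Jan -> 28 Feb);
- while the 72-hour notification is outstanding, the final-report deadline is
  projected from the 72-hour deadline rather than from an actual submission.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def add_one_month(ts: datetime) -> datetime:
    """Move ts forward one calendar month (month-end clamping is an assumption)."""
    year = ts.year + ts.month // 12          # December rolls into the next year
    month = ts.month % 12 + 1
    last_day = monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class Stage:
    name: str
    deadline: datetime
    submitted_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """pending / overdue for open stages, submitted / submitted-late once filed."""
        if self.submitted_at is not None:
            return "submitted-late" if self.submitted_at > self.deadline else "submitted"
        return "overdue" if now > self.deadline else "pending"


def nis2_stages(aware_at: datetime,
                early_warning_at: Optional[datetime] = None,
                notification_at: Optional[datetime] = None,
                final_report_at: Optional[datetime] = None) -> list:
    """Build the three Article 23 stages with their deadlines and submission state."""
    early = Stage("early warning (24h)", aware_at + timedelta(hours=24), early_warning_at)
    notif = Stage("incident notification (72h)", aware_at + timedelta(hours=72), notification_at)
    # Art. 23(4)(d): the final report is due one month after the incident
    # notification is *submitted*, not one month after becoming aware.
    anchor = notification_at if notification_at is not None else notif.deadline
    final = Stage("final report (1 month)", add_one_month(anchor), final_report_at)
    return [early, notif, final]


def track(aware_iso: str, now_iso: str,
          early_warning_iso: Optional[str] = None,
          notification_iso: Optional[str] = None,
          final_report_iso: Optional[str] = None) -> list:
    """ISO-8601 wrapper: returns (stage name, deadline ISO string, status) tuples."""
    def parse(s: Optional[str]) -> Optional[datetime]:
        return None if s is None else datetime.fromisoformat(s)

    now = parse(now_iso)
    stages = nis2_stages(parse(aware_iso), parse(early_warning_iso),
                         parse(notification_iso), parse(final_report_iso))
    return [(s.name, s.deadline.isoformat(), s.status(now)) for s in stages]


if __name__ == "__main__":
    # Constructed scenario: aware on 30 Jan 2026 10:00 UTC, early warning sent
    # the same evening, 72h notification filed on 31 Jan 16:00 UTC; state as of
    # 2 Feb 2026. Note the final report lands on 28 Feb (clamped from 31 Jan + 1 month).
    for row in track("2026-01-30T10:00:00+00:00", "2026-02-02T00:00:00+00:00",
                     early_warning_iso="2026-01-30T20:00:00+00:00",
                     notification_iso="2026-01-31T16:00:00+00:00"):
        print(*row, sep="  |  ")
```

Because the final-report clock is anchored on the actual submission of the 72-hour notification, filing that notification early also brings the final report forward; while the notification is still outstanding, the tracker projects from the 72-hour deadline as a conservative estimate. The month-end clamp is the kind of detail that is easy to get wrong with a naive "30 days" calculation and is worth agreeing with legal and compliance before an incident happens.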

Simulation exercises, tabletop sessions and attack scenarios should involve technical teams, management, legal, compliance, communications and business continuity stakeholders. These exercises validate the incident response plan and test escalation and decision-making processes under realistic time pressure. The result is a more resilient operating model, in which incidents are detected earlier, escalated consistently and managed through recovery actions that reduce business disruption. 

Phase IV: Validation, Audit and Training 

In the fourth phase, the organization consolidates compliance and establishes a cycle of continuous improvement. This may include coordinating vulnerability assessments and penetration tests, reviewing the effectiveness of implemented controls and performing audit-readiness activities against NIS2 requirements and selected reference frameworks such as ISO/IEC 27001, NIST CSF and ENISA guidance. It’s also important to define targeted training and awareness initiatives for employees, IT and security teams and management. 

Training and awareness are treated as part of the control environment. All employees should receive appropriate cybersecurity awareness, while IT and security teams require more advanced technical training. Management should also receive targeted sessions on responsibilities, decision-making during incidents and the evidence expected by regulators or auditors.  

Periodic reporting then keeps the program visible and allows controls to be updated in line with emerging threats, business changes and regulatory developments. The result is an organization that is not only aligned with NIS2 expectations at a given point in time, but also aware, trained and able to improve its controls as threats, technologies and regulatory expectations evolve. 

The Value for Your Organization 

The value of NIS2 compliance lies not only in meeting regulatory expectations, but in building an operating model that can demonstrate control under pressure. Organizations that can show clear governance, tested response capabilities, stronger supplier oversight and reliable evidence of risk management are better positioned in audits, customer assurance processes, tenders and strategic partnerships. In this sense, NIS2 readiness is more than a compliance requirement: it becomes a signal of operational maturity and resilience. 

For many enterprises, cyber readiness can be overwhelming. ISG helps organizations throughout the compliance journey by supporting the initial assessment and gap analysis, the design of the compliance roadmap, the definition of program governance, the implementation and validation of technical measures, and the delivery of training and continuous improvement initiatives. 

Our approach helps organizations build sustainable and lasting cyber resilience, aligned with European regulatory expectations and global best practices. 


About the author

Vittorio Capuano

Vittorio is a Principal Consultant with more than 20 years of proven experience in Service and Project Management. He offers ISG clients his expertise in ICT, Telco and Public Sector companies.