The European NIS2 directive significantly broadens the scope of organisations subject to cybersecurity obligations. For many SMEs and mid-sized companies, 2026 marks their entry into a regulatory framework previously reserved for large operators. Here is a breakdown and an action plan.
What changes with NIS2?
NIS2 replaces and strengthens the 2016 NIS directive. Three major developments stand out for mid-sized organisations:
- A broader scope: more sectors are covered, entities are classified as “essential” or “important”, and medium-sized companies (and some smaller ones) now fall within the directive’s reach.
- Strengthened notification obligations in the event of a significant incident, with short deadlines: an early warning within 24 hours, a full notification within 72 hours, and a final report within one month.
- Executive accountability: management bodies must approve and oversee cyber-risk management measures, follow training, and can be held liable for failures to comply.
In practice, many organisations discover they are now in scope when they were not under NIS1. The first step: check whether your organisation is in scope, based on its sector and size.
The expected measures
The directive mandates a risk-based approach, proportionate to each organisation’s exposure. Among the requirements:
- Risk analysis and an information system security policy;
- Incident management (detection, response, notification);
- Business continuity: backups, crisis management, BCP/DRP;
- Supply chain and third-party provider security;
- Access control, multi-factor authentication and the use of cryptography;
- Cyber hygiene policies and staff awareness.
Where to start?
There is no need to rebuild everything at once. A realistic trajectory unfolds in three stages: assess your exposure and maturity, prioritise the most critical gaps, then steer compliance over time — ideally with clear governance and a designated point of contact.
This is exactly the approach CyberSpector supports, from the initial diagnosis to delegated governance (CISO / DPO), including audits and continuous monitoring.
