NIS-2: From a compliance project to strategic cyber resilience

June 1, 2026

Why organisations should view the new EU directive as an opportunity to enhance security and competitiveness

The implementation of the NIS-2 Directive is currently one of the most significant challenges facing organisations and operators of critical infrastructure in Europe. Whilst many decision-makers initially perceive the new requirements as an additional regulatory burden, a different picture is increasingly emerging: NIS-2 is evolving into a tool that helps companies to strengthen their digital resilience in the long term.

This is because the European directive has a clear objective. It is designed to enable organisations to systematically identify cyber risks, effectively implement security measures and maintain their ability to operate even in the event of a crisis. NIS-2 thus goes far beyond traditional compliance requirements and places cyber resilience at the heart of business operations as a core corporate task.

Cyberattacks are becoming a business risk

The threat landscape has become significantly more severe in recent years. Ransomware attacks, targeted sabotage attempts, supply chain attacks and data theft no longer affect only large corporations or government institutions. Small and medium-sized enterprises are also increasingly coming under the scrutiny of professionally organised attackers.

At the same time, reliance on digital processes is growing steadily. Production facilities, logistics systems, ERP platforms, cloud services and networked infrastructures now form the backbone of many business models. A successful cyberattack can therefore have far-reaching consequences – ranging from business interruptions and financial losses to significant damage to reputation.

This is precisely where NIS-2 comes in. The directive calls on companies not to view cyber risks in isolation as an IT issue, but as an integral part of corporate risk management.

Identifying critical systems and understanding dependencies

One of the key requirements of the directive is to identify business-critical systems and processes. Companies must be able to document in a transparent manner which applications, data sets and infrastructures are indispensable for their service delivery.

In particular, complex IT landscapes are coming into focus. Many companies today operate hybrid environments comprising on-premises data centres, cloud services, SaaS applications and specialised industry solutions. Added to this are numerous external service providers and suppliers, whose systems are often closely linked to the company’s own processes.

NIS-2 therefore requires transparency not only regarding the company’s own infrastructure, but also regarding dependencies within the supply chain. Security incidents at partners or service providers can have a direct impact on one’s own organisation and must be taken into account accordingly.

Holistic security architectures instead of isolated solutions

The directive makes it clear that individual security measures alone are not sufficient. Whilst firewalls, endpoint protection and secure servers are important building blocks, they only become effective when integrated into a holistic security strategy.

Areas such as identity and access management, patch and vulnerability management, monitoring, logging, and the securing of interfaces and cloud connections are becoming particularly important. Backup and recovery concepts are also coming more into focus. Organisations must be able to demonstrate that they can resume operations within defined timeframes following a security incident.

Operators of business-critical systems, in particular, face the challenge of integrating existing infrastructures into modern security concepts. This applies, for example, to ERP systems, production control systems or central data platforms, the availability of which is directly linked to the company’s success.

Cyber resilience instead of the firefighting principle

In many organisations, cybersecurity is still treated reactively. Security measures are often only implemented after incidents or in the event of acute threats. However, this so-called ‘firefighting approach’ is increasingly reaching its limits in the face of today’s threat landscape.

NIS-2 takes a different approach. Risks should be continuously assessed and security measures systematically planned. The aim is not to completely avoid all threats – an unrealistic endeavour – but to be able to detect attacks at an early stage, limit their impact and restore business operations as quickly as possible.

This mindset fundamentally changes the role of IT security. It shifts from an operational protective mechanism to a strategic management tool for corporate leadership.

People remain the biggest point of entry

Despite technological advances, the human factor remains one of the greatest challenges in the field of cybersecurity. Phishing campaigns, social engineering and faulty configurations continue to be among the most common causes of successful attacks.

That is why NIS-2 places great emphasis on training and awareness-raising measures. Employees should be able to recognise security risks, know the reporting channels and understand their role within the security architecture.

The directive is explicitly not aimed solely at IT departments. Cybersecurity becomes the responsibility of all employees – from reception and specialist departments right up to senior management. Only when security awareness becomes part of the corporate culture can technical protective measures be fully effective.

Management’s responsibility

One of the most far-reaching changes brought about by NIS-2 concerns the role of senior management. The directive makes it clear that responsibility for cybersecurity cannot be delegated to specialist departments.

Board members, managing directors and other decision-makers must assess risks, prioritise security measures and monitor their effectiveness. This finally makes cybersecurity a management-level issue.

This development reflects the reality of modern businesses. Cyberattacks today threaten not only IT systems, but entire business models. Accordingly, strategic decisions regarding investments, resources and contingency plans must be made at the highest level.

Economic benefit rather than a mere cost factor

Critics frequently cite the costs of NIS-2 implementation. Indeed, risk assessments, technical measures and training programmes require additional investment. However, a purely cost-oriented view falls short.

The economic consequences of a successful cyberattack can be significant. Production downtime, delivery delays, contractual penalties or reputational damage often result in costs running into six or even seven figures. Added to this are regulatory consequences and potential liability issues.

Against this backdrop, investment in cyber resilience is increasingly seen as a business necessity. Companies are not only enhancing security but also improving their stability, availability and resilience to crises.

From regulatory pressure to competitive advantage

The implementation of NIS-2 will keep many companies busy in the coming years. Organisations that view the directive solely as a compulsory exercise run the risk of overlooking valuable potential.

Those who, on the other hand, use the requirements as an opportunity to analyse existing processes, make risks transparent and expand security structures in a sustainable manner can develop a genuine competitive advantage from this. Customers, partners and investors are paying increasing attention to how professionally companies handle cyber risks.

NIS-2 thus marks a paradigm shift. The directive stands not only for more regulation, but for a new approach to digital security. At its heart is the realisation that cyber resilience is no longer merely an IT project, but a central prerequisite for economic success, security of supply and business sustainability.

For operators of critical infrastructure and security-relevant companies in particular, the ability to remain operational even under difficult conditions is increasingly becoming a decisive factor. NIS-2 provides the regulatory framework for this – the real challenge now lies in using it to foster a living security culture and sustainable resilience.
