NIS2 in practice: AirITSystems warns against misjudging one’s own security status

June 1, 2026

Since the European NIS2 Directive came into force on 6 December 2025, numerous companies have been under increasing regulatory pressure to implement their information security measures in a transparent, documented and verifiable manner. Nevertheless, according to AirITSystems GmbH, many organisations continue to underestimate the actual action required of them.

Particularly critical: the statutory registration deadline with the relevant authorities expired on 6 March 2026. Many companies therefore find themselves in a situation where regulatory requirements are already formally in force, yet practical implementation still has significant gaps.

Between individual measures and a lack of an overall strategy

According to AirITSystems, numerous companies already have individual technical or organisational security measures in place. What is often missing, however, is a robust overview of how well processes, responsibilities and security structures are actually prepared for the requirements of the NIS2 Directive.

It is precisely this lack of transparency that is increasingly becoming a problem. This is because NIS2 no longer requires only isolated IT security measures, but a systematic governance approach with clearly documented processes, risk assessments and traceable security structures.

Cybersecurity is thus increasingly becoming a management and compliance task at corporate level. Companies must not only implement security measures, but also be able to demonstrate how risks are assessed, systems operated and security processes documented.

GAP analyses are gaining in importance

To highlight existing shortcomings, structured GAP analyses are increasingly coming into focus. They are designed to help companies systematically identify the gap between their current security level and the regulatory requirements of the NIS2 Directive.

AirITSystems provides a free “NIS2 GAP Analysis Self-Assessment” for this purpose, which is based on the requirements of ISO 27001. This provides companies with a structured initial assessment of their current maturity level in various areas of information security.

The self-assessment is designed to help evaluate existing security measures more realistically and prioritise necessary actions. According to AirITSystems, many organisations continue to underestimate both the complexity of the regulatory requirements and the extent to which they are affected.

NIS2 is changing the understanding of security within companies

The discussion surrounding NIS2 also highlights a fundamental shift within the security and IT sectors. Information security is increasingly viewed not solely as a technical discipline, but as a strategic component of corporate governance, operational stability and resilience.

Operators of critical infrastructure, industrial companies and larger medium-sized organisations in particular face the challenge of establishing security processes that are permanently auditable and compliant with regulatory requirements. In this context, structured risk analyses, governance models and documented security processes are becoming increasingly important.

The experience of many companies also shows that regulatory requirements are often only seriously addressed once specific deadlines or audit obligations come into effect. NIS2 is likely to significantly increase this pressure on European companies in the coming years.
