
NIS2 Directive: 48% of Companies Underestimate Their Regulatory Obligations

Bottom Line: A large proportion of companies underestimate their obligations under NIS2 and thereby risk inadequate security measures and compliance penalties.

Nearly half of all firms incorrectly assess their regulatory obligations under the NIS2 Directive. This points to significant implementation gaps in preparation for the EU-wide cybersecurity regulation.

According to current surveys, 48 percent of companies underestimate their obligations under the European Union’s NIS2 Directive. In other words, nearly half of the affected organizations rate the regulatory framework that actually applies to them, and the requirements that come with it, as smaller than it is.

The NIS2 Directive (Network and Information Security Directive 2) governs cybersecurity requirements for critical infrastructure and important services across the entire EU area. Companies must correctly classify themselves as “essential” or “important” entities in order to implement appropriate security measures. An underestimation of regulatory scope leads to insufficient investments in security architecture, processes, and compliance management.

For CISOs, this creates a twofold risk: on one hand, penalties loom for failure to meet regulatory requirements; on the other hand, operational security gaps emerge. A realistic self-assessment of the company’s position within the NIS2 context is therefore necessary to avoid subsequent implementation crises and fines.

Source: news.google.com · Published June 23, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
