NIS2: A Practical Compliance Guide for Mid-Market Companies
The NIS2 directive dramatically expands the scope of companies subject to cybersecurity obligations, with personal accountability for management. A pragmatic, step-by-step approach for mid-market companies.
José DA COSTA January 20, 2026 3 min read
The NIS2 directive marks a change of scale in European cybersecurity regulation. Where its predecessor covered a narrow set of operators, NIS2 extends obligations to thousands of mid-market companies across sectors such as manufacturing, transport, energy, health, digital services, and food — including many that have never dealt with cybersecurity regulation before. Sanctions are substantial, and management bodies can be held personally accountable.
First, determine whether and how you are covered
Coverage depends on sector and size, with entities classified as 'essential' or 'important' — the obligations are similar, the supervision and sanction regimes differ. Many companies discover they are in scope indirectly, as suppliers to covered entities that push requirements down their supply chain. The analysis is worth doing carefully and early, with the national transposition texts in hand, because everything else — timeline, budget, governance — follows from it.
What NIS2 actually requires
The core obligations are risk-management measures that competent security teams would recognize as fundamentals: risk analysis and security policies, incident handling, business continuity and backup management, supply chain security, secure development and procurement practices, vulnerability handling, cyber hygiene and training, encryption where appropriate, access control, and multi-factor authentication. NIS2 does not demand exotic technology; it demands that the basics be implemented, documented, and maintained.
Two points deserve particular attention. Incident reporting is time-bound: significant incidents must be notified to the authority quickly — an early warning within 24 hours, a fuller notification within 72 hours, and a final report afterward. That is achievable only if detection, qualification, and escalation procedures exist and have been rehearsed. And management is accountable by design: leadership must approve risk measures, oversee their implementation, and be trained — cybersecurity can no longer be delegated entirely to the IT department.
A realistic compliance sequence
Start with a gap analysis: map critical assets and processes, assess current measures against NIS2 requirements, and produce a prioritized remediation plan — structured risk analysis methods such as EBIOS RM work well here. Then remediate by risk, not by checklist order: multi-factor authentication, tested and isolated backups, patch and vulnerability management, logging and detection, and a written, rehearsed incident response procedure typically come first because they reduce the most real-world risk per euro.
In parallel, build the governance layer: policies that describe what you actually do, a risk register that leadership reviews, supplier security requirements in contracts, and training for both employees and executives. Documentation produced for its own sake convinces no auditor; documentation that reflects operating reality does.
Compliance as a floor, not a ceiling
The companies that handle NIS2 well treat it as a forcing function to build the security program they needed anyway, rather than a paperwork exercise. Sustained compliance requires rhythm: periodic risk reviews, incident exercises, supplier reassessments, and indicator reporting to management. Done this way, the directive's real cost is front-loaded and its benefit — materially lower operational risk — compounds over time.
Founder and president of ACCENSEO, software engineer. He works directly with clients on software architecture, cloud infrastructure, and custom development.