The OT Security Academy

NIS2 in 3-minutes: Omny’s take on what you need to know

Written by Omny | November 5, 2025

For many of us, the word “directive” is enough to send us running. But for organizations operating in the European Union (EU), NIS2 is an important game-changer that none of us can afford to ignore. There’s nothing mystical about it, despite all the buzz around its complexity. At Omny, we believe it to be actionable and reasonable – a natural evolution given the cybersecurity threat landscape we face.

To get you going, we’ve put together a quick NIS2 compliancy guide, as a way to help you move from understanding to action.

Getting to know NIS2: What's the buzz about?

The Network and Information Security Directive, a.k.a. NIS2, is the EU’s way of upping the ante on cybersecurity. It’s not just about protecting data anymore. It’s about ensuring the availability and integrity of essential services across industries. Think of it as cybersecurity meets mission assurance. For industries such as healthcare, energy, transport, or digital infrastructure, this directive will impact you.

 

The 3-box test to determine if NIS2 applies to you

If you can tick off all three of these items, then chances are you fall under the NIS2 scope:

  1. Location: Do you operate in (or do business in) the EU?
  2. Sector: Are you part of a sector deemed essential or important, like energy, water supply, healthcare, digital infrastructure, etc.? 
  3. Size: Are you a medium- to large-sized organization? 

“Yes” to all three? Maybe it's time to take this NIS2 readiness quiz

 

What's new with NIS2 versus NIS1?

NIS2 refreshes the original NIS directive but takes cybersecurity preparedness to a whole new level. Here are some key highlights:

  • Expanded scope: More industries are in scope and the requirements are more stringent.
  • Supply chain security: More focus on managing and securing supply chains.
  • Incident reporting: New requirements that incidents need to be reported within 24 hours. 
  • Higher fines: Non-compliance can lead to hefty fines, similar to GDPR non-compliance penalties.

 

Changing the conversation from compliance to risk management

NIS2 is not just about checking off boxes to ensure compliance. It elevates the conversation to risk management. Here’s how:

  • Governance: Under NIS2, management must be involved in approving and implementing cybersecurity measures. Training for leadership and staff is crucial. 
  • Technical implementation: This includes identity and access management, encryption, and understanding the risks in your supply chain.
  • Incident response and reporting: NIS2 requires clear processes for handling cyber incidents and ensuring business continuity.

 

Start with a solid baseline

To build a strong security posture for your organization, you need to invest time in planning. We would suggest using an existing framework to help guide your investments.  

  • Assess current processes: What cybersecurity measures do you currently have in place? Use a framework like IEC 62443 for determining your current maturity level and setting future maturity goals. 
  • Identify short-term wins: What are some of the low hanging fruits you can take advantage of right now to build momentum and show progress?
  • Develop a long-term plan: Use your early successes to pave the way for long-term improvements, and take a proactive approach to adapt to new and evolving threats. Remember, cyber security is not a one-time task.

Leverage technology and training

Manual processes and spreadsheets stored on your hard drive can only get you so far. The right technology can help you streamline and enhance your cybersecurity efforts.

  • Tools and solutions: Invest in cybersecurity tools that help with risk management, incident reporting, and supply chain security. 
  • Training and awareness: Regular training ensures that your team is up-to-date with the latest cybersecurity practices, and there are tools and vendors who can support you in this. 

 

NIS2 is not the end of the road

NIS2 is a significant step in the evolution of cybersecurity regulations. It’s about much more than just compliance; it’s about creating a resilient and secure digital landscape. The goal is to build a more cyber-prepared Europe, so that our defenses are strong when cyber-attacks strike. 

We hope this overview helps you get going in your NIS2 journey and puts you in an even stronger position when the next cyber resilience directive rolls around.

 

 
View full post