Compliance engineering
The NIS2 directive dramatically widened the circle of EU companies with binding cybersecurity obligations. Where the original NIS directive touched a narrow set of operators, NIS2 pulls in essential and important entities across sectors from energy, transport, banking and health to digital infrastructure, manufacturing of critical products, food, waste management and digital providers — generally starting at mid-sized companies (around 50 employees or €10M turnover, with carve-outs that capture some smaller entities regardless of size).
This is a practitioner's orientation, not legal advice — scoping decisions and national specifics belong with counsel and the official texts. Start with ENISA's NIS2 resources and your national transposition; in Romania the competent authority is DNSC.
NIS2's incident reporting is a cascade with real clocks:
Meeting a 24-hour clock is not a paperwork problem; it is a detection problem. You cannot report what you haven't noticed. Every NIS2 readiness effort that starts with policy templates and ends without monitoring has solved the easy half.
Article 21 obliges in-scope entities to take proportionate technical and organisational measures covering, at a minimum: risk analysis and security policies; incident handling; business continuity and crisis management (backups, disaster recovery); supply-chain security; security in acquisition and development, including vulnerability handling; assessment of how effective the measures are; cyber hygiene and training; cryptography policies; HR security, access control and asset management; and multi-factor authentication and secured communications where appropriate.
Read as an engineering list, it exposes a familiar pattern: most mid-sized companies already have fragments of everything and the whole of nothing. The work is consolidation: an asset inventory that is real, logging that is central, an incident process someone has rehearsed, MFA with no exceptions, and a supplier list with security expectations attached.
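The detection point above and the "real inventory, central logging" item are the same check seen from two sides: an asset that sends no logs cannot start the 24-hour clock. As an added example (not from the page or its authors), this script cross-references a constructed asset inventory against constructed central-log lines in an assumed `timestamp host=name message` format and reports assets that have gone silent and hosts that log but are missing from the inventory.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from any real environment.
INVENTORY = {"web-01", "db-01", "hr-laptop-07", "fw-edge"}
LOG_LINES = [
    "2024-05-02T08:00:00Z host=web-01 sshd session opened",
    "2024-05-02T07:45:00Z host=db-01 postgres checkpoint complete",
    "2024-05-01T02:10:00Z host=fw-edge policy reload",
    "2024-05-02T08:05:00Z host=dev-box-99 docker image pulled",
]
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)  # assumed "current" time

# Assumed line layout: ISO-8601 UTC timestamp, then host=<name>, then free text.
LINE_RE = re.compile(r"^(\S+) host=(\S+) (.*)$")

def last_seen(log_lines):
    """Return {host: most recent timestamp} for every host that logged."""
    seen = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the check
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def coverage_gaps(inventory, log_lines, now, max_silence=timedelta(hours=24)):
    """Split the estate into two blind spots.

    silent: inventoried assets with no log event within max_silence
            (an incident there would never be noticed, let alone reported).
    shadow: hosts that emit logs but are absent from the inventory
            (nobody owns them, so nobody reports for them).
    """
    seen = last_seen(log_lines)
    silent = sorted(h for h in inventory
                    if h not in seen or now - seen[h] > max_silence)
    shadow = sorted(h for h in seen if h not in inventory)
    return silent, shadow

def demo():
    """Run the check on the constructed sample; returns (silent, shadow)."""
    return coverage_gaps(INVENTORY, LOG_LINES, NOW)

if __name__ == "__main__":
    silent, shadow = demo()
    print("silent assets (no logs in 24h):", silent)
    print("shadow hosts (logging, not inventoried):", shadow)
```

Run it on a nightly schedule against the real inventory export and a last-24-hours log query; a non-empty `silent` list is the measurable version of "you cannot report what you haven't noticed".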
Two enforcement features get board attention. Fines scale to at least €10M or 2% of global turnover for essential entities (€7M / 1.4% for important entities). And management bodies must approve the security measures, oversee their implementation, and undergo training — with the directive providing for personal accountability of leadership for non-compliance. "IT handles that" stopped being an acceptable governance answer.
Companies that treat NIS2 as a fine-avoidance exercise will buy documents. Companies that treat it as the regulator finally requiring what good operations look like anyway — detection, response, recovery, and accountable leadership — end up more resilient and audit-ready as a side effect. The directive is a floor, and the floor is reasonable.
We translate the directive into an engineering roadmap — measures, monitoring, and the incident-reporting machinery — sized for companies without a security department.
Book a free assessment call