What is NIS2?

NIS2 is the European Directive on security of network and information systems, introduced in 2023 as the successor to the original NIS Directive from 2016. It requires organizations in essential sectors to improve their cyber resilience and to report major incidents in a timely manner. The aim of NIS2 is to harmonize and elevate cybersecurity standards across all EU member states. The directive applies to a broader range of organizations and imposes stricter requirements than its predecessor.

Stronger obligations and wider scope

NIS2 significantly expands the scope compared to NIS1. More sectors are now included, such as energy, transport, healthcare, digital infrastructure, waste management, food production, and public administration. Not only large companies but also medium-sized organizations playing a crucial role in society must implement appropriate security measures and report serious incidents within 24 hours to the competent authority.

Compliance is mandatory. Executive management can be held personally accountable for failures. The directive requires organizations to conduct risk assessments, secure their supply chains, and establish incident response procedures.

Implications for the supply chain

One of the key differences from NIS1 is the strong emphasis on supply chain security. Organizations are now responsible for the digital resilience not only of their own infrastructure, but also of their suppliers and subcontractors. This makes visibility into supplier cyber health a critical part of compliance. Without this insight, organizations may fail to meet the duty of care required under NIS2.

The directive also promotes sector-wide cooperation. Sector-specific CSIRTs (Computer Security Incident Response Teams) and effective information sharing are vital to enable faster and more coordinated responses to emerging threats.

How RiskStudio supports NIS2 compliance

RiskStudio enables organizations to take control of NIS2 requirements, especially when it comes to supply chain cybersecurity. Our platform offers automated insights into the digital resilience of suppliers and subcontractors — without lengthy questionnaires or audits. With real-time alerts on vulnerabilities, data breaches, and ransomware incidents, you immediately know where the risks lie.

You can group suppliers around critical assets or departments, assign internal owners, and structure your follow-up actions. This helps you build a provable governance framework aligned with NIS2 standards. Whether you’re conducting a risk assessment, preparing for an audit, or responding to an incident — RiskStudio gives you clarity, speed, and actionable results.
