Who is Affected by NIS2?

Where responsibility breaks — and incidents begin

What makes NIS2 difficult is not missing technology, but missing clarity.

Who is responsible when something goes wrong?

Who decides what happens next?

Who talks to customers, partners, or regulators?

In many organisations, the answers only become clear when a real incident happens - which is exactly when it is too late.

Nobody Checks Whether Our Policies Actually Work

NIS2 does not ask whether policies exist. It asks whether your organisation can actually handle an incident when it happens. This is not about documents. It is about whether attacks are detected, contained and managed in real time — not after the damage is already done.

Our Clients Suffer Before We Realise Something Is Wrong

NIS2 also affects far more companies than many expect. This is not just about energy providers or transport systems. E-commerce businesses, SaaS companies, IT service providers and cloud platforms are already part of the digital backbone of the economy. If your outage impacts your customers’ ability to operate, then NIS2 is already relevant to you. Most companies don’t realise this when authorities call — they realise it when enterprise clients start asking serious questions during onboarding, audits and contract negotiations.

Too Many Systems, Too Many Accounts, Zero Control

At the same time, most companies believe they are safer than they really are. Unmanaged systems, excessive access rights, forgotten accounts, untested backups and fast-growing cloud environments quietly increase exposure. Nothing feels urgent until something breaks. And when something finally does, it usually breaks faster than expected.

Attackers Use the Same Logins Our Team Does

Today, attackers rarely force their way in. They log in. Stolen credentials, exposed access tokens and compromised identities allow breaches to happen quietly and without alarms. By the time a system looks “offline”, attackers have often been present for days or weeks.

“We’re Compliant” Has Become an Excuse, Not Protection

This is why compliance alone will not protect anyone. Policies don’t stop incidents. Checklists don’t restore operations. Certificates don’t contain breaches. Only operational readiness does.

Big Clients Lose Trust Faster Than We Can Respond

NIS2 will change how companies choose partners. Security is becoming a requirement, not a bonus. Vendors who cannot demonstrate resilience will slowly disappear from supply chains. The market will divide between organisations that can prove security and those that can only talk about it.

Security Lands on the CEO’s Desk Whether We Like It or Not

NIS2 does not add paperwork. It adds accountability.

Cybersecurity is no longer just an IT issue. It is an executive responsibility. And the message is simple: It is no longer enough to say you are secure. You must be able to prove it - continuously.

Seeing the Full Picture Often Requires an Outside View

For many organisations, the hardest part of NIS2 is understanding their actual level of readiness. Policies and tools can give a sense of structure, but they rarely reveal how the organisation would function under real pressure. That clarity usually appears only when someone from the outside looks at the systems the way an attacker would - without assumptions and without internal bias.

Independent assessments are not about passing or failing. They help companies understand where their strengths truly are, where blind spots accumulate, and what can be improved before a real incident tests the organisation.

Leave us a short message with the code word “Sheriff”, and we will arrange a free online consultation together with our partners at Sheriff Security GmbH. It’s an easy first step toward understanding where your strengths are - and where attention may be needed.