EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
It is our great pleasure to present the EY Report: NIS2 Compliance. Practical aspects and challenges of driving NIS2 compliance.
The NIS2 Directive represents a significant advancement in EU cybersecurity legislation, introducing new obligations for entities in critical sectors and, through its management-body provisions, for the individuals who lead them. The Directive broadens the EU's cybersecurity requirements to a wider range of sectors and entities than the original NIS Directive. Article 2 defines its scope by sector and by size: entities of a type listed in Annex I or Annex II that qualify as medium-sized or large enterprises and that operate within the EU fall under NIS2, and certain categories of entity are covered regardless of their size.
What are the challenges related to NIS2 Directive?
NIS2 does not exist in isolation: organizations will often need to align it with other widely adopted cybersecurity frameworks (such as ISO 27001 and the NIST Cybersecurity Framework) and transition smoothly from the original NIS Directive.
This report provides executive leadership, CISOs, and compliance officers with a clear, actionable view of the EU NIS2 Directive and, crucially, what it means in their day-to-day operations. It traces the Directive's origins in Europe's escalating threat landscape, explains who now falls within scope under the new "essential" and "important" entity tiers, and spells out exactly what NIS2 requires across governance, risk management, incident reporting, and supply-chain security.
By walking through a roadmap of "establish, implement, embed", the report shows not only how to achieve first-day compliance but also how to maintain it through continuous metrics, board engagement, and annual risk cycles.
It also highlights where NIS2 aligns with frameworks and regulations you may already use (ISO 27001, NIST CSF, DORA (the Digital Operational Resilience Act), and CER (the Critical Entities Resilience Directive)) so that existing investments are leveraged rather than duplicated. In short, beyond ticking legal boxes, the report positions NIS2 as a catalyst for building a security culture and long-term operational resilience, turning a regulatory obligation into a strategic advantage.
Are you ready for the new requirements of the NIS2 Directive?
EY's report will help entities covered by the NIS2 Directive to better understand their upcoming obligations. The report presents a maturity roadmap, which provides a structured pathway for organizations to progress from initial compliance efforts to a state of sustained cybersecurity resilience under NIS2. It emphasizes that compliance is not a one-time exercise but an ongoing journey, requiring clear milestones, executive accountability, and continuous improvement. By aligning governance, technical controls, and cultural change, the roadmap ensures that security becomes an embedded, measurable component of business operations.
Achieving NIS2 compliance is not a one-time project; it is a maturity journey. Organizations should treat the Directive as a catalyst to elevate their cybersecurity posture, embedding resilience into operations and governance. The roadmap must be tailored to each entity's risk profile, with clear milestones and executive accountability to ensure that progress is measurable and sustainable.