Supplement to EY Report “NIS2 Compliance: Practical Aspects and Challenges of Driving NIS2 Compliance.”


In September 2025, we presented the EY Report “NIS2 Compliance: Practical Aspects and Challenges of Driving NIS2 Compliance.” The report explored the real-world implications of the NIS2 Directive, highlighting key challenges, regulatory expectations, and practical approaches to implementation. Today, we are introducing a supplement to this report. 

This White Paper complements and expands on the earlier EY White Paper on NIS2 compliance ("NIS2 Compliance: Practical Aspects and Challenges of Driving NIS2 Compliance"). It builds upon the foundational principles and guidance outlined therein, offering a more detailed and structured roadmap tailored to the specific obligations introduced under the NIS2 Directive.

Building on the original analysis, this new publication takes a deeper dive into the NIS2 Directive, offering expanded insights, additional practical guidance, and a more detailed discussion of critical compliance areas. The supplement is designed to further support organizations on their NIS2 journey, helping them navigate complexity with greater clarity and confidence.

Scope and audience

This White Paper provides comprehensive guidance across all phases of NIS2 implementation, from the initial release of the Directive to full enforcement and continuous improvement. It is intended for professionals responsible for ensuring cybersecurity and regulatory compliance within their organizations, specifically cybersecurity teams, IT departments, legal and compliance officers, and executive management.

The scope of this document encompasses the entire lifecycle of compliance, structured around a three-phase, 12-step approach. By addressing both strategic and operational dimensions, this White Paper helps organizations build a resilient, scalable and auditable compliance framework that aligns with EU regulatory expectations.




This White Paper provides a comprehensive roadmap for organizations seeking to achieve and sustain compliance with the NIS2 Directive. It outlines the principal challenges and corresponding actions required across key operational domains, offering both tactical recommendations and strategic priorities for Executive Management. The guidance is structured around a three-phase compliance lifecycle: (1) post-law release, (2) pre-implementation of risk controls and (3) law enforcement. This structure helps organizations navigate the evolving regulatory landscape with clarity and confidence.



What is the structured, phased methodology our organization should adopt to manage the NIS2 compliance journey effectively?

To manage the complexity of NIS2 compliance, a structured, project-based methodology is essential. This White Paper proposes a three-phase approach that mirrors established governance models and divides the compliance journey into manageable stages: Phase 1 (post-law release), Phase 2 (pre-implementation of risk controls) and Phase 3 (law enforcement). Each phase consists of distinct objectives and key steps, providing a clear roadmap from initial awareness to sustained operational resilience.

This approach ensures that foundational elements are already in place before more complex technical controls are deployed, minimizing rework and maximizing efficiency.
