NIS2 is not a certification you pursue when a customer asks for it. It is an EU regulation that came into force in October 2024 - and if your company operates in the EU or EEA, supplies European companies, or sits in a regulated sector, it very likely applies to you.
Here's what finance and compliance leaders at growing companies need to understand.
Essential vs Important - Which Category Are You In?
This is the question most companies get wrong, and it determines both your obligations and your penalty exposure.
Essential entities - energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, and space. Stricter supervision, higher penalties.
Important entities - postal and courier services, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, search engines), and research. Lighter-touch supervision but still significant obligations.
The size threshold is lower than most companies expect. Essential entities: 250+ employees or €50M+ turnover. Important entities: 50+ employees or €10M+ turnover.
Supply chain pull-in is the hidden exposure. Even if your company falls below these thresholds, if you supply an essential or important entity, their NIS2 obligations are already flowing into your vendor contracts.
Procurement teams at large European companies are adding NIS2 requirements to supplier agreements now.
If you are unsure which category applies - or whether NIS2 applies at all - the answer is almost certainly yes, and a scope determination costs far less than a regulatory investigation.
What NIS2 Actually Requires From Leadership
NIS2 is built around four pillars. All four touch governance workflows that sit with finance and compliance leadership, not IT.
1. Risk management. Documented cybersecurity risk assessments with board-level approval. NIS2 explicitly holds senior management accountable. Article 20 states that management bodies must approve risk measures and oversee their implementation.
2. Incident reporting. A 24-hour initial notification to your national competent authority for significant incidents, followed by a detailed report within 72 hours. Finance leaders own the materiality assessment - whether an incident is significant enough to trigger reporting. This decision must be documented and defensible before an incident occurs, not during one.
3. Supply chain security. Documented assessment of your suppliers' security posture with contractual requirements for key vendors. Finance owns vendor contracts - which means supply chain security sits directly in your procurement process.
4. Board accountability. NIS2 can result in personal liability for directors and executives. This is not an IT obligation delegated upward - it starts at board level and regulators can enforce it there.
How Long NIS2 Compliance Takes
The regulation is already in force. The question is not whether to comply but how quickly you can close the gap.
Unlike ISO 27001 or SOC 2, there is no certification audit at the end. What you need is a defensible, documented compliance position - evidence that your controls are in place and operating if a regulator asks.
What the Penalties Look Like
Essential entities: up to €10 million or 2% of global annual turnover, whichever is higher.
Important entities: up to €7 million or 1.4% of global annual turnover, whichever is higher.
Personal liability for senior management is explicitly included - up to and including temporary bans from management roles for serious violations. This is the provision that moves NIS2 from an IT task to a board governance matter.
What It Costs to Comply
With governance automation tooling: €5,000-12,000 first year.
Traditional consultant route: €15,000-40,000 depending on scope and sector.
Annual ongoing with tooling: €5,000-10,000. NIS2 is a continuous obligation - incident reporting requirements don't have an annual review cycle, and regulators can request evidence at any time.
Want the NIS2 sign-off checklist, the incident reporting framework, and the full compliance roadmap for finance leaders?