NIS2 Redefines Corporate Responsibility. Cybersecurity Becomes a Boardroom Obligation
Europe has stopped treating cybersecurity as a topic reserved for system administrators. Today, it is an area of hard law, real sanctions, and personal liability for management boards. The NIS2 Directive and the amendment to the National Cybersecurity System Act are not just another regulation from the EU shelf. They are a clear signal that a company’s digital resilience is becoming a condition for its continued operation.
The question is no longer whether a company has a firewall. The question is whether it can prove that it consciously manages cyber risk.
New Risk Landscape
NIS2 expands the range of entities covered by regulation. In addition to energy, finance, and healthcare, the rules also apply to food producers, logistics companies, the chemical sector, digital service providers, water and wastewater utilities, and ICT supply chain entities. In practice, this means that medium-sized and large companies operating in strategic sectors can no longer ignore the issue.
If an organization meets specific employment or revenue thresholds and operates in a sector classified as essential or important, the obligations are clear. An information security management system. Risk assessment. Incident response procedures. Rapid reporting of significant incidents. Supplier oversight.
These are not recommendations. They are statutory requirements.
The Board at the Center of Responsibility
The most groundbreaking change does not concern technology, but accountability. NIS2 explicitly states that management bodies are required to approve and oversee cybersecurity risk management measures. In practice, this means that board members can no longer hide behind the argument that “this is an IT issue.”
In the event of a serious incident, the supervisory authority may examine not only the scale of the damage, but also whether the board genuinely monitored the level of security, received reports, allocated an adequate budget, and responded to warning signals.
Cybersecurity is becoming an element of corporate governance, just like financial reporting or compliance with environmental regulations.
Sanctions That Change the Equation
The new regulations introduce severe administrative penalties. For essential entities, fines may reach up to €10 million or 2 percent of annual global turnover. For important entities, up to €7 million or 1.4 percent of turnover. In addition, there are penalties for failing to comply with supervisory decisions, as well as potential reputational and contractual consequences.
It is worth noting that the legislator has provided a transitional period regarding the application of certain administrative penalties. However, this is not a time for delay. It is a time for preparation. Organizations that begin acting only at the moment of their first inspection will already be too late.
The Supply Chain Under Scrutiny
One of the most demanding elements of NIS2 is the obligation to control the supply chain. Companies must assess not only their own systems, but also the security of suppliers of hardware, software, and services.
The amendment to the National Cybersecurity System Act introduces an additional mechanism allowing certain entities to be designated as high-risk suppliers. In such cases, companies may be required to limit or eliminate the use of their products within a defined timeframe. This may pose significant organizational and financial challenges, particularly in infrastructure sectors.
As a result, purchasing decisions in IT and OT are no longer solely about price and functionality. They become strategic decisions burdened with regulatory risk.
Incident Reporting. The End of Sweeping Things Under the Rug
NIS2 introduces clear reporting obligations. Significant incidents must be reported within specified timeframes and then thoroughly analyzed. The purpose is not to punish the mere fact of being attacked, but the lack of preparation and response.
Companies that previously concealed incidents out of fear of reputational damage will need to change their approach. Transparency becomes part of the security system.
Cyber Resilience as a Competitive Advantage
Paradoxically, NIS2 may be an opportunity for many companies. Organizations that streamline their processes, inventory their assets, implement security management standards, and train their management teams gain more than regulatory compliance.
They gain predictability. Greater control over risk. Credibility with business partners and financial institutions. In a world where a cyberattack can halt production, disrupt logistics, or expose customer data, digital resilience becomes a tangible component of enterprise value.
The Question Every Board Should Ask Today
It is not “Are we covered by NIS2?”
It is “In the event of an attack, can we demonstrate that we did everything required and reasonable?”
Because in the new legal reality, the incident itself will not be the biggest problem. The biggest problem will be the lack of proof that the organization was prepared for it.