NIS2 enforcement is here in 2026: learn what regulators are auditing, where ENISA data shows the biggest gaps, and how to turn compliance into provable resilience, stronger governance, and a competitive advantage.
The NIS2 Directive (EU) 2022/2555 officially entered into force in January 2023, but 2026 marks the pivotal year in which a critical mass of EU Member States moves from legal transposition to active supervision, audits, and sanctions. While the deadline for transposition was October 2024, the process has been uneven. As of February 2026, 19 of the 27 Member States have fully transposed the directive into national law. Countries such as Germany and Bulgaria completed their legislation in late 2025 and early 2026, respectively, highlighting how each Member State operationalizes EU cybersecurity rules differently. These differences, combined with lagging transposition, can increase the risk of infringement.
This shift means that national competent authorities are now actively examining organizations' operational capabilities. The focus is no longer on intent, but on evidence. Regulators are scrutinizing whether organizations can demonstrate consistent control, reliable incident response, and robust governance in practice, especially whether their incident reporting processes can reliably report incidents within the required timelines. It also signals a broader shift in information policy leadership across EU Member States, as national competent authorities align enforcement with national cybersecurity strategies and the EU's goal of a high common level of cybersecurity.
Understanding the Scope: A Radically Expanded Net
NIS2 dramatically expands the EU’s regulatory net (beyond the original NIS directive, i.e., Directive 2016/1148), classifying in-scope entities into two tiers based on their criticality. It generally applies to medium and large organizations (50+ employees or €10M+ turnover) across 18 sectors and many types of digital infrastructure and digital providers.
| Category | Description & Key Sectors | Supervision Model |
|---|---|---|
| Essential Entities (Annex I) | Sectors of high criticality, including energy, transport, health, banking, digital infrastructure, and public administration, often including financial institutions, trust service providers, and key technical backbones such as DNS service providers and TLD name registries. | Proactive, ex-ante supervision with stricter enforcement. |
| Important Entities (Annex II) | Other critical sectors such as postal services, waste management, food production, manufacturing, and digital providers (e.g., social networking platforms, online marketplaces, online search engines, and parts of the ecosystem supporting cloud computing service providers, data centre service providers, and content delivery network providers). | Reactive, ex-post supervision with investigations triggered by incidents. |
This expansion brings an estimated 160,000 entities under direct cybersecurity regulation for the first time, with countless others affected through supply chain obligations, including third parties such as managed security service providers that support regulated entities' operational cybersecurity capabilities.
Core Obligations & Common Challenges
Article 21 of the directive mandates a baseline of ten risk management measures, including incident handling, supply chain security, and business continuity. In practice, these requirements push organizations toward an all-hazards approach to resilience and more explicit cybersecurity obligations tied to governance and measurable controls. However, the latest industry data from the European Union Agency for Cybersecurity (ENISA), the EU's specialist agency in this space, reveals where organizations are struggling to meet these requirements in practice.
The ENISA Data: Where Reality Bites
ENISA's 2025 NIS Investments Report, surveying over 1,000 EU organizations, paints a clear picture of the current challenges:
- Talent Scarcity: The cyber talent crunch is severe, with 76% of organizations reporting difficulty attracting skilled professionals and 71% struggling to retain them, fueling renewed interest in cybersecurity education and structured skills development.
- Implementation Hurdles: While compliance is the top investment driver (70%), organizations find implementing NIS2's requirements challenging, particularly in patching (50%), business continuity (49%), and supply chain risk management (37%). These are areas that directly affect readiness for fast-moving cyber threats.
- Persistent Vulnerabilities: The operational reality is stark. Nearly one in three organizations has not conducted a cybersecurity assessment in the past year, and 28% take over three months to patch critical vulnerabilities.

Figure 1: Key findings from ENISA's 2025 NIS Investments Report, based on a survey of over 1,000 EU organizations. The data reveals persistent gaps in talent acquisition, vulnerability patching, and security assessments — underscoring the operational challenges of NIS2 compliance. Source: ENISA, December 2025.
These statistics highlight that having policies on paper is insufficient. The core challenge of 2026 is demonstrating operational effectiveness, especially the ability to detect, contain, and report incidents with consistent, auditable evidence.

Management Accountability: The Stakes Are Personal
NIS2 places direct, personal responsibility on senior leadership. Management bodies must approve and oversee cybersecurity measures and can be held liable for non-compliance. For essential entities, this can even include temporary bans from managerial roles. This provision has successfully elevated cybersecurity from an IT issue to a permanent boardroom agenda item, reinforcing that cybersecurity is a governance discipline for protecting information systems.
Enforcement and the Evolving Landscape
Non-compliance carries significant financial penalties: up to €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important entities.
The regulatory landscape also continues to evolve. In 2026, organizations increasingly view NIS2 alongside other new EU cybersecurity standards and complementary EU instruments, including the Cyber Resilience Act and the Cyber Solidarity Act, all as part of a more integrated set of enhanced cybersecurity requirements. The Cyber Solidarity Act, in particular, is associated with EU-level coordination measures such as an EU cybersecurity reserve and a cybersecurity emergency mechanism, reinforcing cross-border preparedness and operational support models.
Meanwhile, coordination forums like the NIS Cooperation Group continue to shape shared expectations, even as enforcement remains at the national level, carried out by the competent authority in each Member State. The European Parliament and the European Commission influence the overall direction through ongoing legislation and policy work.
The New Information Security Directive as a Strategic Advantage
While the challenges are real, the New Information Security Directive offers a clear strategic opportunity. The ENISA report confirms that compliance-driven investments yield tangible security benefits, strengthening risk management (41%), threat detection (35%), and incident response (26%) capabilities.
Organizations that leverage established best-practice frameworks are best positioned to succeed. Aligning with ISO/IEC 27001, for example, provides a powerful accelerator for NIS2 readiness, sharing a common foundation of risk management and structured controls. Similarly, understanding the broader cybersecurity landscape and aligning with frameworks like ISO 22301 for business continuity directly addresses the top challenges identified by ENISA.
By treating the directive as a blueprint for resilience, organizations can transform this regulatory requirement into a competitive advantage, building on digital trust and operational robustness without losing sight of the practical demands of supervision, audits, and evidence.
Navigate 2026 with Confidence
The era of NIS2 enforcement is here. Demonstrating compliance requires more than policies; it demands a provably effective, evidence-based cybersecurity posture. The organizations that thrive will be those that move beyond a check-the-box mentality and embrace the directive as a catalyst for building genuine, sustainable resilience under evolving EU cybersecurity rules.
Nemko Digital provides the expertise and assurance to navigate this complex landscape. From gap assessments and risk management to alignment with global standards, we help you transform compliance obligations into a foundation for sustainable digital trust. Take the next step. Contact Nemko Digital to assess your NIS2 readiness and build a cybersecurity posture that is resilient, compliant, and strategically sound.