
NIS 2: 5 key lessons to help you prepare for compliance


Over the past several weeks, we have dedicated a 19-episode series to the NIS 2 Directive, addressing the most frequently asked questions from businesses, local authorities, and public sector organizations.

Through these discussions with Marc-Antoine Ledieu, a cybersecurity lawyer, and James Partick Ngoupayou, a NIS 2 expert, one conclusion became clear: NIS 2 compliance is first and foremost an exercise in understanding, anticipation, and governance.

Contrary to a common misconception, NIS 2 is not simply about implementing a few cybersecurity measures. The Directive introduces a comprehensive regulatory framework that affects organizational structures, processes, management responsibilities, and relationships with partners and suppliers.

19 episodes to decode the challenges of NIS 2

During our support engagements, we consistently encounter the same questions:

  • Am I affected by NIS 2?
  • Will I be audited?
  • What are the risks for executives and directors?
  • How does NIS 2 align with ISO 27001 or DORA?
  • What should be done in the event of a cybersecurity incident?

To answer these questions, we produced a 19-episode series combining legal and cybersecurity expertise.

Discover all episodes below before exploring the key lessons we have drawn from them.

The 5 key takeaways from this series

Lesson 1: determining whether you are in scope is not always straightforward

One of the most common questions concerns the scope of application.

Beyond the sectors explicitly listed in the Directive's annexes, several factors must be considered:

  • Organization size (the Directive generally applies to medium-sized and large entities, assessed on headcount and turnover)
  • Group membership (the headcount and turnover of partner and linked enterprises can count towards the size threshold)
  • Legal status
  • Actual activities performed
  • Criticality of certain services (some entities are in scope regardless of their size)

Some situations even require an in-depth legal analysis, particularly for atypical organizations, international groups, or entities operating across multiple sectors.

Lesson 2: NIS 2 is a governance issue before it is an IT issue

The Directive introduces increased accountability for management bodies. Under Article 20, the management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, and follow training; they can be held liable for infringements.

In practice, executives and directors must ensure that appropriate risk management measures are implemented and that the organization has the necessary capabilities to prevent, detect, and respond to cybersecurity incidents.

This marks a significant shift: cybersecurity becomes both a strategic and compliance-driven issue.

Lesson 3: partners and suppliers are also impacted

Even when an organization does not fall directly within the scope of NIS 2, it may still be affected indirectly.

Essential and important entities will be required to strengthen cybersecurity requirements throughout their supply chains and among their critical suppliers.

This supply chain dimension represents one of the most significant changes introduced by the Directive.

Lesson 4: Compliance goes beyond existing certifications

Many organizations already follow security frameworks such as ISO 27001 or are subject to sector-specific regulations such as DORA.

While these frameworks provide a solid foundation, they do not, by themselves, guarantee NIS 2 compliance.

A gap analysis remains essential to identify additional requirements that must be implemented.

Lesson 5: anticipating always costs less than reacting

The administrative fines provided for under the Directive can reach EUR 10 million or 2% of total worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever amount is higher.

However, beyond the financial aspect, the operational, reputational, and organizational consequences of a major incident are often far more significant.

Waiting until the last minute to begin a compliance program is now one of the greatest risk factors organizations face.

NIS 2: a holistic approach requiring complementary expertise

Throughout this series, we observed that NIS 2 projects simultaneously require expertise in:

  • Cybersecurity
  • Risk governance
  • Regulatory compliance
  • Auditing
  • Incident management
  • Executive advisory services
  • Legal expertise

It is precisely this multidisciplinary approach that enables organizations to transform a regulatory obligation into an effective and sustainable cybersecurity strategy.

How SERMA Safety and Security supports organizations

SERMA Safety & Security teams support organizations at every stage of their compliance journey:

✔ Applicability assessment and entity qualification
✔ NIS 2 requirements mapping
✔ Gap analysis
✔ Cybersecurity governance and organizational design
✔ Risk management
✔ Audit preparation
✔ Incident management and notification processes
✔ Executive management and CISO support
✔ Alignment with other standards and regulations (ISO 27001, DORA, etc.)

The NIS 2 Directive represents a major transformation for many organizations. Companies that take action today will gain a significant advantage when regulatory deadlines arrive and supervisory audits begin.

Would you like to assess your level of preparedness or structure your NIS 2 roadmap?

The SERMA Safety and Security experts are available to support you throughout your NIS 2 compliance journey.

