“As the world becomes more connected, organizations see that their IT and OT infrastructures become increasingly integrated, whereby the potential of physical cybersecurity incidents is growing. As a result, the NIS2 Directive underlines the EU’s motivation to put cybersecurity at the forefront of the agenda.” (KPMG)
In January 2025, The Network & Information Security Directive (NIS2) goes into effect. This Directive requires organizations across the EU and those that serve EU customers to strengthen their cybersecurity posture, mandating:
Under NIS2 companies in “essential” and “important” sectors must comply:
Essential entities | Important entities |
Energy Transport Banking Financial market infrastructure Health Drinking water Wastewater Digital infrastructure ICT-service management Public administration Space |
Postal and courier services Waste management Chemical production and processing Food Manufacturing Digital providers Domain name providers |
It’s important to note that even if a company is based outside of the EU, this Directive still applies if it offers critical services within the EU.
Both essential and important entities are subject to the ten minimum requirements of NIS.
The difference lies in that essential entities will be subject to direct supervision under NIS2, while important entities will face post-event oversight, with authorities taking action if evidence of non-compliance arises.
Risk assessments |
Evaluating the effectiveness of security measures | Incident response planning | Business continuity planning | Multi-factor authentication |
Procedures for cryptography |
Procurement security | Procedures for access to sensitive or important data | Cybersecurity training | Security around supply chains |
Incident readiness has always been a strategic priority for organizations. However, with the introduction of NIS2, the repercussions of being unprepared for an incident will be considerably more severe.
Non-compliance could lead to substantial fines and even the dismissal of executives, where NIS2 may hold leadership personally liable if gross negligence is proven after a cyber incident.
Steep fines for non-compliance
Essential entities | Important entities |
€10M or 2% of the global annual revenue, whichever is higher | €7M or 1.4% of the global annual revenue, whichever is higher |
Under NIS2, organizations that fail to adequately prepare for security and operational incidents face not only extended downtime, damaged reputations, and costly recovery efforts, but also increased fines and the potential for significant repercussions on individual careers.
The importance of readiness through robust planning cannot be overstated. This is why it is critical to comply with the NIS2 mandate for formal incident response (IR) with the creation of a comprehensive IR plan that also incorporates business continuity measures.
Implementing a well-structured IR plan is a fundamental pillar for NIS2 compliance.
“Exigence streamlines NIS2 compliance by enabling structured incident planning and simplifying the generation of reports required to meet legal obligations,” Nicola Fusco, Security Operations Auditor, Arcasafe.
Exigence helps organizations ensure NIS2 and incident readiness with a platform that brings template-based incident response planning.
This structured and guided approach makes incident plan creation and testing fast, easy, reliable, and documentable.
The platform’s intuitive interface with pre-defined forms, checklists, and timers, walks users through the different sections of the IR plan, helping them to fill them in quickly and accurately.
This way, when an incident hits, every responder can determine immediately who to reach, how to reach them, and what everyone’s roles and responsibilities are, without having to sift through pages and pages of static documents.
The platform also provides guided tabletop testing that engages all relevant incident response stakeholders in testing the IR plan, processes, and procedures, to make sure that the plan works and that everyone knows what to do during the moment of truth.
And, when an incident hits, the Exigence platform remains fully accessible and operational, as it functions out-of-band, unaffected by disruptions to the organization's network infrastructure.
Furthermore, in being multi-tenant, service providers, such as MSPs and MSSPs, can seamlessly create and provide incident response plans and tabletops to a great number of different customers.
Compliance with NIS2 is not just a legal requirement—it’s a strategic imperative for risk mitigation and resilience.
With template-based IR planning from Exigence, organizations can avoid the risk and ensure they are ready for NIS2 and beyond.
To learn more about how Exigence can help you be incident ready and NIS2 compliant, we invite you to book a demo by clicking here.