The business case for NIS2 compliance

Investment versus cost

The risk of doing nothing is visible on the fines table alone. NIS2 Article 34 caps maximum fines at 10 million euro or 2 percent of global turnover for Essential Entities, whichever is higher, and 7 million euro or 1.4 percent for Important Entities. Rushed implementation under enforcement pressure typically costs significantly more than planned programs, and the operational disruption compounds the bill.

The less visible cost is commercial. Enterprise buyers now screen suppliers for cybersecurity posture, and public sector procurement in several member states already requires evidence of NIS2 readiness. Organizations that wait risk being excluded from deals before they know the requirement exists.

Organizations that treat NIS2 as a program rather than a checklist build capabilities they keep: a documented ISMS, real incident response, supply chain visibility, and a management body that actually understands the risk. Those outlast the directive.

"We already have strong cybersecurity"

Organizations with a mature ISO 27001 implementation typically meet 60 to 70 percent of NIS2 requirements already. The remaining gaps cluster in five areas:

• Incident reporting procedures aligned to the NIS2 Article 23 timelines (24 hours, 72 hours, one month)
• Supply chain and third-party risk management evidence per Article 21(2)(d)
• Management body oversight, approval, and training per Article 20
• Cross-border information sharing procedures
• NIS2-specific documentation format that regulators can audit quickly

For organizations with an ISMS in place, the gap close typically takes 60 to 90 days of focused work. For organizations starting without one, expect 90 to 180 days for foundational compliance and another 6 to 12 months to mature the ongoing disciplines.

Why start now

The official EU transposition deadline was 17 October 2024. Several member states have fully transposed (Belgium, Italy, Latvia, Croatia). Others are still legislating, including the Netherlands where the Cyberbeveiligingswet passed the Tweede Kamer in April 2026 and is expected to enter into force in Q2 2026. Use the transposition tracker to see your jurisdiction.

The practical advantage of starting now is threefold. First, you pick your timeline before regulators pick it for you. Second, consultants and auditors are not yet saturated, so you get attention and competitive pricing. Third, you can learn from the early adopters instead of becoming one.

Regulators have publicly signaled that they will prioritize Essential Entities in the first enforcement wave. If you are classified Essential, the window is short. If you are Important, you have marginally more runway but the reputational risk of being publicly non-compliant is just as high.

Next steps

Start with the scope check to confirm your status. Run the fine exposure calculator for board context. Download the checklist for an internal first pass. Then, if it is useful, book a call to talk through the findings.