The EU's NIS2 Directive was supposed to be implemented by October 2024. Many mid-sized companies still haven't taken it seriously. If you're unsure whether it applies to you — it probably does. And the personal liability clause means 'my IT provider handles it' is no longer a valid answer.
What NIS2 Actually Is
NIS2 substantially expands its predecessor directive from 2016. Where the original rules covered only critical infrastructure — power grids, water utilities, financial systems — the new directive extends to mid-sized companies across a wide range of sectors: healthcare, transport, digital infrastructure, food production, chemicals, mechanical engineering, and postal and delivery services.
Threshold: Companies with at least 50 employees or €10 million in annual turnover operating in a covered sector fall under the directive.
NIS2 is the first cybersecurity directive that explicitly anchors personal liability for management. Delegating responsibility to an IT department or external provider is no longer sufficient — and no longer legally valid.
What NIS2 Requires From You
1. Risk Management: Written, documented security policies. Regular risk assessments. Access control mechanisms. Encryption of sensitive data. Demonstrable, lived processes — not just documentation that exists on paper for audits.
2. Incident Reporting: Security incidents must be reported within 24 hours (initial assessment) and a full report submitted within 72 hours. This presupposes that you can actually detect incidents.
3. Supply Chain Security: Your liability extends to your service providers and external partners. Your ERP provider, your cloud hosting, your IT service company — their security gaps are your security gaps.
4. Management Liability: Company leadership must approve and supervise cybersecurity measures. Personal liability for executives is possible. Fines reach up to €10 million or 2% of global annual turnover for essential entities.
The Silent Problem: Your Software Infrastructure
Many mid-sized companies have a structural vulnerability that NIS2 exposes directly: their business processes run on software they don't control. Customer data in third-party cloud systems. Automated workflows through external platforms. ERP systems with update management handled remotely by a vendor.
NIS2 asks three questions most SaaS-dependent businesses cannot answer: Do you know who can access your data right now? Can you prove the security of your infrastructure? Can you identify and report an incident within 24 hours?
The supply chain problem in concrete terms: If your software provider has an incident and you don't know about it within 24 hours — because you lack access to logs — you are in violation. Not the provider. You.
The Only Approach That Actually Works
Surface-level compliance — a new policy document, a training session, a checkbox — won't hold up. NIS2 requires structural conformity: full control over your own infrastructure.
Open-source software, self-hosted. Servers you control and monitor in full, with real-time alerting. A complete log history. Your own incident response processes. Independence from third-party update cycles.
Three Concrete Steps Right Now
Step 1: Determine whether you're affected. When in doubt: assume you are. Acting unnecessarily is recoverable. Ignoring a directive with executive liability is not.
Step 2: Infrastructure audit. Which software runs where? Who has access? Where does your data reside? Can you pull a full access log for the last 30 days?
Step 3: Plan a structural solution. Identify cloud dependencies. Map a path toward controlled infrastructure. The companies that started two years ago are already compliant.
Tycho Platform: NIS2-Compliant Infrastructure for Your Business
ERPNext + self-hosted + full monitoring. Documentable, auditable, yours.
NIS2 doesn't wait — but the first step is simpler than you think.