Security
5 min read
Contagem regressiva NIS2: Você está pronto?
Com a aplicação da NIS2 em pleno vigor na UE, muitas organizações ainda não estão em conformidade. Prazos, penalidades e como se adequar.
NIS2 Enforcement Is Here — No More Grace Periods
The Network and Information Security Directive 2 (NIS2) has been the most significant cybersecurity regulation to hit European organizations since GDPR. With national transposition deadlines passed in most EU member states, enforcement agencies are now actively auditing and penalizing non-compliant organizations.
If you're still scrambling to meet NIS2 requirements, you're not alone — but the window for leniency is closing rapidly.
Current State of NIS2 Implementation Across the EU
As of February 2026, the implementation landscape varies significantly:
- Germany (NIS2UmsuCG) — Full enforcement since January 2026. BSI conducting audits. First fines issued in January.
- France (ANSSI) — Active enforcement with sector-specific guidance published.
- Netherlands — Enforcement active since Q4 2025. Focus on essential entities first.
- Austria — NISG 2024 in effect. Emphasis on critical infrastructure providers.
- Italy, Spain, Portugal — Enforcement ramping up. Initial focus on awareness and self-assessment.
⚠️ Penalty Reality Check
NIS2 fines can reach €10 million or 2% of global annual turnover (whichever is higher) for essential entities. Management can be held personally liable for compliance failures.
Who Must Comply? The Expanded Scope
NIS2 dramatically expanded the scope of covered entities compared to NIS1:
- Essential entities: Energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space
- Important entities: Postal services, waste management, chemicals, food, manufacturing, digital providers, research
- Size threshold: Generally applies to medium-sized companies (50+ employees or €10M+ revenue) and above
A critical change: supply chain obligations mean even smaller companies may need to demonstrate NIS2-level security to maintain contracts with covered entities.
The 10 Key Requirements You Must Meet
- Risk management policies — Documented, board-approved cybersecurity risk assessments
- Incident handling — 24-hour early warning, 72-hour incident notification to authorities
- Business continuity — Backup management, disaster recovery, crisis management plans
- Supply chain security — Risk assessments for direct suppliers and service providers
- Vulnerability management — Systematic identification and remediation of vulnerabilities
- Cyber hygiene & training — Regular employee awareness training programs
- Cryptography — Policies for encryption and where applicable, multi-factor authentication
- Access control — Human resources security, asset management policies
- MFA/continuous authentication — Secure communications and emergency access systems
- Reporting obligations — Established processes for timely incident notification
Fast-Track Compliance: A 90-Day Action Plan
Month 1: Assessment & Gap Analysis
- Determine if your organization falls under NIS2 scope
- Conduct a gap analysis against NIS2 requirements
- Run an automated vulnerability assessment to identify critical exposures
- Appoint a responsible person/team for NIS2 compliance
Month 2: Implementation
- Deploy continuous vulnerability scanning and penetration testing
- Implement incident response procedures with required notification timelines
- Establish supply chain security assessment processes
- Begin employee cybersecurity awareness training
Month 3: Validation & Documentation
- Test incident response with tabletop exercises
- Document all policies, procedures, and technical measures
- Conduct a validation penetration test to confirm remediation
- Prepare for potential audits with compliance evidence packages
NIS2 Requires Continuous Vulnerability Management
Article 21 of NIS2 explicitly requires vulnerability handling and disclosure. KENSAI automates vulnerability detection and provides audit-ready compliance reports. Get compliant faster.
Start NIS2 Compliance Scan →
Don't Wait for the Fine — Act Now
The organizations facing the steepest penalties are those that haven't started at all. NIS2 compliance isn't a destination — it's an ongoing process of continuous improvement. Start with automated security scanning, build your incident response capability, and document everything. The clock is ticking.
← Back to Blog