Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register nowarrow_forward

menu

Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register now

arrow_forward

language

Products

arrow_drop_down

Solutions

arrow_drop_down

Resources

arrow_drop_down

Diligent AI

Request a demo

Governance

Risk

Compliance

Audit

Diligent Boards

Automate meeting prep, secure sensitive data and give directors the clarity to make the best decisions.

BoardEffect

Secure, flexible board management software for nonprofits and higher education.

Community

Increase transparency, streamline governance and empower your school board or local government.

Diligent Market Intelligence

On-demand access to exclusive shareholder activism, executive compensation and ESG data.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Role

Use Cases

Company Type

Industries

General Counsel

Safeguard your organization with centralized oversight of governance, risk and compliance.

Corporate Secretary

Run governance flawlessly with AI tools that eliminate busywork and ensure audit-readiness.

Executive Assistant

Streamline board prep, communications and approvals with AI workflows for seamless meetings.

C-Suite

Accelerate decisions and inspire confidence with AI-powered reporting and real-time risk intelligence.

Directors & Trustees

Prepare faster, mitigate risk and make smarter decisions with purpose-built board tools.

Risk Manager

See enterprise risk in real time, act decisively, and deliver AI-powered insights.

Information Security

Unify IT risk, compliance and cyber oversight in one secure platform.

Compliance Officer

Turn regulatory obligations into clear, actionable metrics — proving compliance and ROI.

Internal Auditor

Connect audit management, analytics and monitoring in a secure, AI-powered hub.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Content Library

Case Studies

Virtual Summits

Events

Resources Hub

Discover all of Diligent's insights in one place. Stay ahead of trends with expert perspectives, exclusive research and information you won't find anywhere else.

MEDIA TYPE

Blog Guides Videos Podcasts Content Toolkits Research & Reports

BY TOPIC

Governance Risk & Audit Compliance AI & Cyber Public Sector Diligent Institute

FEATURED

Diligent named a Leader in 2025 Gartner® Magic Quadrant™ for GRC

The NIS2 Directive: Are you ready to raise the bar on cyber resilience?

May 17, 2024

•

7 min read

Risk professional engaged in a disucssion.

Share:

Cybersecurity must be a collective effort to successfully defend against sophisticated cyber-attacks. Modern technology networks are hyperconnected, so an attack originating in one area can quickly impact another area severely — whether that area is in a different company, industry or even country. The need to develop a collective strategy is even more urgent when the networks that countries rely on to deliver critical national infrastructure services are targeted by nation-state actors wishing to cause disruption. These essential services can include health, finance, water, transport and even the government itself.

This urgency was brought into stark focus by the recent U.S. Government announcement that the Chinese hacker group Volt Typhoon was detected infiltrating the IT environments of its transport and water systems for the past five years. The statement, co-signed by national cybersecurity agencies in Britain, Canada, Australia and New Zealand, emphasised the risk of disruptive attacks launched from within compromised networks. Protecting against such widespread and high-impact attacks will only be successful if all parts of the network are covered, and that requires a collaborative approach.

The Cyber Leadership Playbook

Align your CISO, GC, and board for smarter cyber risk management. Discover practical insights and strategies to bridge the gaps between security, legal, and board leadership.

Download herechevron_right

Discover how AI-assisted board management software can boost your board’s efficiency, decision-making and strategic planning like never before.

In the UK, the Law Society recently provided guidance to law firms after a service provider of managed IT services for law firms and the professional services industry experienced a cyberattack that purportedly resulted in the disruption of up to 80 law firms, with many left unable to access case files.

Examples like this provide the rationale behind the EU’s Network and Information Security (NIS2) Directive, which is set to be transposed into national law in every EU country by October 2024. NIS2 provides a list of security risk-management measures that essential and important entities should implement to protect network and information systems and seeks to achieve a higher common level of cybersecurity and cyber resilience across the EU. The aim is to increase collective preparedness, improve the ability of organisations to withstand and recover more quickly from cybersecurity incidents and generally raise cybersecurity standards in key industries and their supply chains across Europe. Prescribing and enforcing minimum levels of cybersecurity performance for in-scope organisations will lessen the likelihood of cyberattacks disrupting citizens, societies and economies, minimise the impact of the attacks that do happen and empower collective incident responses.

As the name implies, this isn’t the first attempt to collectively improve cybersecurity standards. This iteration addresses some of the shortcomings of the earlier directive and increases the number of organisations and sectors covered. It provides for greater harmonisation and international cooperation and is more prescriptive on the timeframes and content that must be included in incident reporting.

NIS2 will impact governance, risk and compliance practices for essential and important entities across 18 sectors, divided between Sectors of High Criticality and Other Critical Sectors. Examples include energy, transport, health, drinking water and waste management, health, digital infrastructure, ICT service management, postal and courier services, production, processing and distribution of food, manufacturing and digital providers.

Crucially, NIS2 also:

Creates governance and accountability for effective cybersecurity strategy and oversight at the highest leadership levels. Management bodies are assigned an active role and will have the responsibility to approve the cybersecurity risk-management measures taken by their organisations and to oversee implementation. A failure to ensure compliance can result in individuals being found liable for breach of their duties. Sanctions include temporarily prohibiting a person who is responsible for discharging managerial responsibilities at the CEO or legal representative level from exercising their managerial functions.
Requires organisations to address cybersecurity weaknesses in their supply chain. This inclusion of security-related requirements between each organisation and its direct suppliers or service providers will ensure a top-down contractually driven effect that impacts an entire ecosystem of suppliers supporting the estimated 160,000 essential and important entities that are directly in scope of NIS2. Direct suppliers or service providers should also ready themselves for these contractual obligations.
Has extraterritorial application for certain entities who are not established in the EU but offer services within the EU. These include DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms. Further, direct suppliers who are not established inside the EU, such as UK businesses, but which supply European essential or important entities, will need to satisfy those customers that they are operating to NIS2 standards.
Establishes reporting obligations for essential and important entities for significant cybersecurity incidents. These organisations will be required to provide the government’s Computer Security Information Response Team (CSIRT) or competent authority with an early warning within 24 hours, an incident notification within 72 hours, status updates and a final report within 30 days of the incident notification.

What are the penalties for NIS2 failures?

Organisations that fail to comply with NIS2 face a range of penalties including:

Fines of up to €10 million or a maximum of 2% of global turnover for essential entities and €7 million or up to 1.4% of global turnover for important entities.
Responsible persons (such as CEOs or legal representatives) in essential entities may be temporarily prohibited from exercising managerial functions in that entity if it is not in compliance.
Responsible persons in essential or important entities may be held liable for breaching their duties to ensure compliance with NIS2.
Being publicly named or subject to binding instructions requiring them to remedy infringements.
Being forced to notify customers or service recipients of the nature and severity of risk as a result of compliance failings.

Raising the bar on cyber resilience

Complying with the NIS2 Directive, therefore, requires organisations to ensure they have good visibility over cybersecurity performance, with effective controls and monitoring to deliver the assurance needed by senior leaders.

From a governance perspective, this regulation also requires that the members of management bodies of essential and important entities are have NIS2 training so they can identify and prioritise cybersecurity risks and are sufficiently experienced in that area to discharge their risk management duty effectively.

Beyond the immediate organisation, enhanced levels of third-party risk management will be essential to identify and manage cybersecurity risk among key companies in the supply chain and ensure that the supply chain has implemented appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of their network and information systems.

If you want more information on NIS2 and how to comply, look no further. Download our white paper and NIS2 checklist today for deep insights and expert advice.

How can Diligent help?

Meeting the diverse requirements of the NIS2 Directive will entail a unified approach to governance, risk and compliance. Organisations will need visibility across the different areas of cybersecurity risk and third-party risk to deliver the assurance needed by management bodies.

The Diligent One Platform can help deliver that assurance. Diligent offers integrated tools covering internal controls, enterprise and third-party risk and compliance, which support risk practitioners and management bodies by offering a single source of truth. This data is vital for accurate decision-making, planning and quick action when a significant cybersecurity incident occurs.

We have also created a NIS2 Compliance Toolkit to elevate your IT compliance while saving time and conserving resources. This toolkit will help you to build and maintain a brand your customers trust by demonstrating an informed commitment to robust NIS2 compliance and information security.

Our NIS2 Compliance Toolkit maps the cybersecurity risk-management measures and obligations mandated by NIS2 for essential and important entities and their supply chains against a set of cybersecurity controls based on international standards and best practices.

Speak to an expert to learn how you can enhance your NIS2 compliance with Diligent.