NIS2 Directive: What Companies Need to Know in 2026
The second Network and Information Security Directive (NIS2) updates how the EU expects essential services to manage cyber risk. If you still think of cybersecurity as an “IT-only” checklist, NIS2 is the regulatory signal that boards, legal, HR, and operations now share accountability.
Member states were expected to transpose the directive by October 2024. Across 2025 and 2026, national authorities are moving from paper compliance to supervision—making 2026 a practical enforcement window for many firms, especially those newly in scope.
What NIS2 changes compared with NIS1
NIS2 widens the sectors covered, tightens governance expectations, and harmonizes penalties across the EU. It also makes explicit what NIS1 implied: human readiness is part of security, not an add-on. That includes documented training for leadership and recurring awareness for the wider workforce.
Who is affected
NIS2 distinguishes between essential and important entities across sectors such as energy, transport, banking, health, digital infrastructure, wastewater, food, manufacturing of critical products, and more. Size thresholds differ by country—many EU member implementations capture medium-sized and large undertakings in listed sectors even if they did not previously consider themselves “critical infrastructure.”
Important entities face serious duties as well; the distinction affects supervisory intensity, not whether training is mandatory.
Key requirements teams should prioritize
- Risk management and policies proportionate to digital exposure
- Incident handling with reporting timelines that assume trained responders
- Business continuity and crisis management that people have actually rehearsed
- Supply-chain security: your organization is only as prepared as its vendors are
- Human resources and training spelled out as obligations, not suggestions
Training requirements (Article 20)
Article 20 requires member states to ensure that management bodies approve cybersecurity risk-management measures and undertake cybersecurity training. It also requires regular cyber hygiene training for employees. In plain language: executives need enough literacy to govern cyber risk, and frontline staff need ongoing practice—not a once-a-year video.
This aligns with what breach data already show: many incidents exploit human decision points—phishing, credential abuse, and misconfigured access. A policy PDF does not fix that; scenario-based awareness training does.
Penalties
NIS2 introduces serious corporate penalties—up to the greater of €10 million or 2% of global annual turnover for essential entities (important entities face a lower cap). Personal liability for chief executives is on the table in several implementations. Training gaps are no longer a “soft” finding when supervisors look for evidence of operating effectiveness.
What to do now
- Confirm scope with counsel using your national transposition—not generic blog summaries.
- Run a gap analysis on policies, logging, reporting, and supplier due diligence.
- Rebuild training around measurable judgment, not completion quotas.
- Document outcomes you can show auditors: who trained, on what risks, with what improvement signals.
Future articles in this series will dive deeper into evidence packs for supervisory reviews—subscribe to the blog listing for updates.
How BlackSwan supports NIS2 training outcomes
BlackSwan delivers browser-based, adaptive cybersecurity scenarios so teams practice realistic decisions and leaders can see competence trends—not just attendance. Learn more on our cybersecurity training page or explore the full platform approach.