Company NIS2 Compliance Guide
If you run a company and still accept NIS2 as a topic only for large operators, you are probably underestimating the risk. For many Bulgarian companies, the new requirements are not just a formality, but directly affect the way access, archives, suppliers, incidents and management responsibility are managed. This guide to a company's NIS2 compliance is aimed at organizations that want to get their processes in order on time, without chaos and without expensive last-minute improvisations.
NIS2 is changing the cybersecurity conversation. Until now, many companies looked at security as a set of technical tools - antivirus, firewall, backups. According to the new logic, this is not enough. A manageable approach is expected in which there is a risk assessment, clear roles, documented procedures, monitoring, response and demonstrable controls. That is, not only to have measures, but to be able to show how you manage them.
What NIS2 means for a company
NIS2 is a European directive that expands cybersecurity requirements to more sectors and to more organizations. In practice, this means that companies that have not been under much regulatory pressure until now may now fall within the scope depending on their activity, size or role in the supply chain.
There is an important detail here - not every company will be affected in the same way. For some, the focus will be on the maturity of internal controls. For others - on dependencies on external suppliers, cloud environments and telecommunications services. There are also organizations where the main problem is not the lack of technology, but the lack of processes and accountability.
Therefore, NIS2 should not be read as a checklist that can be completed in a week. It is more useful to see it as a framework for operational resilience. If an employee opens a phishing email, if the office is left without access to the systems, if the archives cannot be restored, if an external provider is compromised - how quickly will you identify the problem, who will make a decision and what will you prove afterwards? This is where real compliance begins.
Guide to NIS2 compliance for a company - where to start
The most common mistake is to buy tools before the scope is clear. The first task is to determine whether your company falls within the scope and which systems, services, processes and suppliers are critical to the business. If you do not know what is critical, there is no way to correctly determine your priorities.
Then a baseline assessment of the current state should be made. It should not be limited to the question of whether you have antivirus and backup. It is necessary to check how user accounts are managed, who has administrative rights, how logs are kept, how incidents are handled, what is the level of segmentation in the network, how vulnerabilities are managed and whether there is a disaster recovery plan.
In many companies, this is where the difference between a working IT environment and a controllable IT environment becomes apparent. The former may seem stable in everyday life. The latter remains stable even when something goes wrong.
Scope is more important than speed
Some executives want a quick answer to the question of whether they are NIS2 compliant. In practice, such an answer is rarely honest without a review of the real environment. If you have multiple offices, a hybrid infrastructure, an external helpdesk, cloud platforms and internal business systems, the picture becomes more complex. And that is where hasty self-assessment creates a false sense of security.
A better approach is a step-by-step approach. First, assets and critical services are described. Then risks are assessed. Finally, gaps in processes, technology and governance are identified. This way, investments are directed where they truly reduce risk, not to the hottest topic in the market.
The main areas that NIS2 affects
For most companies, compliance comes down to a few permanent control areas. One is risk management - having a method by which threats and vulnerabilities are assessed, reviewed and addressed. The other is the incident process - who discovers, who escalates, who documents and who communicates when a problem occurs.
There is also a serious emphasis on access control. If users share passwords, if former employees still have active accounts, if multi-factor authentication is missing for critical systems, this is a weakness not only technically but also managerially. The situation is similar with archives. An untested backup is an assumption, not a defense.
The supply chain should not be underestimated. Many companies maintain good internal discipline, but work with suppliers without clearly agreed levels of security, response and accountability. With NIS2, this is already a real factor. If a key external partner has a breach, the consequences could be yours.
The role of management is now direct
One of the most significant effects of NIS2 is that cybersecurity is no longer just an IT department issue. Management must understand the risks, approve the measures and be responsible for managing them. This changes the internal dynamics.
For the business, this is useful, although inconvenient. When security decisions are made only at a technical level, there is often a lack of resources, priority and support. When management is engaged, it becomes possible to introduce clear rules, plan budgets and demand measurable results.
What practical preparation looks like
Good preparation starts with a realistic picture of the environment. This means inventorying devices, servers, cloud services, users, business applications and external vendors. Without this visibility, any compliance program is based on assumptions.
The next step is to put policies and procedures in order. This is not about filing documents. You need concise, actionable policies for access, remote work, change management, incident response, backup and recovery. If the procedures are too complex, employees will bypass them. If they are too general, they will not help with a real problem.
From there, technical measures come in. These can include multi-factor authentication, centralized endpoint management, logging, monitoring, segmentation, email protection, vulnerability management, and control over administrative rights. But the exact mix depends on the business. A company with 40 employees and cloud applications has a different profile than a manufacturing organization with on-premises systems and industrial equipment.
A Guide to NIS2 Compliance for a Resource-Strapped Company
Many small and medium-sized companies assume that NIS2 requires a large internal team and a heavy program. This is not always the case. A more realistic model is to have a clear business owner, supported by an internal or external IT partner who can structure the process and maintain control on a day-to-day basis.
Discipline is more important than scale here. It is better to have well-functioning basic controls than expensive systems with no maintenance and no accountability. For example, regularly reviewed access rights, actually tested archives, and proactive monitoring are often more valuable than complex solutions that no one is monitoring.
For many companies, this is also the time to assess whether their current IT model is mature enough. If support is reactive, if incidents are resolved by phone and chat without traceability, if there is no central asset register and clear responsibilities, NIS2 will bring these weaknesses to the forefront. In such an environment, compliance remains difficult to prove, even when individual technologies are available.
Where companies most often struggle
The first difficulty is that they mix documented compliance with real resilience. You can have policies, but if no one implements them, the risk remains. The second is the lack of prioritization. They try to do everything at once and resources are wasted.
The third problem is underestimating the human factor. Employee training is not a formality, especially when phishing, weak passwords, and unauthorized applications continue to be among the most common entry points for incidents. The fourth is related to suppliers. If you rely on external support, cloud, internet, telephony, or specialized software, you need to know what security commitments are made and how to escalate an issue.
This is where the value of a structured external IT partner is greatest. Not because it completely replaces internal responsibility, but because it introduces process, monitoring, and accountability where there is otherwise dependence on individuals and accumulated temporary solutions. This is also the reason why companies are looking for a partnership model, not just technical intervention in the event of an incident.
NIS2 does not require perfection. It requires a mature approach, demonstrable control, and a willingness to react when something happens. For a company, it's less about formally meeting requirements and more about managing business risk. The sooner you get your environment in order, the less you'll pay for chaos, disruption, and hasty decisions later.


