What is NIS2 for businesses
When a company goes down due to ransomware, an email breach, or an outsourced vendor outage, the damage is rarely just technical. There are delayed orders, lost revenue, stranded teams, and strain on customers and partners. This is where the question of what NIS2 is for businesses becomes practical, not formal - the framework is aimed at organizations managing cyber risk in a way that preserves business continuity.
What is NIS2 for companies in a real business context
NIS2 is a European directive for a higher level of cybersecurity in organizations and sectors that are essential or important for the economy and society. For companies, this does not mean just a new set of documents. It means clearer management responsibility, specific risk management measures, incident reporting processes and stricter control over dependencies on external providers.
In short, NIS2 shifts the conversation from “do we have antivirus and firewall” to “can we continue working in the event of an incident and do we have demonstrable control over the environment”. This is the essential change. The focus is not only on protection, but also on resilience.
For many companies in Bulgaria, the topic seems distant until it becomes clear that the requirements do not only affect critical infrastructure in the narrow sense. The scope has been expanded to include more sectors, more responsibilities and more expectations for management.
Which companies fall under the scope of NIS2
Not every company automatically falls under the regime, but many more organizations are affected compared to the previous framework. In general, two main factors are considered - the sector in which you operate and the size of the organization. The specific services you provide are also important, as is your role in a given supply chain.
Among the sectors that are most often considered are energy, transport, healthcare, financial services, digital infrastructure, managed IT service providers, public e-services, manufacturing in certain categories, logistics and other activities where an interruption or breach can have a significant effect.
For small and medium-sized companies, there is one important clarification - even when the size is not large, the company can be affected if it provides a critical service, has a key role for customers in a regulated sector or is part of a sensitive supply chain. Therefore, the answer to the question "are we affected" should not be given by feeling. A specific assessment is needed.
What NIS2 requires in practice
The most useful way to view NIS2 is as a governance framework for control, rather than a one-off project. The directive sets an expectation that a company has real cybersecurity measures in place that are commensurate with the risk.
This typically includes risk assessment, security policies, incident management, backups and recovery, access control, network and system protection, vulnerability and update management, employee training, and control over suppliers and external services. For many organizations, the last part turns out to be the weakest - they have contracts with cloud, telecommunications or software providers, but lack sufficient visibility into how the risk is managed there.
There is also a requirement to report significant incidents within certain deadlines. This means that the company must not only have technical protection, but also a clear process for who detects the incident, who makes the decision, who communicates with management and how the necessary information is collected. Without such an organization, even a good IT team can prove ineffective under pressure.
What is NIS2 for companies as a management responsibility
One of the most significant changes is the role of management. NIS2 does not leave cybersecurity only to the IT department. Managers and management teams must approve measures, monitor their implementation and be responsible for whether the organization manages the risk adequately.
This is logical. The risk of operations being stopped, data leaking or business processes being compromised is a business risk. It affects revenues, contractual relationships, reputation and ability to work. Therefore, NIS2 is a topic for management as much as for system administrators and security specialists.
In practice, good management here means several things - clearly defined roles, a budget for priority measures, a periodic risk review and accountability. If security is only discussed after an incident, the organization is already lagging behind.
Where companies most often have gaps
The problem is rarely the lack of a particular tool. More often, what is missing is overall coordination. There are environments with good technology, but no central monitoring, no tested recovery, no multi-factor authentication everywhere and no clear picture of who has access to what.
Another common gap is the dependence on one person. If the entire environment is known only by an internal IT employee or an external contractor without sufficient documentation, the risk is high. In the event of an incident or the absence of the key person, recovery is delayed. This is a direct problem for continuity.
There is also an organizational deficit - policies that exist only as a file; backups that are never tested; training that is done as a formality; suppliers that are never evaluated. NIS2 is not about having documents to tick boxes, but about processes that demonstrably work.
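Of the gaps listed above, untested backups are the easiest to turn into a demonstrably working process, because the test can be automated and its report kept as evidence. The following Python script is an added example, not code from the original article: it packs a few constructed sample files into a gzip tar archive, records a hash manifest of what the backup is supposed to contain, and then performs a restore test that reads every file back and reports anything missing, altered or unexpected. The file names, contents and the in-memory archive are all constructed for illustration; in practice the manifest would be written by the backup job and the restore test run on a schedule against the real archive.

```python
"""Automated restore test for a backup archive (constructed example)."""
import hashlib
import io
import tarfile
import zlib

# Constructed sample data standing in for a few business files.
SAMPLE_FILES = {
    "erp/orders.csv": b"order_id,customer,amount\n1001,ACME,250.00\n",
    "hr/policies.txt": b"Access is granted on a least-privilege basis.\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record the expected hash of every file the backup must contain."""
    return {name: sha256(data) for name, data in files.items()}


def create_backup(files):
    """Pack files into an in-memory gzip tar archive (stands in for the backup job)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def restore_test(archive, manifest):
    """Read every file back out of the archive and compare it with the manifest.

    Returns a report dict instead of raising, so the result can be logged,
    reviewed periodically and shown as evidence that recovery actually works.
    """
    report = {"restored": [], "missing": [], "corrupt": [], "unexpected": []}
    seen = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                # extractfile() reads the member without writing to disk,
                # so no archive path can escape a restore directory here.
                seen[member.name] = sha256(tar.extractfile(member).read())
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        report["error"] = f"archive unreadable: {exc}"
        report["ok"] = False
        return report

    for name, expected in manifest.items():
        if name not in seen:
            report["missing"].append(name)       # backup job skipped the file
        elif seen[name] != expected:
            report["corrupt"].append(name)       # content differs from what was expected
        else:
            report["restored"].append(name)
    report["unexpected"] = sorted(set(seen) - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    print(restore_test(create_backup(SAMPLE_FILES), manifest))
    # A backup that silently skipped a file is caught by the same test.
    partial = {"erp/orders.csv": SAMPLE_FILES["erp/orders.csv"]}
    print(restore_test(create_backup(partial), manifest))
```

The design point is that the test checks the backup against an independently recorded expectation rather than trusting the backup job's own exit code: a job that ran but skipped a file, or restored a file whose content no longer matches, shows up as `missing` or `corrupt` in the report.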
How to prepare a company without unnecessary chaos
Preparation starts with the scope. First, it must be clarified whether the company falls under NIS2 and in which category. Then comes the real work - a review of the current state. Here it is important to see not only which systems exist, but how they are managed: who monitors the logs, how incidents are handled, whether there is network segmentation, how email is protected, how endpoints are managed, how backups are created and how recovery is done.
After this review, it makes sense to build a plan by priorities. Not everything is done at once, and this is completely normal. If the company has limited resources, the measures with the greatest effect on risk are addressed first - access control, backups, monitoring, email protection, vulnerability management, incident process and basic documentation.
Then comes the discipline of implementation. This is exactly where many organizations need an external partner, because this is not a one-off project. It requires ongoing control, periodic reviews, accountability, and coordination between management, IT, and vendors. For companies without a large internal team, this is more realistic when there is a structured helpdesk process, monitoring, and clearly assigned responsibilities.
NIS2 and external providers - a risk that is often underestimated
If you use cloud services, external support, internet and telephony, hosting, ERP, CRM or specialized software, your security also depends on external processes. NIS2 places a strong emphasis on this dependency.
This does not mean that external providers should be avoided. On the contrary - for many companies they are the best way to obtain a higher level of expertise and control. But there must be an assessment: what access they have, how they react to an incident, what accountability they provide, how changes are managed, whether there is redundancy and what happens in the event of an interruption of their service.