Whether you’re based in the EU or not, NIS2 is a board-level concern that can’t be ignored. 

Even if your company isn’t directly affected, you’ve likely heard of the EU’s NIS directive and its successor NIS2.

The 2016 NIS (Network and Information Systems) directive came into force to bring greater accountability around security and governance to sectors that the EU classes as “critical,” such as energy and transport. Its reach also extended to other “important” industries that could negatively impact the functioning of those critical sectors if an incident occurred.

With the implementation of the Network and Information Security Directive (NIS2), the directive's scope expanded to additional sectors while harmonising some of the legislation’s obligations.

Crucially, it also expanded senior management’s accountability, ensuring security and resilience are embedded within the organisation’s corporate governance.

Management is now directly responsible – and liable – for NIS2

The consequences of failure can be severe both for your company and its leaders.

For companies, potential fines are calculated as a percentage of global revenue — not just revenue from the affected market. That could mean penalties of up to 2% of total revenue or €10 million.

But the company’s fine will not shield senior leadership. NIS2 places responsibility on senior management to ensure compliance and holds them liable for failures. As a result, if negligence is proven, they may no longer be permitted to lead the company in question.

The legislation is clear: cybersecurity and resilience are no longer an “IT problem.” They are a core part of corporate governance, and failing to treat them as such could have serious consequences for both the company and its leaders.

NIS2 should be a concern, even if you don’t fall under its remit

NIS2 requires companies to look beyond just the risks under their control. It also requires them to evaluate their supply chains for potential weaknesses and overreliance on certain companies.

If your company is one of many vendors to another organisation, you may be deemed “important.” But if you are the sole provider of certain services, you could become “critical” to that business — transferring compliance risk to your company. 

So even if your organisation is not directly affected by NIS2, you may still be asked to demonstrate that your work is in scope if you wish to do business with companies that are.

And it isn’t just about NIS2. Other countries have similar legislation with overlapping requirements. The UK, for example, has its own NIS legislation, along with strict breach reporting requirements under UK GDPR. There’s also talk of what may come as part of NIS3 within the EU. Legislation rarely shrinks, and there’s already discussion of how its remit will be broadened.

In short, frameworks like this aren’t going anywhere and will only expand.

The four key areas of NIS2 oversight

While these fall under NIS2 legislation, they also represent a practical framework for strengthening corporate governance, cybersecurity and resilience in any organisation.

  • Risk management – This is the preventive element. It’s about ensuring your house is in order to minimise risk. Areas include incident management, stronger supply chain security, enhanced network security, better access control and encryption.
  • Reporting obligations – If something goes wrong, strict timelines govern how breaches must be reported. Every second counts, and ensuring your company understands its obligations as part of an incident response is vital.
  • Business continuity – When the worst happens, how does your organisation continue operating? Does it have disaster recovery in place? Is it tested? Are teams ready to adapt quickly in the event of an incident? In short: can your business cope and recover?

Underlying those three core areas is corporate accountability. This isn’t about letting IT sort it out — it’s about ensuring management teams are trained to understand their responsibilities and take action to ensure compliance.

Legislation may evolve — the underlying need hasn’t

Embracing the principles of NIS2, even if you don’t have a legal obligation to do so, means you’re ready to do business with those that do. And adopting its approach will only serve to improve your security posture and ability to respond to incidents.

With the average cost of a data breach exceeding €3.3m, the financial impact alone underlines the need for strong governance. And that’s before taking into account the cost of reputational damage. 

Kaseya, with its suite of IT operations and risk management solutions, has long been making the case for the importance of the right tools to streamline, manage and protect organisations.

Good governance requires the right tools

While the overarching legislation may change and continue to evolve, the same principles remain. Good governance relies on tools that reduce the chance of human error, speed up detection, aid resolution of issues and ensure teams have exactly what they need when something goes wrong.

It also means having the right evidence to call upon if your company is audited or needs to report a security breach. That includes everything from proof of training, governance records and detailed documentation showing how a security incident was handled step by step.

In our next article, we explore the 10 areas that management teams should be discussing with IT leaders to ensure NIS2 compliance.