all systems operational +48 697 610 212
Technical · [2026-06-17]

NIS2 Step by Step — What a Company Technically Needs

NIS2 without the legal jargon: which companies it covers, what you need on the IT side (backup, DR, access, monitoring) and where to start.

NIS2 · SECURITY · BACKUP · DISASTER-RECOVERY · COMPLIANCE

NIS2 is a directive that sounds like a topic for lawyers, but in practice it's 80% a topic for the IT department. It comes down to one question: after an attack, outage or breach, can your company keep operating and report the incident on time? Below, without jargon, what that means in practice and where to start.

TL;DR

  • Who it covers: a wider set than before — including mid-sized firms and suppliers to essential entities
  • What it's about: resilience to incidents, business continuity and the ability to report on time
  • What to have: immutable backup, tested DR, access control, monitoring, procedures
  • It's a process: compliance has to be maintained, not "achieved once"
  • Where to start: a prioritized gap audit — biggest risks first

First: does it even apply to you

NIS2 extends cybersecurity obligations to a far wider set of companies than the previous directive — including many mid-sized entities and suppliers serving essential sectors. It doesn't cover every micro-business, but the threshold is lower than many assume, and supply-chain obligations can "infect" smaller subcontractors too.

Establishing whether and to what extent you're in scope is the first step. That's partly a legal question — we handle the technical and organizational side, meaning what actually has to be implemented.

What you need — on the IT side

The requirements boil down to a few pillars, which happen to be the foundation of good security anyway:

  • Incident-resilient backups — immutable and offsite, so ransomware can't encrypt the backup too
  • A tested recovery plan — with a defined recovery time (RTO) and acceptable data loss (RPO)
  • Access control — MFA, least-privilege, clean account management
  • Monitoring and detection — to spot an incident before your client does
  • Hardening — servers, network and workstations configured securely, not "by default"
  • Procedures — who does what during an incident and how to report it within the required time

Note the last point: NIS2 requires the ability to report an incident within set timeframes. That's a procedure and accountability, not another program to buy.

Tools aren't compliance

The most common misunderstanding: "we'll buy a firewall and antivirus, that's NIS2". It isn't. The best hardware won't help if the backup was never tested, nobody knows who responds to an incident, and former employees' permissions are still active. Compliance is processes wired to tools — and maintained, because an audit from a year ago won't stop today's attack.

Where to start

With an audit that shows the gap between your current state and the requirements. You get a list of gaps ranked by risk and a remediation plan — then you know what to do first and what it costs. You don't have to do everything at once; you have to start with what threatens most.


Not sure if NIS2 applies to you or what you actually need? See how we implement NIS2 compliance or book a free consultation — we'll check the scope and show you where to start.

Want the same results in your infrastructure?

Get in touch — the first consultation is free.

Free consultation