NIS2 and the Rising Compliance Bar: Are you ready for Europe’s New Cybersecurity Framework? 

Cybercrime is now a daily global threat, not just to companies but to national infrastructure. The EU's NIS2 Directive (Directive (EU) 2022/2555) changes how companies must handle IT security, especially those operating or supporting critical infrastructure. It affects every such entity in the EU, yet many suppliers and operators are still unaware of their obligations.

What is NIS2? It's a European Union directive mandating stricter cybersecurity measures. It applies to both public and private sector entities that are part of critical infrastructure: utilities, transport, telecoms, healthcare and public services, among others. Because it is a directive rather than a regulation, it takes effect through each member state's transposing law (the transposition deadline was 17 October 2024), so the exact obligations, deadlines and supervising authorities differ from country to country. “You just need to think that the whole public transport in London could collapse just by being hacked,” Christoph Schillinger, a cybersecurity specialist at Nexia Austria, notes, highlighting why these regulations exist.

The requirements are comprehensive: risk-based cybersecurity controls, independent audits, incident response planning, and incident reporting on a fixed timeline (an early warning to the national authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month). Management bodies must approve the risk-management measures and can be held personally liable for failures. The penalties for non-compliance are significant: fines of up to €10 million or 2% of worldwide annual turnover for essential entities, and up to €7 million or 1.4% for important entities.

“These critical infrastructure companies…  have to have the security system in place and they are audited,” explains Schillinger. “They get huge fines if they are in breach… I think we are above €2 million on average in Europe.”

Who needs to comply? Any organisation providing services deemed essential or important to society, which in practice means medium and large entities in the sectors the Directive lists, plus certain providers (such as DNS and trust service providers) regardless of size. Obligations also reach private companies that supply or subcontract to in-scope providers, because those providers are required to manage risk in their supply chains and will pass security requirements down contractually. Even smaller firms can be caught directly if they are the sole provider of a service or if their disruption would impact broader infrastructure.

For example, if your company supplies software to transport operators, provides maintenance to energy companies, or handles data for healthcare providers, expect NIS2 to reach you: either directly, if you fall within a listed sector and meet the size thresholds, or indirectly, through the security requirements your in-scope customers must now impose on their suppliers. Checking which of the two applies is the first step of any gap assessment.

Why it matters: It's no longer enough to have a firewall or antivirus software. Companies must demonstrate, with documentation an auditor can follow, that they have identified their risks, implemented proportionate mitigations, and planned and tested incident response and recovery. For insurers and regulators alike, this evidence is now a key priority.

The opportunity angle: This isn't just a compliance burden, it's a consulting opportunity. Mid-market firms need help interpreting, applying, and implementing NIS2-aligned programmes. For advisory firms, it offers a route to recurring advisory relationships rather than one-off engagements.

NIS2 is both a warning and an invitation. Companies that prepare now will be resilient, insurable, and trusted. Those that don't may soon find themselves uninsurable, or offline. The compliance bar has been raised permanently, and early movers will have a competitive advantage.

Author

Christoph Schillinger

CONSULTATIO

Austria

christoph.schillinger@consultatio.at

+43 1 27775 254