June 17, 2026
The NIS2 directive significantly expands cybersecurity obligations for European companies. Are you prepared for it?

With NIS2, cybersecurity has finally become a board-level responsibility. Companies that underestimate the requirements risk more than fines: they risk personal liability. This guide explains what is changing in concrete terms, where the biggest gaps lie, and what a pragmatic rollout looks like.
Key Takeaways
NIS2 expands the range of regulated sectors from 7 to 18 and introduces two categories: essential entities are subject to proactive oversight, important entities to reactive oversight. Companies that previously operated outside any regulation suddenly find themselves squarely within the scope, often without knowing it.
The threshold is lower than many assume. In the affected sectors, the directive already applies at 50 employees or 10 million euros in annual revenue. That shifts NIS2 away from being purely a large-enterprise topic and turns it into an obligation that covers a large part of the German Mittelstand: mechanical engineering, logistics, healthcare providers, IT service providers, food production.
The key point: being in scope is neither optional nor negotiable. It follows automatically from sector and company size. Anyone who fails to check whether they are affected is still liable.

NIS2 is not a compliance-checklist law. It is a framework that redefines security as a management responsibility, and companies feel that in five central areas.
Risk management. Cybersecurity must be systematic, documented, and verifiable. Ad-hoc measures or a concept drawn up once and left in a drawer are no longer enough. What is needed is a living process that continuously assesses risks and derives the right measures.
Reporting obligation. Significant security incidents must be reported within 24 hours. A detailed report follows 72 hours later, and a final report after one month. These deadlines presuppose working detection and escalation processes, built today, not improvised after the next incident.
Supply chain security. Your own security does not end at the factory gate. Companies are accountable for the cybersecurity of their supply chain. Anyone who does not audit critical service providers and their access shares the risk.
Access control. Multi-factor authentication and Privileged Access Management are not a recommendation but an explicit requirement. Under NIS2, privileged access without control is a regulatory risk.
Management liability. This is the change with the greatest impact: managing directors and board members are personally liable for violations. NIS2 makes cybersecurity a matter for the top, legally binding and not delegable.
"NIS2 is not an IT topic, it is a topic for the board. The liability rules mean that executives who do not take cybersecurity seriously will face personal consequences." — ENISA NIS2 Implementation Guide
The sanctions underline how serious this is. Essential entities face fines of up to 10 million euros or 2 percent of global annual revenue, whichever is higher. For important entities, the ceiling is 7 million euros or 1.4 percent.
Many companies have IAM. Few have PAM. This is exactly the gap that NIS2 addresses directly, and it is exactly where the biggest risks arise in practice.
It is worth separating the two disciplines cleanly. Identity and Access Management (IAM) manages all digital identities in the company, meaning employees, partners, and systems, and answers the question: who are you, and what may you generally access? Privileged Access Management (PAM) is the specialization for the most powerful accounts and answers a different question: how exactly do we control, monitor, and document the most dangerous access in the system?
Privileged accounts are the crown jewels of any IT infrastructure: domain admins, root access, service accounts, emergency access. They have access to everything. And when left uncontrolled, they are the most common attack surface in serious security incidents. NIS2 requires that these accounts are not only managed but actively controlled, monitored, and audited, with session recording, Just-in-Time access, and granular logging.
Visulox is built precisely for this as a decentralized remote PAM platform. External service providers and internal administrators gain secure, centralized, and fully documented access to the IT infrastructure, without agents, deployed in under two days, with no disruption to ongoing operations. Session recording, Just-in-Time access, granular auditing: everything NIS2 demands, without the operational overhead that traditional PAM solutions bring with them.
For companies with critical, regulated infrastructure, this is not a nice-to-have. It is the difference between verifiable compliance and personal liability for the management.
Getting started with NIS2 compliance does not have to be complex, but it does have to be structured. Three steps have proven themselves in practice.
Step 1: Scope analysis.
First clarify which category your company falls into. Essential or important entity? The classification determines the supervisory framework and the logic of the deadlines. Involve your legal department early. The national implementation laws vary considerably from country to country, and anyone operating in several EU states must account for several transposition regimes.
Step 2: Gap analysis.
Where do you stand today? Systematic risk management, reporting processes, supply chain audits, access control: each of these areas needs an honest assessment against the NIS2 requirements. Prioritize the gaps by risk, not by effort. The areas furthest from the requirement should be tackled first.
Step 3: Technical implementation.
IAM and PAM are no longer lengthy projects. With Visulox, a complete PAM implementation goes live in under two days, without agents, without interrupting operations, with German-language support. It is the fastest way to demonstrably meet the NIS2 requirements for access control and auditability.
NIS2 shifts cybersecurity from the IT department to the boardroom. The combination of an expanded scope, strict reporting deadlines, supply chain responsibility, and personal liability turns a technical obligation into a strategic priority. Companies that start now with an honest gap analysis and close the most obvious gap first, namely uncontrolled privileged access, gain not only legal certainty but also a genuine improvement in security.