“Our organization is not affected. We haven’t received any official notification.”
This statement has become increasingly common in discussions about NIS2. Not because companies neglect cybersecurity, but because many organizations still rely on an outdated regulatory mindset, where obligations only arise after a formal administrative decision.
NIS2 fundamentally changes this approach.
If you have already faced the question “Does NIS2 apply to us?”, you have probably encountered the same challenge as many other organizations – the answer is often different from what companies expect. In a separate article (Does Your Organization Fall Under NIS2? Here’s What You Need to Know), we explain in detail how NIS2 defines essential and important entities and how the scope of the Directive is determined. Even when organizations understand these principles, we still see the same misconception in practice.
How NIS2 Works in Practice
The NIS2 Directive introduces a principle under which organizations become regulated entities automatically once they meet the defined conditions.
It distinguishes between two categories:
- Essential entities
- Important entities
The difference between these categories mainly concerns:
- supervisory intensity,
- enforcement mechanisms,
- penalty regimes.
However, the core obligations apply to both groups:
- implementing appropriate cybersecurity risk management measures,
- reporting significant incidents.
When Do NIS2 Obligations Actually Arise?
One key legal point must be clearly understood:
The NIS2 Directive becomes legally binding only after it is transposed into national law by each EU Member State.
Once transposition takes place, a new regulatory model applies:
Obligations may arise directly by operation of law (“ex lege”) when an organization meets the applicable criteria – without the need for an individual administrative decision by the supervisory authority.
Waiting for a formal notification therefore does not suspend legal responsibility.
NIS2 vs “Classified Entity” in National Legislation
A frequent source of confusion is terminology. NIS2 uses the concepts of essential entity and important entity.
These terms determine whether an organization falls within the scope of the Directive and which supervisory regime applies.
National legislation (for example in Slovakia) uses the term classified entity.
This concept primarily serves administrative and supervisory purposes, such as:
- maintaining official registries,
- enabling formal communication with the competent authority,
- conducting supervisory activities and inspections.
In simple terms:
- NIS2 defines who is subject to regulation
- national law defines how regulation is implemented and enforced
These layers complement each other – they do not contradict each other.
Self-Assessment: Responsibility Lies with the Organization
NIS2 shifts a significant part of regulatory responsibility directly to organizations.
Entities are required to:
- perform a self-assessment of applicability,
- determine whether they meet sectoral and size-related criteria,
- register with the competent national authority,
- provide accurate and up-to-date information.
Waiting for formal registration does not mean that obligations do not already exist.
A Real-World Example
A mid-sized technology company provided IT services to public sector organizations. It met the sectoral and size thresholds under NIS2 but assumed that the regulation did not yet apply to it because no official notice had been received.
Following a cybersecurity incident, it became clear that:
- the company should have been registered,
- appropriate security measures should have been in place,
- the incident should have been reported within statutory time limits.
The consequences extended beyond technical remediation and included compliance gaps and reputational impact.
What this means for organizations
For organizations, this leads to one key conclusion: even if you have not been formally classified by a national authority (such as NBÚ in Slovakia), once NIS2 is transposed into national law, you may already fall under legally binding obligations.
Waiting for a formal decision does not postpone responsibility. It only postpones preparation.
NIS2 therefore shifts the center of regulatory responsibility inside the organization. Accountability for assessment, documentation, and implementation of baseline measures no longer lies primarily with authorities, but with the organization itself and its management.
Key takeaway
NIS2 is not about whether you are “on a list”. It is about whether you are prepared to take responsibility in time.
Organizations that understand this early will approach NIS2 as a manageable risk governance framework. Those who wait for external formal signals will encounter regulation only in crisis mode – after an incident or during an audit.
Even after identifying their NIS2 obligations, many organizations struggle with execution. Our article How to Choose the Right GRC Tool for Your Organization explains how to structure governance and compliance processes effectively.