What does NIS2 really change for IT teams?
For years, many organizations treated cybersecurity as an essentially technical and reactive issue. They protected systems considered critical, responded to incidents when something went wrong, and trusted that contracts with suppliers alone would be sufficient to guarantee security. The entry into force of NIS2 profoundly changes this approach, and it is the Information Technology (IT) teams that will feel this change most in their day-to-day work.
The first major change brought about by NIS2 is the way risk is viewed. Until now, most organizations have focused on the “most important” assets, i.e., central servers, critical databases, or core business applications. The problem is that experience has shown that many serious incidents do not start with these assets. They start at seemingly secondary points, such as misconfigured equipment, an overlooked system, or a printer connected to the network without the proper safeguards. NIS2 is clear: it is no longer enough to protect what is critical at first glance. It is necessary to identify all assets, assess the associated risks, and define proportionate measures for each of them. For IT teams, this means a structural change in how they map, understand, and manage the technological environment as a whole.
The second major change is in how organizations view their supply chain. Suppliers and partners are no longer a “blind spot” in terms of cybersecurity. NIS2 requires companies to assess the risk posed by third parties and define minimum security criteria. It is not just a matter of trusting that “the supplier does its job well,” but of demanding evidence of maturity: processes, practices, adequate team size, or even certifications, where applicable. For IT teams, this implies much greater involvement in the selection, evaluation, and monitoring of suppliers, especially when they have access to critical systems or sensitive data.
Another relevant transformation concerns incident management. Traditionally, many incidents were handled “in the heat of the moment,” in emergency mode, with teams reacting under pressure to solve the immediate problem. NIS2 changes this paradigm by requiring prior preparation. Having incident response plans, documented procedures, clearly assigned responsibilities, and regular exercises is no longer optional. IT teams now have to train for scenarios, test decisions, and ensure that when an incident occurs—because it will—the response is faster, more coordinated, and more effective.
Finally, the directive reinforces the importance of business continuity. Not all incidents are cyberattacks: power failures, data center problems, or interruptions in critical services are part of reality. NIS2 requires organizations to think ahead about how to ensure that the business continues to function, even if in a limited way, and how to recover within an acceptable timeframe. This is especially critical not only for large organizations but also for companies that are suppliers to essential entities. A seemingly “small” failure can have a significant ripple effect.
Ultimately, what NIS2 brings to IT teams is not just more regulatory obligations. It brings a change in mindset. It moves from a reactive logic to a structured, preventive, and integrated approach, in which cybersecurity, risk management, and business continuity are no longer isolated issues but become part of the organization’s overall strategy. For many teams, this will be a demanding challenge, but also an opportunity to elevate the role of IT to a true pillar of resilience and trust in the business.