From Regulation to Resilience: How NIS2 Impacts Strategy and Spend
As cybersecurity moves from the server room to the boardroom, complexities in the implementation of new regulations are posing significant challenges to organisations. Delays in the adoption of the European Union's NIS2 cybersecurity directive across member states have left businesses with an unclear picture of the regulatory landscape.
NIS2, a unified legal framework that represents a major shift in how cyber risk is regulated and enforced across sectors in the EU, was meant to be transposed into national law by member states by October 17, 2024. Several months after that deadline passed, only 10 countries have completed transposition [1]. The European Commission has issued an update this month warning that if member states do not respond and take the necessary steps for full transposition in the next two months, it may decide to refer the cases to the EU Court of Justice [2].
In the meantime, however, nearly half the countries are still in the process of finalizing their national legislation, leaving businesses to operate in a landscape marked by evolving and, at times, unclear requirements.
This disconnect between EU-level ambition and national-level implementation introduces tangible difficulties for companies and business leaders. Organisations are expected to comply with laws that, in many jurisdictions, don’t fully exist yet. Executives are expected to make informed, forward-looking decisions, even in the absence of complete regulatory guidance.
Figure 1 highlights the fragmented adoption landscape, underscoring the legal and operational uncertainty facing businesses across the region.

Unlike its predecessor, NIS2 substantially expands both the scope and the stakes. It reinforces the EU’s vision of embedding digital resilience into the backbone of modern economies, not just to ensure compliance, but to protect critical value chains and secure long-term competitiveness.
Strategic Expansion Across Sectors
NIS2 builds upon the original NIS framework by deepening regulatory oversight in core sectors such as energy, transportation, banking, financial market infrastructure, healthcare and telecommunications infrastructure. It now extends to a broader range of industries including:
- Critical manufacturing (pharmaceuticals, chemicals, electronic devices)
- Production, processing and distribution of food
- Postal and courier services
- Space and satellite services
- Waste management
This expansion reflects a push by EU policymakers to secure essential services and industries against rising cyber threats. Accordingly, business leaders and investors must treat cybersecurity as a pillar of enterprise value and operational resilience, not just as a cost centre.
Key Implications for Executive Leadership
For business leaders, the directive has implications for everything from executive accountability to recalibrated cyber budgets, value realisation and non-compliance penalties. Below, we outline the main areas of focus and the actions that should be prioritised:
1. Executive Accountability and Governance
NIS2 elevates cybersecurity oversight to the board level. Article 20 of the directive requires management bodies to approve their entity's cybersecurity risk-management measures, oversee their implementation and undergo regular training; they can be held liable for infringements. That responsibility does not stop at the organisation's boundary: the required measures include supply-chain security, which extends oversight to third-party suppliers and service providers.
Key actions for boards include the following:
- Embed cyber oversight into board governance frameworks.
- Strengthen internal controls and escalation protocols.
- Ensure supplier and partner ecosystems meet defined cybersecurity thresholds.
2. Strategy-Driven Cyber Investment
The directive requires alignment between cybersecurity and enterprise risk management. CISOs and executive teams must demonstrate that investments are proportional to the risk landscape.
What this means:
- Treat cyber risk with the same intensity as financial or operational risk.
- Move from reactive spend to risk-based investment decisions.
- Integrate cyber metrics into enterprise dashboards and performance KPIs.
3. Budget Recalibration and Value Realisation
NIS2 will increase baseline cybersecurity spend, but not indiscriminately. Boards must demand efficiency, impact and traceability in every euro allocated.
Priority areas:
- Rationalise legacy investments and eliminate inefficiencies.
- Prioritise controls with tangible risk-reduction outcomes.
- Use budget planning to reinforce accountability and a measurable return on security investment (ROSI).
4. Regulatory Pressure and Enforcement
The directive introduces stricter sanctions for non-compliance: administrative fines of up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities, whichever is higher. Competent authorities can also issue binding instructions and, for essential entities, temporarily bar individuals at CEO or legal-representative level from exercising managerial functions. Together these elevate both financial and reputational risk, which means there must be clear internal ownership, documentation and demonstrable compliance maturity.
Executive imperatives:
- Define roles and responsibilities at every layer of the organisation.
- Conduct regular audits and maturity assessments.
- Foster a culture of continuous improvement in cybersecurity posture.
5. Supply-Chain Resilience as a Business Differentiator
NIS2 places supply-chain security at the centre of regulatory scrutiny. Organisations must ensure that cybersecurity is contractually enforced and continuously monitored across vendors.
Key Actions:
- Implement rigorous third-party risk management practices.
- Standardise cyber expectations across contracts and procurement.
- Treat supply-chain resilience as a strategic capability, not a compliance checkbox.
6. Cyber Resilience as a Commercial Asset
Beyond regulatory alignment, meeting NIS2 obligations signals operational maturity to stakeholders, including investors, clients and distribution partners. Increasingly, resilient organisations are seen as reliable partners, investment-worthy businesses and trustworthy brands.
For investors, cyber maturity correlates with:
- Reduced operational and reputational risk
- Greater business continuity assurance
- Enhanced enterprise value and long-term sustainability
Cross-Industry Executive Perspectives on NIS2 Strategies
Here are a few examples of how executives are responding across various industries to the challenges posed by NIS2 implementation in Europe.
1. Financial institution (mature programme): Strategic cybersecurity for systemic resilience
"As a national development and promotional bank, we are navigating a rapidly evolving cyber landscape shaped by NIS2, DORA, and the AI Act. In this context, where confidentiality and potential systemic impact are critical, cybersecurity must be approached strategically. Our programme integrates regulatory compliance with strong governance, continuous workforce training, inter-sector collaboration, and the adoption of advanced technologies. A cornerstone of our strategy is embedding security into both operational workflows and decision-making, built on zero trust and security-by-design principles. This is enabled by a well-structured budget that supports innovation, including the testing and implementation of predictive solutions to proactively manage risk.
Pro tip: Make cybersecurity a leadership priority, integrate it into strategic decisions, not just IT systems, and invest wisely to stay ahead of future risks."
— Chief Innovation Transformation and Operations Officer, Leading European Development Bank
2. Information and communications technology (mature programme): Cyber as a market differentiator in a tech-driven space
"Strategic investment in cybersecurity is no longer optional; it's a clear market differentiator. Demonstrating a serious, well-funded commitment to cyber resilience sends a strong message to customers: your organisation is ready to meet increasingly complex regulatory demands. This is especially true for ICT service providers and their clients, who are jointly affected by frameworks like NIS2 and other evolving regulations. Success requires a shared, proactive approach built on transparency, accountability and trust.
Pro tip: Position cybersecurity as a core business enabler; well-structured investment signals leadership, builds trust and future-proofs your organisation in an increasingly regulated digital landscape."
— Global Cybersecurity Counsel, Global B2B Technology Solutions Provider
3. Manufacturing (early adopter): NIS2 as a strategic opportunity to strengthen client partnerships
"Adopting NIS2 is not only a significant challenge, it’s also a strategic opportunity to reinforce partnerships with clients in high-stakes sectors like aerospace, defence, and medical technology. We’re leveraging this transition to engage our board by positioning compliance as a way to outperform competitors. Progress is tracked through clear, shared KPIs and reported monthly. The biggest hurdle remains cultural, especially beyond company boundaries, where supplier ecosystems come into play. We're now exploring initiatives to raise cybersecurity awareness across the supply chain.
Pro tip: Use NIS2 as a strategic lever to align the board, engage your supply chain, and turn compliance into a competitive edge that deepens client trust and operational resilience."
— Chief Operating Officer, Global Manufacturer of Industrial Dual-Use Goods
4. Chemical Sector (early adopter): NIS2 requires a cultural shift embedding cybersecurity in corporate governance
"NIS2 represents more than a regulatory update—it demands a cultural shift. It’s no longer sufficient to simply invest in cybersecurity; organisations must integrate it into their governance structures. This means raising awareness at the executive level, clearly defining accountability, and preparing for more rigorous scrutiny from clients regarding third-party risk. Companies will also need to demonstrate their level of compliance in a transparent and measurable way.
Pro tip: Treat compliance not as a burden, but as a lever for market trust and competitive advantage."
— Chief Information Security Officer, National Chemical and Pharmaceutical Manufacturer
From Compliance to Competitive Advantage
NIS2 is more than a regulatory obligation. It can be a strategic lever for modernisation, resilience and competitive advantage. Those who treat NIS2 as a board-level priority will shape industry standards, while others risk falling behind.
Executives who respond decisively by embedding cybersecurity into governance, aligning budgets with evolving risks and strengthening resilience across their value chains will lead the market as they establish strong grounds for trust, continuity and long-term value creation.
How A&M can support your cyber ambitions
A&M helps organisations assess cyber risk exposure across assets, processes and technologies by offering clear, business-aligned strategies for resilience and compliance. We work with leadership and boards to define practical roadmaps that strengthen cybersecurity maturity year-over-year, ensuring investments deliver measurable risk reduction and value.
During periods of transition or change (such as M&A or carve-outs), we help ensure continuity in cyber leadership, facilitate effective knowledge transfer and help the organisation achieve regulatory compliance in line with evolving industry standards and rules.
Our senior experts also test crisis readiness and help refine operating models to meet evolving expectations and industry standards. Our approach equips executive teams with the insight and structure needed to build resilience, justify investment and maintain trust in a complex regulatory and threat landscape.