NIS2 and CRA: A turning point for cybersecurity
With the introduction of the NIS2 Directive and the Cyber Resilience Act, the baseline for cybersecurity is rising - and the impact goes beyond borders. These regulations do more than add requirements. They formalize accountability and raise the baseline for how organizations manage cyber risk. And they reflect a simple reality: cyber risk is business risk.
Growing pressure from both sides
Cyberattacks are becoming more frequent and more organized. A ransomware attack can stop operations for days. A weakness at one supplier can spread quickly across multiple organizations. When that happens, the impact is not limited to IT systems. It affects production, delivery schedules, contracts, and, ultimately, customer trust.
At the same time, regulation is becoming stricter and more concrete.
NIS2 extends cybersecurity requirements to many more organizations and sets clear expectations around risk management, incident reporting, and supply chain security. In simple terms, organizations must show that they understand their risks and actively manage them.
The penalties are not symbolic, reaching up to €10 million or 2% of global annual turnover for essential entities.
These are significant numbers. But the real change is not the fine itself; it is the shift in accountability.
A structural change
NIS2 makes one thing very clear: cybersecurity cannot be treated as a standalone technical function. It must be approved, understood, and overseen at the highest level of the organization. Security is expected to be visible and integrated into overall risk management.
This is not about adding more documentation. It is about closing real gaps.
Most security incidents do not happen because of one major failure. They happen because of small weaknesses, unclear ownership, siloed teams, and disconnected systems. Over time, these weak links create exposure.
Regulation is pushing organizations to look at these vulnerabilities more closely and to take a more structured approach to managing them.
As Jorma Issakainen, our SVP and Head of Critical Infrastructure, explains: “Regulation makes accountability clear, but the real objective is resilience. Cybersecurity is part of business continuity. Without visibility and ownership across the security environment, organizations remain exposed.”
Beyond compliance
NIS2 and the Cyber Resilience Act mark an important milestone. They define a minimum standard for how cybersecurity should be managed. But meeting the regulation is only the starting point.
The real challenge lies in implementation: aligning teams, clarifying responsibilities, and ensuring that systems and processes work together without gaps. Compliance can be documented. Resilience has to be built.
In the next article, we will look at where compliance efforts often fall short in practice, and why alignment across people, processes and technology makes the difference between formal compliance and effective security.
Because cybersecurity today is not simply about avoiding penalties. It is about protecting the foundations your organization depends on - every day.
If you’re looking for clearer oversight across systems, suppliers, and responsibilities, contact us to explore how a more integrated approach can support your NIS2 and CRA journey.
Key takeaway: NIS2 and CRA
NIS2 focuses on how organizations manage cyber risk: governance, accountability, incident handling, and supply chain oversight.
The Cyber Resilience Act focuses on how technology is built and maintained: secure products, lifecycle security, and vulnerability management.
Together, they close the gap between operations and technology. Compliance alone is not enough if responsibilities remain fragmented across teams and suppliers.