Navigating the EU NIS2 Directive with TAPA’s Cyber Security Standard

The evolving cybersecurity landscape

In today’s interconnected world, supply chains have become increasingly complex and digitized, enhancing efficiency but also exposing organisations to a myriad of cyber threats. Cybercriminals are no longer just targeting individual companies; they are exploiting vulnerabilities across entire supply networks, causing disruptions that ripple through industries and economies.

Recognising the escalating cyber risks, the European Union has introduced the NIS2 Directive – a comprehensive legislative framework aimed at strengthening cybersecurity across critical sectors. Building upon the original NIS Directive, NIS2 expands its scope and imposes stricter security requirements to address the evolving threat landscape.

For TAPA EMEA members, understanding and aligning with NIS2 is not just about regulatory compliance; it is about safeguarding operations, protecting assets, and ensuring the resilience of the supply chain. By proactively adopting robust cybersecurity measures, organisations can mitigate risks, maintain stakeholder trust, and contribute to a more secure and resilient digital ecosystem.

Understanding NIS2: A brief overview

The Network and Information Security Directive 2 (NIS2), formally known as Directive 2022/2555, represents the European Union’s comprehensive effort to enhance cybersecurity across its Member States. Building upon the foundations of the original NIS Directive (NIS1), NIS2 introduces more stringent requirements and a broader scope to address the evolving landscape of cyber threats.

Key objectives of NIS2

NIS2 aims to establish a high common level of cybersecurity across the EU by:

  • Expanding the Scope: Unlike its predecessor, NIS2 encompasses a wider range of sectors and entities, recognising the interconnectedness of modern digital infrastructures.
  • Enhancing Risk Management: Organisations are required to implement comprehensive cybersecurity risk management measures, ensuring resilience against potential threats.
  • Improving Incident Reporting: NIS2 mandates timely reporting of significant cybersecurity incidents, facilitating rapid response and mitigation.
  • Strengthening Supply Chain Security: Acknowledging the complexities of modern supply chains, the directive emphasises the importance of securing third-party relationships.
  • Ensuring Governance and Accountability: Management bodies are held accountable for compliance, promoting a culture of cybersecurity awareness at all organisational levels.

Member States were required to transpose NIS2 into national law by October 17, 2024.

Applicability: Who needs to comply?

NIS2 applies to entities classified as either “Essential” or “Important,” based on the criticality of the sector and the size of the organisation.

Essential Entities

These include organisations in sectors such as:

  • Energy
  • Transport
  • Banking
  • Healthcare
  • Drinking water
  • Digital infrastructure
  • Public administration
  • Space

Important Entities

These encompass sectors like:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production
  • Manufacturing
  • Research

In principle, NIS2 applies to medium and large enterprises, defined as organisations with:

  • 50 or more employees, and/or
  • An annual turnover or balance sheet total exceeding €10 million.

However, certain entities are subject to NIS2 regardless of size, including providers of publicly available electronic communications services, trust service providers, and DNS service providers.

Key requirements of NIS2

The NIS2 Directive outlines a set of minimum cybersecurity requirements that all in-scope organisations must implement to reduce their exposure to cyber threats and improve collective resilience across the European Union. These requirements are not one-size-fits-all – they must be applied in a risk-based, proportional manner according to the size, sector, and specific risk profile of the entity.

Below is a deeper look into the core components that organisations need to focus on:

Risk management measures

At the heart of NIS2 lies the expectation that cybersecurity must be a proactive, continuous process – not a reactive afterthought. Organisations must:

  • Integrate a risk management framework within business processes to effectively identify and prioritise vulnerabilities and threat vectors relevant to the organisation’s industry and operations.
  • Tailor technical and organisational safeguards – such as firewalls, intrusion detection systems, access controls, and encryption – to the level of risk involved.
  • Regularly reassess the evolving threat landscape and adjust protective measures accordingly, including risks stemming from dependencies like cloud services or IoT infrastructure.
  • Incorporate cybersecurity into governance by ensuring that roles, responsibilities, and escalation paths are clearly defined and documented.

Incident handling and reporting

Timely incident management is a cornerstone of NIS2. The Directive mandates a structured, multi-step reporting process:

  • Organisations must notify the Computer Security Incident Response Team (CSIRT) or national competent authority of a significant incident within 24 hours of becoming aware of it.
  • A follow-up report must be submitted within 72 hours, containing an initial assessment of the incident, its severity, and potential impact.

The competent authority may also request one or more intermediate progress reports.

A final report is required within one month, documenting root cause analysis, remediation actions, and lessons learned.

Beyond regulatory compliance, a well-practiced incident response plan is essential to minimise operational disruption and reputational damage.

Supply chain and third-party risk management

NIS2 explicitly acknowledges that a chain is only as strong as its weakest link. Organisations must:

  • Evaluate the security posture of vendors, logistics providers, IT service partners, and other external parties.
  • Include cybersecurity requirements in contracts to ensure that suppliers meet baseline controls.
  • Implement monitoring procedures to identify changes in risk exposure across the supply ecosystem.
  • Prepare contingency plans in case a third party becomes the entry point for a breach, as seen in multiple high-profile cyberattacks in recent years.

This requirement forces organisations to shift from focusing solely on internal systems to securing the full digital and operational ecosystem.

Business continuity and crisis management

Cyberattacks do not just steal data – they disrupt services. NIS2 requires that entities:

  • Develop comprehensive business continuity plans (BCPs) and Disaster Recovery plans (DRPs) that consider cyber-specific scenarios, such as ransomware, data corruption, and extended service disruptions.
  • Conduct periodic exercises and simulations to ensure the readiness of crisis teams and validate recovery procedures.
  • Ensure backup systems and redundancy are in place, tested, and secured to prevent data loss or compromise.
  • Embed communication strategies in crisis planning – both for internal coordination and for managing external stakeholders such as customers and regulators.

Resilience is not just about surviving the attack – it’s about resuming operations quickly and with minimal disruption.

Governance, accountability, and leadership responsibility

NIS2 establishes clear expectations that cybersecurity is a board-level issue, not just an IT concern. This includes:

  • Holding executive leadership accountable for ensuring the organisation is compliant with NIS2 requirements.
  • Mandating that senior management receives cybersecurity awareness and risk training, enabling them to make informed decisions.
  • Encouraging boards to appoint dedicated roles or committees to oversee security governance, performance, and strategy.
  • Requiring that cybersecurity be embedded in strategic planning, procurement, and investment decisions.

This shift ensures that cybersecurity becomes an integral part of organisational culture and leadership accountability.

These requirements represent a modern, comprehensive approach to cyber resilience. They reinforce that cybersecurity must be treated as a strategic function – built into operations, not bolted on after the fact. TAPA members, particularly those in transport, logistics, and digital infrastructure, are well-positioned to act now by integrating these principles through existing frameworks like the TAPA Cyber Security Standard (CSS), creating a direct path to NIS2 readiness.

Leveraging TAPA CSS for NIS2 compliance

TAPA’s Cyber Security Standard (CSS) is a practical framework that aligns closely with the requirements of the NIS2 Directive. It gives organisations a systematic, well-structured approach to cybersecurity management, with practical guidelines and specific controls that can be deployed to strengthen digital defences across operational domains while supporting the organisation’s effort to align with NIS2 requirements.

Risk management and information security policies

NIS2 mandates that organisations develop and maintain comprehensive risk management frameworks and establish robust information security policies designed to protect critical systems and data. CSS addresses this by requiring entities to conduct regular risk assessments and develop policies that safeguard sensitive data, ensuring the integrity, availability, and confidentiality of information within the supply chain.

In response to these regulatory demands, CSS provides a structured approach that fully addresses these requirements through specific, actionable guidelines. Under the CSS framework, organisations are required to perform systematic, documented risk assessments on a regularly scheduled basis. These assessments must identify potential vulnerabilities, evaluate the likelihood and potential impact of various threat scenarios, and prioritise remediation efforts based on risk severity. This methodical approach to risk management is in alignment with NIS2 expectations for proactive threat identification and mitigation planning.

Incident Handling and Reporting

The NIS2 Directive establishes stringent requirements for organisations regarding cybersecurity incident management, specifically mandating the implementation of comprehensive incident handling protocols and formal reporting mechanisms.

These requirements necessitate that entities develop and maintain well-documented procedures for detecting, analysing, containing, and remediating security incidents across their digital infrastructure. Additionally, NIS2 imposes a legal obligation for organisations to promptly notify designated regulatory authorities when significant cybersecurity incidents occur, ensuring proper oversight and coordinated response to potential threats.

Correspondingly, CSS requires organisations to develop, document, and regularly test formal incident response plans that cover the entire incident lifecycle. These plans must include specific procedures for the timely identification of security events through monitoring systems and anomaly detection mechanisms, systematic analysis of potential incidents to determine scope and severity, immediate containment strategies to limit potential damage, and thorough remediation processes to restore normal operations.

Supply chain security

Related to supply chain security, the NIS2 Directive places substantial emphasis on the critical importance of establishing and maintaining comprehensive security measures throughout the entire supply chain ecosystem. This regulatory framework requires organisations to implement structured, methodical approaches for identifying, evaluating, and actively managing the diverse range of risks that may emerge from relationships with third-party suppliers, vendors, service providers, and other external entities that have access to critical systems, infrastructure, or sensitive data.

On this specific topic, CSS provides a highly compatible and comprehensive framework that directly addresses these supply chain security mandates through its detailed specifications and structured methodology. The standard establishes clear, actionable requirements for organisations to conduct thorough, documented vendor risk assessments before establishing business relationships and on a recurring basis throughout the engagement lifecycle.

Business continuity and crisis management

In the Business Continuity and Crisis Management areas, the NIS2 Directive establishes critical regulatory requirements focused on ensuring organisational resilience and operational continuity in the face of cybersecurity incidents and other disruptive events. This framework mandates that organisations develop robust strategies and documented procedures to maintain essential business functions during crisis situations, facilitate rapid recovery following incidents, and minimise potential operational disruptions that could impact critical services or infrastructure.

Here, CSS offers a comprehensive framework that directly addresses all these business continuity and crisis management requirements through detailed specifications and structured methodologies. The standard mandates that organisations develop, implement, and regularly test formal business continuity plans that identify critical business processes, establish recovery time objectives, define resource requirements, and outline specific procedures for maintaining operational continuity during various disruption scenarios.

Governance and accountability

The NIS2 Directive establishes a clear regulatory framework that explicitly places the ultimate responsibility and accountability for cybersecurity compliance directly on the management bodies and senior leadership of organisations. This approach recognises that effective cybersecurity requires commitment and engagement from the highest levels of organisational hierarchy, with executive leadership bearing specific legal obligations for ensuring appropriate security measures are implemented and maintained. The directive mandates that senior management must be actively involved in approving cybersecurity strategies, allocating sufficient resources, and establishing clear lines of accountability throughout the organisation.

In the same vein, CSS provides a comprehensive governance framework that directly supports and reinforces these accountability requirements through detailed specifications for organisational security governance structures and leadership responsibilities. The Standard requires the establishment of formal governance mechanisms where executive leadership demonstrates visible commitment to cybersecurity through documented policies, strategic decision-making, and regular oversight activities. These governance structures must include designated security leadership roles with clearly defined responsibilities, authorities, and reporting relationships that ensure security considerations are integrated into business planning and operational decisions.

Actionable steps for TAPA members

Understanding the NIS2 Directive is only the first step. The real challenge – and opportunity in this case – lies in implementation. While many TAPA members may already have foundational security practices in place, aligning with NIS2 requires refining and formalising them into a cohesive, risk-driven cybersecurity management system.

Here are five pragmatic steps TAPA members can take now to move from awareness to action:

Perform a targeted applicability assessment

Before committing resources, organisations must determine with certainty whether NIS2 applies to them – and in what capacity.

  • Map your core services and operations against the NIS2 sector lists (Annex I and II) and size thresholds.
  • Identify whether you fall under the “Essential” or “Important” entity category, which determines the level of regulatory oversight.
  • Review contracts with clients and public authorities to understand if third-party obligations may indirectly impose NIS2 compliance expectations (e.g., subcontractor requirements).
  • Document your applicability status, even if you are out of scope – this may become valuable for audits, stakeholder queries, or future strategic planning.

Map current controls to NIS2 requirements

Conduct an internal review of your existing cybersecurity and risk management practices, focusing on:

  • Policies and procedures (e.g., access control, incident handling, vendor management, management of technical vulnerabilities, etc.).
  • Technical infrastructure (e.g., firewalls, encryption, endpoint detection).
  • Organisational roles and responsibilities (e.g., cybersecurity governance and leadership accountability).
  • Training, awareness, and response capabilities.

This exercise should help identify what is already aligned and where meaningful gaps remain – not only in documentation, but in operational execution.

Design a prioritised implementation roadmap

Once gaps are identified, do not try to fix everything at once. Instead, create a phased improvement plan:

  • Classify actions by risk exposure and compliance urgency.
  • Schedule high-impact, low-complexity improvements early (e.g., formalising existing practices, enabling multi-factor authentication).
  • Assign owners and timelines and integrate the roadmap into ongoing risk management or quality system processes.
  • Make the roadmap visible to leadership, with regular status updates and key performance indicators.

Engage the broader organisation

Cybersecurity cannot succeed in isolation. To build an organisation-wide security culture:

  • Roll out tailored training and awareness programmes for leadership, operations, IT, and logistics staff.
  • Run tabletop exercises to simulate realistic cyber or supply chain disruption scenarios.
  • Encourage business units to own parts of the implementation plan – this builds accountability and accelerates execution.

Adopt the TAPA CSS as a strategic anchor

Rather than creating a compliance system from scratch, leverage the CSS as a recognised baseline for:

  • Structuring policies, controls, and audits.
  • Demonstrating readiness and good faith efforts to regulators and clients.
  • Aligning cybersecurity with physical security and transport risk disciplines already familiar to TAPA members.

The CSS offers a sector-relevant approach that reduces complexity and increases internal alignment.

Conclusion: Building resilient supply chains through strategic action

The clock is ticking. With NIS2 transposition into national law overdue since October 17, 2024, organisations across Europe must move beyond awareness and into action. Some countries have already aligned their national legislation to the Directive whereas most of the remaining countries are close to finalising legislative compliance.

Next, we present 10 guiding rules to help your organisation prepare to meet the requirements of NIS2:

  • If your organisation has not assessed whether NIS2 applies to you, now is the time.
  • Do not wait to be told you are in scope – anticipate it.
  • NIS2 covers a wide range of sectors with low size thresholds, which is likely to bring many TAPA members into scope.
  • Conducting a straightforward scoping analysis is a critical first step.
  • CSS offers an industry-focused framework and can serve as a stepping stone toward NIS2 compliance.
  • Adopting CSS implements security practices that improve your cyber defence posture immediately.
  • CSS builds a culture of resilience – precisely what NIS2 demands. This enables a strategic approach to compliance.
  • Regulatory pressure can become an opportunity to enhance operational reliability, stakeholder confidence, and competitive standing.

The question is not: “Will we be affected?” – the question is “Are we ready?”

For those who act now, using CSS as a launchpad, NIS2 is not a burden – it is a catalyst for long-term value.

Resources and further reading…

TAPA CSS 2025 Standard

NIS2 Directive Overview

NIS2 Directive Documents

ENISA Implementation Guidance

NIS2: Where do European Countries Stand on Implementing Cybersecurity Strategies?

For further assistance, TAPA members are encouraged to contact the TAPA Standards Team at standards@tapaemea.org
