
Redesigning Business Continuity: NIS2 Calls for a New Approach

In 2022, cyber-attacks impacted millions. Today, they affect over a billion people worldwide (1). As this threat continues to grow, how can we effectively counter it? The new European NIS2 Directive — a non-prescriptive yet demanding regulation — seeks to strengthen resilience by making cybersecurity a strategic, organization-wide priority, particularly for entities critical to the economy. In this article, we explore how the introduction of NIS2 calls attention to cyber risks, business continuity, and third-party security, encouraging organizations to make these areas a priority.

Introducing NIS2 

The EU recently introduced NIS2 as a cornerstone of its resilience strategy — a critical regulation designed to strengthen protection against cyberattacks by enforcing a minimum security standard for all in-scope organizations, based on a single governance framework for risk management. NIS2 is already law in several European countries, with the Dutch implementation expected to come into force in Q3 of 2025 (2).

The Need for Action

As businesses rely on more IT, the number of vulnerabilities grows and the threat landscape expands with it. Unfortunately, while digital adoption is accelerating, security awareness and action are falling behind. NIS2 calls on companies to address this mismatch and integrate cybersecurity into their broader business strategies before it is too late.

The Driving Forces Behind NIS2 

In a nutshell, NIS2 seeks to: 

  • Set a Europe-Wide Security Standard: NIS2 implements cybersecurity strategies across Europe, requiring all essential and critical organizations to comply — no exceptions. 
  • Make Cybersecurity a Business Priority: Business leaders are personally accountable for protecting the company’s digital assets. Know your risks. Act on them. 
  • Boost EU-Wide Cooperation: EU countries must collaborate and share information to build a more robust, united defense against cyber threats. 

A Unique Risk-Based Approach  

NIS2 is a unique regulation. Sven de Bruin, Security Consultant at Xebia, explains, “Rather than prescribing specific actions, NIS2 takes a risk-based approach, urging companies to design and test their own processes based on their unique operational scale and threat exposure.” In other words, while it tells businesses what they need to achieve, like incident response timelines, it doesn’t prescribe how to get there. Francisco Dominguez, Research & Innovation Lead at Hunt & Hackett, provides an analogy: “Let’s say you’ve bought a bike and are looking for a lock. Depending on how much you spent on the bike and your monthly income, you can determine the best lock for your situation. NIS2 applies the same logic to business — evaluate what’s at stake and implement security measures that match your risks and resources.”  

What Does NIS2 Require?  

Beyond its risk-based approach, NIS2 stands apart from most compliance norms in several other ways. First, it sets explicit and short incident response timelines. Second, it emphasizes the importance of supply chain interdependencies. Third, it holds executives personally liable for ensuring compliance, using this as a strong incentive to drive implementation. 

Incident Response  

Under the NIS2 Directive, serious cybersecurity incidents must be reported quickly. De Bruin explains, “Organizations have 24 hours to submit an initial report with basic details on the impact and cause. Within 72 hours, they must provide a full update on the damage and how they’re handling it. A final, detailed report is due within one month, explaining what happened, why, and how it will be prevented in the future. This tight timeline demands that companies act quickly and have all necessary information readily available. As you can imagine, this can place significant strain on in-house teams.”   

Supply Chain Risk Management 

NIS2 is not just a compliance requirement; it's a strategic initiative to foster a proactive security culture — especially since businesses risk losing clients if their security posture falls below industry standards. Dominguez explains, “NIS2 is an N+1 law, meaning it applies to you and your first-line suppliers. If your supplier fails to meet the requirements, you must make a risk-based decision. Is he the only one who can supply your goods? Are there others? Non-compliance could put the supplier at risk of losing business. In this way, NIS2 introduces a strong business incentive for compliance.” The numbers don’t lie — 98% of Europe’s top 100 companies faced third-party breaches in 2024 (3), making it clear that companies can no longer afford to ignore their suppliers' security standards.

Accountability & Liability  

NIS2 introduces strict accountability, holding companies — and, for the first time, their executives — personally responsible for compliance. Like GDPR, non-compliance with NIS2 can lead to hefty penalties: up to €10 million or 2% of global annual turnover, whichever is higher. For context, GDPR violations have led to massive fines, such as Uber’s €290 million penalty for mishandling EU driver data — one of the largest penalties levied under the European Union’s GDPR since its inception (4). Beyond financial consequences, NIS2 violations can also cause significant reputational damage.   

NIS2 Compliance: Rethinking Business Continuity 

Preparing for NIS2 compliance starts with a review of your current plans. If you already have a Business Continuity Plan (BCP), it’s time to reassess. If not, it’s crucial to create one. As De Bruin explains, “Many businesses assume their risks are covered because they have a BCP. However, without cybersecurity integration, your risk analysis is incomplete. NIS2 demands a comprehensive risk assessment, with cybersecurity fully embedded.” Wilfred Vos, Security Engineer at Hunt & Hackett, adds, “Without cybersecurity in your BCP, you won’t be prepared to recover fast enough, especially under NIS2.” 

Examples  

Traditional Business Continuity Plans often focus on physical recovery, such as dealing with a collapsed building, rather than addressing the unique challenges posed by cyberattacks. The 2017 WannaCry ransomware attack highlighted this gap when many organizations were left paralyzed because their plans didn't account for the fast spread of malware or the infection of operational technology (OT) networks, leaving them unprepared to recover (5). Similarly, the 2021 cyberattack on the Irish Health Service Executive led to the complete shutdown of critical hospital systems. Ransomware from the hacker group 'Wizard Spider' encrypted sensitive data and caused financial losses exceeding €600 million (6).  

These examples show why NIS2 matters — to protect your business continuity and data. Requiring strong incident response, supply chain security, and executive accountability, NIS2 reshapes how you handle disruptions, making cybersecurity a core part of your BCP. With NIS2, your plan must not only cover physical recovery but also address cyber threats, ensuring you're ready for both digital and physical risks. 

How to Transition to a Cybersecurity Business Continuity Plan  

Conduct a Business Impact Analysis 

De Bruin explains, “Before building your Business Continuity Plan (BCP), it's crucial to first understand the impact of potential disruptions. This begins with a Business Impact Analysis (BIA) to understand, for instance, how much a day of downtime or data loss costs the business. This process helps the board set priorities and allocate resources effectively to ensure resilience. Once you have clear recovery time objectives (RTO) and recovery point objectives (RPO), your BCP can be structured to meet those goals.”

Protect What Matters Most   

After you’ve quantified your risks, identify your most critical assets and ask, “If we were fully compromised, what must remain protected at all costs?” De Bruin explains, “For example, pinpointing data that is highly sensitive and critical to your operations and understanding the associated risks will lead to more targeted security measures.”

“But remember,” Dominguez adds, “if you can access it, so can the attacker. That’s why, for instance, your backup should be a one-way street. Once you've backed it up, you should not have access to modify it.” He continues, “Critical data and systems must be securely backed up and completely isolated from operational systems. To strike a balance between isolation and efficiency, you can use tiered backup strategies — offline, immutable backups for critical data and faster-access backups for less sensitive information. In the past, offline backups like tape storage achieved this by being physically and functionally disconnected. Today, cloud backups offer convenience but require extra security precautions since they are always connected.”

Shift Left and Move Up  

“Alongside the shift-left approach in security, regulations like NIS2 are driving a critical ‘move up’ to the board level,” says Filip Chyla, Security Consultant at Xebia. He adds, “Boards must be involved not only because they set business goals and timelines for recovery but also because they need to understand the link between operations — like the production line — and the technology that powers it. Without this connection, your BCP will fail to address modern cybersecurity threats, especially in Operational Technology (OT).” 

A Risk-Based Plan 

Developing a risk-based plan is a collaborative effort. With the right team or partner, you can identify who might target your business, why, and the potential impact of such an attack. This enables you to align security measures with the most probable threats. A comprehensive plan should include: 

  • Threat Profiling: Identify potential threat actors and the assets they might target. Consider risks posed by third-party vendors, suppliers, and contractors with access to sensitive data, and evaluate their cybersecurity practices and breach history. 
  • Technology Assessment: Assess your technology infrastructure to identify critical systems and vulnerabilities. Link these systems to business processes and understand the impact of failure on operations. 
  • Security Posture Assessment: Review your current security measures, focusing on prevention, detection, and any gaps in compliance. Ensure current practices align with NIS2 requirements for cybersecurity risk management, incident reporting, and supply chain security. 

Once you have mapped out these risks, you're ready to build actionable plans, including Incident Response (IR) strategies, to respond effectively to potential cyber threats. 

Act Now to Secure Your Future  

Cyberattacks like ransomware, data breaches, and supply chain attacks consistently and successfully exploit even the slightest security vulnerabilities to inflict great damage. With Operational Technology (OT) systems now more connected to IT networks than ever, the attack surface has only expanded, leaving organizations more vulnerable to threats often aimed at disrupting critical services. Unfortunately, most traditional BCPs leave businesses with a false sense of security, because the recovery steps for a cyber threat are different from the traditional recovery steps. With cyberattacks growing in both frequency and severity, companies must act now. New regulations like DORA, CRA, and NIS2 offer a roadmap for strengthening cybersecurity. NIS2, for example, stresses the need for a risk-based, cybersecurity-driven approach to business continuity. By strengthening your cybersecurity measures, you not only comply with these regulations but also build resilience against emerging threats. The time to redesign business continuity is now. Integrate cybersecurity into every layer of your operations to protect your business, your customers, and your future.

_______________________________________________________________________________________

Sources 

1: Xebia, https://articles.xebia.com/microsoft-services/the-future-of-it 

2: Business.gov.nl, https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ 

3: The Global Treasurer, https://www.theglobaltreasurer.com/2024/12/17/98-of-europes-largest-companies-report-third-party-breaches-ahead-of-dora-deadline 

4: The Verge, https://www.theverge.com/2024/8/26/24228589/uber-eu-fine-gdpr-driver-data-transfer 

5: Wikipedia, https://en.wikipedia.org/wiki/WannaCry_ransomware_attack 

6: UpGuard, https://www.upguard.com/blog/biggest-data-breaches-europe 
