NIS2 raised the cybersecurity bar across the EU, but many organizations still struggle to meet it. The reasons: wide scope, differences between countries, unclear local rules, legacy systems, staff gaps, and complex supply chains. Automation tools help, but they can't fix weak policies, unclear ownership, or bad asset data.
Below: what NIS2 covers, why automation alone isn't enough, current readiness numbers, and a practical roadmap.
What Is NIS2 and Why It Matters
NIS2 is the EU directive that raises the cybersecurity bar across many sectors. It requires better risk management, stronger incident reporting, clearer roles, and secure supply chains. The aim is to lower the risk that a single cyber event harms citizens or critical services.
The directive covers many more sectors and far more companies than the original NIS Directive. Many businesses now have to act, even if they never faced such requirements before.
Quick Facts
- Roughly 160,000 organizations across the EU fall under NIS2 coverage.
- As of mid-2025, about 14 of 27 EU member states had transposed the directive into national law.
- Independent research reports only 14% of organizations are fully ready. Average readiness scores land around 50 to 55% on key measures.
Those numbers explain the anxiety, even at companies that have already bought automation tools.
Why Automation Alone Doesn't Solve NIS2
Automation is useful, but it isn't a full answer. Here's why.
1. Scope and complexity of rules
NIS2 applies different expectations to different types of organizations. Some sectors face tighter rules, some face extra reporting duties. Because national laws may define scope differently, a company in scope in one country may be treated differently in another. A single automation setup can't cover that legal patchwork.
2. Transposition delays and legal uncertainty
Many EU countries delayed national laws. When rules aren't final, companies can't know exactly what evidence they'll need. That hesitation slows core system changes, even where automation is ready.
3. People and process gaps
Technology can't replace weak processes or unclear roles. NIS2 puts responsibility on top managers and boards. If ownership is unclear, automated alerts pile up without decisions. Automation generates data. Organizations still need people to act on it.
4. Legacy systems and poor asset data
Many companies run older systems that can't be easily monitored or integrated. Automation needs accurate asset lists, inventories, and network maps. Without that baseline, tools can't produce reliable output. ENISA reports show technical maturity is uneven across sectors.
5. Third-party and supply chain risks
NIS2 demands that organizations manage supply chain risk. Automation inside a company doesn't automatically cover suppliers, partners, and cloud vendors. Each third party has different logging, different security maturity, and different legal obligations. Without coordinated contracts and shared controls, you only see part of the risk.
6. Audit and evidence needs
Regulators want proof, not just tools. Automated logs must be accurate, tamper-resistant, and tied to governance. Many firms have automated alerts but lack the audit trails, policies, and documented reviews regulators will ask for.
Where Automation Helps
Used with clear policies and trained people, automation delivers most of the required controls quickly:
- Faster detection and response so teams meet NIS2 reporting windows.
- Streamlined access controls that enforce least privilege and reduce insider risk.
- A single view of assets and dependencies for impact analysis and reporting.
- Faster evidence collection, since logs and change histories become easier to assemble.
- Continuous checks and trend reports that show regulators improvement is ongoing, not one-time.
A Simple Roadmap to Close the Gap
- Confirm scope and name a senior owner for compliance.
- Build a living list of hardware, software, cloud services, and suppliers.
- Set basic security rules before buying tools.
- Apply automation to detection, access, logging, and incident handling.
- Add supplier controls into contracts and check compliance on a schedule.
- Run practice drills and retain the evidence.
- Track metrics: time to detect, time to contain, supplier risk scores.
Sector Gaps
- Healthcare and public services often run older devices that can't be patched. Hospitals are typically less ready for NIS2.
- ICT service providers host many clients, but their supply chains are complex. Small errors in vendor management can spread widely.
- SMEs often lack budget and staff. Many now find themselves in scope, and without those resources automation alone is ineffective. Governments should provide guidance and support.
Cost and Impact Estimates
- 160,000 to 300,000 organizations are expected to fall under NIS2, depending on how scope is interpreted.
- Only about 14% of organizations are fully ready. Average readiness hovers between 50 and 55% across sectors.
Most businesses need sustained investment through 2025 and 2026.
Practical Checklist
- Name a compliance owner.
- Build an asset list.
- Identify and check critical suppliers.
- Enable basic logging and retention.
- Run a tabletop incident drill.
- Ensure automation produces tamper-proof logs.
- Report top risks to the board.
Final Thought
Automation isn't enough on its own. NIS2 is as much about leadership, supplier controls, and documented proof as it is about technology. Companies that combine automation with governance will succeed. Those that expect tools alone to solve compliance will keep struggling.
Frequently asked questions
Act now. Start with the basics (ownership, assets, suppliers) even before your national law is final.

Written by
Atlas Team
The Atlas team brings together expertise in FDA regulatory intelligence, pharmaceutical quality systems, and inspection data analytics.