Why NIS2 is Still Hard for Companies, Even with Automation Tools

tl;dr: NIS2 was designed to make Europe safer online; however, many firms still find it hard to meet the rules. The reasons include wide scope, differences between countries, unclear local rules, legacy systems, staff gaps, and complex supply chains. Automation helps, yet it cannot fix weak policies, unclear responsibilities, or poor data. Below I explain the full picture, show current numbers from 2024 and 2025, give realistic next steps, and end with five FAQs, including how Atlas Compliance can help.

What is NIS2 and why it matters

NIS2 is the EU law that raises the bar for cyber security across many sectors. It asks companies to have better risk management, stronger incident reporting, clear roles, and secure supply chains. The aim is simple: lower the risk that a single cyber event harms citizens or critical services.

Importantly, the law covers many more sectors and far more companies than the previous rule. This means more businesses must act now, even if they never faced such rules before.

Quick facts that matter today

The new rule expands coverage to many sectors, and estimates put the number of companies affected around 160,000 organizations across the EU.

Many member states were slow to put NIS2 into national law, creating uncertainty for companies that operate across borders. As of mid-2025, roughly 14 of 27 EU member states had transposed the directive into local law.

Independent research shows only a small share of organizations are fully ready for NIS2. For example, one study reported that just 14 percent of firms were fully ready, while the majority were only partly ready.

Other surveys show an overall readiness gap, with average scores around the mid fifty percent range on key measures. This means many basics are still missing.

These numbers explain why many organizations are anxious, even when they buy automation tools.

Why automation alone does not solve NIS2

Automation tools are useful; however, they are not a full answer. Here are the main reasons.

1. Scope and complexity of rules

NIS2 applies rules to different types of organizations with different expectations. Some sectors face tighter rules, some have extra reporting duties. Because national laws may define scope differently, a company that is in scope in one country may be treated differently in another. This legal patchwork makes a single automation setup risky.

2. Transposition delays and legal uncertainty

Many EU countries were late in adopting their local laws. When laws are not yet final, companies cannot know exactly how to prove compliance. Consequently, firms hesitate to change core systems until rules are clear, even if they have automation tools ready.

3. People and process gaps

Technology cannot replace weak processes or unclear roles. NIS2 requires that top managers and boards take responsibility. If responsibility is not clear, automated alerts pile up without decisions. In short, automation generates data, but organizations still need people who know what to do with that data.

4. Legacy systems and poor asset data

Many companies run older systems that cannot be easily monitored or integrated. Automation tools need accurate asset lists, inventories, and network maps. If a firm lacks that basic data, tools cannot give reliable outputs. ENISA and other reports show technical maturity is uneven across sectors, which slows effective automation.

5. Third party and supply chain risks

NIS2 demands that organizations control risks in their supply chains. Automation inside a company does not automatically cover dozens of suppliers, partners, and cloud vendors. Each third party may have different logging, different security maturity, and different legal obligations. Without coordinated contracts and shared controls, automation will only show part of the risk.

6. Audit and evidence needs

Regulators do not only want tools; they want proof. Automated logs must be accurate, tamper resistant, and linked to governance. Many firms have automated alerts, but they lack the audit trails, internal policies, and documented reviews that regulators ask to see. Tools help collect data, yet companies must still prepare evidence packages with context and sign-off.
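
One way to make an automated log tamper resistant and tie each entry to a documented review, shown as an added example that is not part of the original article or any vendor's product. It chains records with HMAC-SHA256; the record fields, the reviewed_by sign-off field, and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record
FIELDS = ("seq", "event", "actor", "reviewed_by")


def _mac(key, prev, body):
    # Canonical JSON so the same record always serializes to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()


def append(log, key, event, actor, reviewed_by=None):
    """Append a record whose MAC covers its content and the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "event": event, "actor": actor, "reviewed_by": reviewed_by}
    record = dict(body, prev=prev, mac=_mac(key, prev, body))
    log.append(record)
    return record


def verify(log, key):
    """Return the index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec[k] for k in FIELDS}
        ok = (rec["seq"] == i and rec["prev"] == prev
              and hmac.compare_digest(rec["mac"], _mac(key, prev, body)))
        if not ok:
            return i
        prev = rec["mac"]
    return None


def unreviewed(log):
    """Sequence numbers of records with no documented sign-off (evidence gaps)."""
    return [rec["seq"] for rec in log if rec["reviewed_by"] is None]


def demo():
    key = b"constructed-demo-key"  # assumption: real key is held outside the logging host
    log = []
    append(log, key, "firewall rule changed", "svc-automation", reviewed_by="ciso")
    append(log, key, "admin account created", "svc-automation")
    append(log, key, "incident closed", "soc-analyst", reviewed_by="ciso")
    intact = verify(log, key)
    log[1]["actor"] = "nobody"  # simulate an after-the-fact edit to the evidence
    return intact, verify(log, key), unreviewed(log)
```

The chain detects edits, insertions, and deletions in the middle of the log, but not removal of the newest records; catching that requires recording the latest MAC somewhere the log writer cannot change.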

Where automation helps a lot

Even with limits, automation is strong where used the right way. When combined with clear policies and people, tools can deliver most of the required controls quickly.

Central benefits of automation

- Faster detection and response, so teams spot incidents sooner and meet the NIS2 reporting windows.
- Streamlined access controls, which help enforce least privilege and reduce insider risk.
- A single view of key assets and dependencies, which helps in impact analysis and reporting.
- Faster evidence collection, because logs and change histories become easier to assemble.
- Continuous checks and trend reports to show regulators that improvement is not one-time but ongoing.

Best simple roadmap for firms that want to fix the gap

- Confirm scope and name a senior person who owns compliance.
- Build a living list of hardware, software, cloud services, and suppliers.
- Set basic security rules before buying tools.
- Apply automation to detection, access, logging, and incident handling.
- Add supplier controls into contracts and check compliance regularly.
- Run practice drills and keep the evidence.
- Track metrics like time to detect, contain, and supplier risk scores.

Real-life examples and sector gaps

Healthcare and public services often use old devices that cannot be patched. Hospitals are therefore less ready for NIS2 rules.

ICT service providers host many clients, but their supply chains can be complex. Small errors in vendor management can spread widely.

SMEs often lack budgets and staff. They now find themselves in scope, making automation alone ineffective. Governments are urged to provide guidance and support.

Cost and impact estimates

- Around 160,000 to 300,000 organizations are expected to be covered under NIS2 depending on scope.
- Only about 14 percent of organizations are fully ready. Average readiness scores hover around 50 to 55 percent across sectors.

This shows many businesses will need sustained investment through 2025 and 2026.

Future expectations through 2026 and beyond

- As more countries finalize laws, compliance will stabilize and become easier to plan.
- Boards and supply chains will face the most regulatory scrutiny.
- RegTech solutions will grow, combining automation with governance and audit evidence.

Practical checklist

Name a compliance owner.
Make an asset list.
Identify and check critical suppliers.
Enable basic logging and retention.
Run a tabletop incident drill.
Ensure automation produces tamper-proof logs.
Report top risks to the board.

Final thoughts: Automation is not enough on its own. NIS2 is as much about leadership, supplier controls, and documented proof as it is about technology. Companies that combine automation with governance will succeed. Those that expect tools alone to solve compliance will continue to struggle.

Five FAQs

1. How soon must my firm act if NIS2 might apply to us?
Act now. Start with basics like roles, assets, and suppliers even before your national law is final.

2. Can automation tools make us NIS2 compliant by themselves?
No. Tools help, but compliance also needs clear policies, responsibilities, and supplier oversight.

3. What do regulators want to see in an inspection or audit?
They want documented policies, assigned accountability, incident logs, supplier evidence, and proof of regular reviews.

4. How big is the readiness gap across Europe right now?
Studies show only 14 percent of organizations are fully ready, and average readiness is around 50 percent.

5. Does Atlas Compliance help with NIS2, and how?
Yes. Atlas Compliance provides real-time regulatory news, a large database of inspection findings, and an AI copilot to speed evidence collection. It helps firms monitor relevant updates, compare cases, and prepare audit proof documentation. Still, Atlas works best when combined with clear processes and supplier controls. Learn more at Atlas Compliance.
