COMMENTARY: The EU’s NIS2 Directive, which came into effect in October, introduced stricter regulations and compliance requirements for entities operating critical infrastructure within the EU.
While NIS2 primarily targets organizations within Europe, its reach extends well beyond EU borders – impacting U.S. companies’ operations, compliance, and trade.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
For U.S. organizations, navigating overlapping regulations has become increasingly challenging, especially for stretched security teams. CISOs face growing personal accountability, with the stakes rising as bodies like the SEC pursue legal action against security executives. Building a culture of accountability and leveraging data are now essential to ensure adherence and avoid penalties.
Expanding compliance obligations for U.S. businesses
The NIS2 directive is part of a broader EU regulatory framework that is reshaping cybersecurity standards for U.S. businesses. Alongside the Digital Operational Resilience Act (DORA), which sets strict requirements for financial institutions and their ICT suppliers, and the Cyber Resilience Act, which mandates security requirements and assessments for software and hardware products sold in the EU, these laws signal a tightening web of extra-territorial compliance obligations.
Specifically, NIS2 applies to any medium-to-large organization that provides services in the EU in one of the sectors the directive lists as critical, regardless of where the company is headquartered. This means that U.S.-based companies operating in those sectors, which now include digital services, public administration, and manufacturing, are required to comply.
Supervisory authorities in EU member states can proactively audit organizations designated “essential entities,” while those classified as “important” are investigated after the fact when concerns arise. The penalties for non-compliance are severe, with fines reaching up to 2% of global annual turnover for essential entities and 1.4% for important entities. For multinational corporations, these penalties could translate into hundreds of millions of dollars, making compliance not just a regulatory obligation but a financial necessity.
Supply chain scrutiny and vendor accountability
A great deal of NIS2 focuses on supply chain security. EU-based organizations must demonstrate that their third-party suppliers meet the directive’s stringent cybersecurity standards. For U.S. businesses that serve as vendors to EU entities, this translates into increased scrutiny.
Companies unable to prove their compliance risk losing EU clients or being excluded from lucrative contracts. It’s particularly concerning for medium-sized enterprises or those in less-regulated industries now falling under the NIS2 umbrella. Achieving and demonstrating compliance – through robust controls and comprehensive monitoring – has become essential for business success.
Will NIS2 impact our trade with the EU?
While the NIS2 directive doesn’t directly impose tariffs, it introduces cybersecurity requirements and vendor screening processes that could act as non-tariff trade barriers, limiting market access for non-compliant U.S. companies. A recent Frontier Economics report highlights how these stricter obligations may increase operational costs for exporters, affecting pricing and competitiveness in EU markets. On top of this, the directive’s emphasis on supply chain security could slow trade flows, especially in industries reliant on complex global networks, potentially escalating trade tensions.
U.S. companies have to prove that robust cybersecurity controls are both in place and effective, a daunting task for those lacking mature monitoring processes. Gaining full visibility into assets, controls, and coverage gaps has become crucial. To meet these demands, security leaders must cultivate a data-driven culture that prioritizes compliance and minimizes risk.
Unlike finance or HR, where centralized analytics tools are the norm, cybersecurity teams often operate with fragmented, siloed data. This leaves CISOs struggling to address risks and regulatory requirements effectively. But by investing in comprehensive data solutions, U.S. companies can enhance security, demonstrate compliance, and safeguard their business relationships in the EU.
Why U.S. companies can’t ignore NIS2
NIS2 represents a paradigm shift in cybersecurity compliance. Its extraterritorial reach, stringent requirements, and severe penalties make it a critical priority for U.S. companies operating within or doing business with the EU. But beyond compliance, the directive’s indirect impact on trade and tariffs underscores the broader economic stakes.
U.S. companies must recognize that compliance is no longer confined to local laws. EU regulations increasingly demand proactive measures, with significant financial and operational stakes for those falling short. By investing in the right tools, fostering a culture of accountability, and embracing data-driven decision-making, U.S. companies can turn the challenges of NIS2 into opportunities.
Ensuring compliance is not just about avoiding fines: it’s about maintaining trust, securing market access, and positioning for success in a rapidly-evolving global landscape.
Leila Powell, head of data, Panaseer