NIS2: From Compliance to Competitive Advantage

By Gil KATZ on November 12, 2025



Over the past few years, the European Union has significantly intensified its focus on cybersecurity. The journey began with the original NIS Directive in 2016, whose objective was primarily to raise cybersecurity maturity in critical sectors such as energy, transport and healthcare. Since then, the EU has introduced a much broader regulatory framework, including DORA, the Cyber Resilience Act (CRA) and NIS2, which greatly expands the scope of NIS to many additional industries and digital service providers.

While the Cyber Resilience Act (CRA), which we covered in a previous post, focuses on products and imposes secure-by-design requirements on software and hardware vendors, NIS2 focuses on organizations. It applies to entities delivering essential or important services in the EU and obliges them not only to secure their own systems, but also to manage the security of their relationships with suppliers, service providers and cloud providers (supply chain security is one of the risk-management measures listed in Article 21).

This creates a fundamental shift: cybersecurity is no longer only a technical discussion. It becomes a commercial and contractual one as well. Vendor due diligence, security questionnaires, and proof of compliance are now direct parts of sales and procurement.

What is NIS2?

NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) entered into force in January 2023, and member states had to transpose it into national law by 17 October 2024. Unlike the CRA, which focuses on product security, NIS2 focuses on operational risk management by the essential and important entities operating in sectors such as:

  • Banking and financial market infrastructure (for financial entities, DORA applies as the more specific regime)
  • Cloud computing and data centers
  • Healthcare and pharmaceuticals
  • Energy, transport, logistics
  • Digital infrastructure and managed service providers

NIS2 enforces a cybersecurity maturity level that is verifiable, trackable, and documented. For the first time, management bodies are explicitly on the hook: they must approve the risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held personally liable for failures in that governance.

The biggest shift: supply chain responsibility

Under NIS2, responsibility for cybersecurity robustness extends well beyond internal systems. Organizations must assess and manage the risk introduced by the vendors and services they rely on, including SaaS solutions, cloud providers, subcontractors, and any external party with access to their infrastructure or data. In other words: your security is no longer defined only by what you control, but also by who you work with. A single weak supplier can put an entire ecosystem at risk, and under NIS2, managing that risk becomes your responsibility.

Consider a simple example: an organization may have perfectly configured access control on its cloud infrastructure, but a third-party SaaS tool connected via API may hold a long-lived, over-scoped credential for that environment or expose an insecure integration. If that SaaS vendor is compromised, attackers can use the trusted connection to enter the organization's environment. Under NIS2, if the incident is significant, the organization must still report it within the NIS2 deadlines and be able to show the supervisory authority what due diligence it had performed on that supplier.
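The starting point for that due diligence is knowing which third parties hold a trusted connection into your environment at all. The following added example (it is not code from the original post nor a PanIAM component) inventories that for an AWS account by reading IAM role trust policies and reporting which external accounts can assume each role, whether the trust is protected by an sts:ExternalId condition (AWS's guard against the confused-deputy problem for vendor access), and whether the role trusts a wildcard principal. The account IDs, role names and policies are constructed sample data; in a real audit the same documents would come from iam.list_roles() in boto3.

```python
"""Inventory third-party (cross-account) access granted through IAM role trust policies."""
import fnmatch
import json
import re

OWN_ACCOUNT = "111111111111"  # assumption: the (hypothetical) account being audited

# Matches a bare 12-digit account ID or any IAM ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")

# Constructed sample roles in the shape returned by iam.list_roles(); hypothetical IDs.
SAMPLE_ROLES = [
    {"RoleName": "VendorMonitoringRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                       "Condition": {"StringEquals": {"sts:ExternalId": "vendor-42"}}}]}},
    {"RoleName": "LegacyBackupRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}},
            {"Effect": "Allow", "Action": ["sts:AssumeRole"],
             "Principal": {"AWS": ["arn:aws:iam::333333333333:role/backup-agent"]}}]}},
    {"RoleName": "CiRunnerRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:*", "Principal": "*"}]}},
    {"RoleName": "InternalAppRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"}}]}},
]


def _as_list(value):
    """IAM allows scalars or lists for Action, Principal.AWS and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return (set of AWS account IDs, wildcard flag) for a statement's Principal."""
    if principal == "*":
        return set(), True
    accounts, wildcard = set(), False
    for entry in _as_list(principal.get("AWS")):
        if entry == "*":
            wildcard = True
            continue
        match = ACCOUNT_RE.match(entry)
        if match:
            accounts.add(match.group(1))
    return accounts, wildcard


def _allows_assume_role(stmt):
    """True if the statement grants sts:AssumeRole (actions are case-insensitive, may be globs)."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase("sts:assumerole", action.lower())
        for action in _as_list(stmt.get("Action"))
    )


def _has_external_id(stmt):
    """True if any condition operator constrains sts:ExternalId."""
    for keys in stmt.get("Condition", {}).values():
        if any(key.lower() == "sts:externalid" for key in keys):
            return True
    return False


def audit_trust_policies(roles, own_account=OWN_ACCOUNT):
    """Return one finding per statement that lets an external party assume a role."""
    findings = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # the API may return the document URL-decoded JSON text
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement")):
            if not _allows_assume_role(stmt):
                continue
            accounts, wildcard = _principal_accounts(stmt.get("Principal", {}))
            external = sorted(acct for acct in accounts if acct != own_account)
            if not external and not wildcard:
                continue  # only our own account or AWS services: not third-party access
            external_id = _has_external_id(stmt)
            if wildcard:
                severity = "critical"  # anyone with any AWS account may try to assume it
            elif not external_id:
                severity = "high"      # vendor trust without confused-deputy protection
            else:
                severity = "info"      # documented vendor access, still needs due diligence
            findings.append({"role": role["RoleName"], "external_accounts": external,
                             "wildcard": wildcard, "external_id": external_id,
                             "severity": severity})
    return findings


def accounts_with_access(findings):
    """Map each external account ID to the roles it can assume (the supplier inventory)."""
    inventory = {}
    for finding in findings:
        for acct in finding["external_accounts"]:
            inventory.setdefault(acct, []).append(finding["role"])
    return {acct: sorted(roles) for acct, roles in inventory.items()}


if __name__ == "__main__":
    results = audit_trust_policies(SAMPLE_ROLES)
    for finding in results:
        print(f"{finding['severity']:8} {finding['role']:22} "
              f"accounts={finding['external_accounts']} wildcard={finding['wildcard']} "
              f"external_id={finding['external_id']}")
    print("supplier inventory:", accounts_with_access(results))
```

The inventory this produces is exactly the list of suppliers a due-diligence programme has to cover, and the severity column says where to start: a wildcard trust or a vendor trust without an ExternalId condition is a finding to fix before any questionnaire goes out. The same approach extends to other trust boundaries (OAuth applications granted to a tenant, deploy keys, SaaS webhooks with write access), but the data source differs per platform.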

Some of the new obligations introduced by NIS2 include:

NIS2 obligation: What it means in practice
Supplier cybersecurity due diligence: Assess every vendor before contracting and before onboarding it into your digital supply chain
Contractual requirements: Cybersecurity clauses are now standard in supplier and customer contracts
Continuous monitoring: Supply chain responsibility is ongoing, not a one-time onboarding check
Incident reporting (early warning within 24h, incident notification within 72h, final report within one month): Faster reporting with more transparency towards the competent authority

This shift is already visible in how organizations evaluate their suppliers, particularly in finance and other highly regulated industries. Security questionnaires that used to include 20 or 40 questions now routinely exceed 200, sometimes even 500. Procurement cycles that once took weeks can now stretch over several months, and companies increasingly request technical evidence rather than relying solely on policies, ISO certificates, or self-declarations.

For SaaS providers and cloud-native companies, this is transformational. Security is no longer a box to tick in the background, it has become a core stage of the sales cycle. The ability to demonstrate security posture, with clear and verifiable proof, now influences customer acquisition cost, deal velocity, and even whether a company is allowed to participate in a tender at all.

Being secure is no longer enough. You must be able to prove it - clearly, transparently, and quickly.

NIS2 as a differentiator, powered by PanIAM

NIS2 is often seen as a burden: more controls, more documentation, more supplier oversight. But for organizations that embrace it proactively, NIS2 becomes a commercial advantage.

Instead of asking: “How do we comply?” Leading organizations ask: “How do we use this to win?”

NIS2 as a compliance checklist vs. NIS2 as a strategic asset
Security is a cost center vs. Security is a selling point
Customer acquisition slows down vs. Customer onboarding accelerates as differentiation becomes clearer
Vendor management becomes bureaucracy-laden vs. Strong visibility speeds procurement and builds trust quickly

Companies that can prove cybersecurity, not just claim it, gain a decisive edge: they become easier to buy from.

PanIAM uses symbolic-reasoning AI to map your cloud infrastructure end-to-end and identify the specific identities, permissions, or resources that create real risk, not theoretical noise. This enables CISOs to:

  • document cloud risk posture for audits and board reporting
  • produce evidence for due diligence, audits and certifications (NIS2, CRA and DORA obligations, ISO 27001, etc.)
  • prioritize fixes that meaningfully reduce attack surface and blast radius
  • focus vendor due diligence where it matters most, by knowing exactly which suppliers have access to critical resources and which pose minimal risk.

Instead of generating thousands of generic findings, PanIAM provides clear, visual, and auditable proof of control, which is the kind of evidence procurement teams, auditors, and regulators ask for.

With PanIAM, security isn’t just stronger - it becomes demonstrable.

Final takeaway: preparation starts now

NIS2 is more than just another cybersecurity law: it reshapes how companies buy, sell, and build trust. The winners won't be those who claim they are secure, but those who can prove it.

Start early: map your critical suppliers, implement governance, and document controls before a customer or regulator asks. Remember, your supply chain is already part of your attack surface, and the sooner you manage it, the stronger your resilience and competitive edge will be.
