NIS2 and modern IT systems — what changes in practice
20 January 2026 · 7 min read
The NIS2 directive affects providers and organisations using cloud and integration services. Below are the areas worth addressing in your architecture.

Key takeaways
- NIS2 broadens the scope of entities with obligations — not only “critical infrastructure” in a narrow sense.
- Leadership must understand cyber risk; technical controls without governance will not pass audit.
- Supply chain (SaaS vendors, integrators) is in scope — contracts and monitoring must reflect that.
- Segmentation, MFA, backups and incident registers are architecture elements, not a later side project.
- Compliance can align with agile delivery when requirements are in DoD and reference architecture.
Who is affected and what changes
NIS2 sets a common baseline for cyber risk management in the EU. It applies to digital service providers, high-risk sectors and organisations with extensive cloud and integration landscapes. In practice that means auditable processes, not only “we have a firewall”.
Organisational requirements
Security policies, risk analysis, training, incident management and reporting to authorities, all with clear timelines. Align with an existing ISMS (ISO 27001) or build a lean NIS2-oriented ISMS instead of duplicating paperwork.
Technical requirements in systems
Access control (MFA, least privilege), encryption in transit and at rest, backups with recovery drills, security logging and monitoring, API and admin hardening. On Next.js/PostgreSQL stacks we add security headers, rate limiting and CMS change audit trails.
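As an added illustration of two of the controls listed above (security headers and rate limiting on admin/API paths), the following is example code written for this article, not the project's own middleware. It is framework-agnostic so it runs on its own; in a real Next.js app the returned header map would be copied onto the response in `middleware`, and the CSP value is an assumed starting point that must be tuned to the app's real script and style sources.

```javascript
// Baseline security headers; CSP is an assumed starting point (constructed here).
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// Sliding-window limiter keyed by client (IP or API key). Keeps request
// timestamps per key and discards those older than the window.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // true = request allowed; false = caller should answer HTTP 429.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // keep the pruned list, do not record the rejected hit
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Middleware-shaped handler: rate-limits admin and API paths only, attaches
// the headers to every response. `req` is a constructed {path, clientKey}.
function handle(req, limiter, now = Date.now()) {
  const protectedPath = req.path.startsWith("/api/") || req.path.startsWith("/admin");
  if (protectedPath && !limiter.allow(req.clientKey, now)) {
    const retry = String(Math.ceil(limiter.windowMs / 1000));
    return { status: 429, headers: { ...securityHeaders(), "Retry-After": retry } };
  }
  return { status: 200, headers: securityHeaders() };
}
```

The 429 path and the per-client isolation are the two things an auditor will ask you to demonstrate, so a test that exercises them is worth keeping alongside the middleware.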
Supply chain and contracts
Keep a critical vendor list and security clauses in contracts (SLA, breach notification, data location). For API integrations, maintain contracts, versioning and a dependency register so you understand the impact when a vendor fails.
Next steps
- Determine if your organisation is an essential or important entity under NIS2.
- Compare current policies with NIS2 and ISO 27001 Annex A.
- Complete the asset register and integration map (including SaaS).
- Schedule a backup recovery test and an incident exercise.
- Book an architecture review with product and security teams.