By 2026, the European Union’s Network and Information Security Directive (NIS2) will have moved decisively from legislative framework to enforcement reality. Most regulated organisations now understand what the directive requires in theory. The harder question, and the one supervisory authorities are increasingly focused on, is whether those requirements translate into real operational capability.
The era of policy alignment is over. What matters now is evidence: can organisations detect incidents, contain them, report them, and prove under scrutiny that their controls, governance, and suppliers actually work?
NIS2 has been in force long enough for the conversation to shift from “what is it” to “show me.” In 2026, supervisory authorities across the Union will intensify oversight. The task for essential and important entities is straightforward to state and hard to execute: demonstrate that your detection, response, and third-party controls actually work. Paper will not pass.
Governance you can audit
Board accountability under NIS2 is not a figurehead clause. It requires demonstrable oversight: risk registers that connect business services to assets, funding decisions tied to exposure, and executive-level acceptance of residual risk. Training is not a slide deck; it is a cadence of exercises and decisions that leave a trail. Expect authorities to ask who decided what, on which evidence, and when.
Reporting that does not break the team
The directive’s early-warning and incident-reporting timelines are challenging under stress. Build muscle memory now. Automate the first-24-hour data pack: impact hypotheses, service dependency graphs, credential exposure assessment, regulator-friendly summaries, and a working theory of compromise with confidence levels. Tie this to your case system so you can submit updates at 72 hours and a final report at closure without rewriting history.
Controls that matter (and how to prove them)
Asset and exposure: You cannot defend what you cannot see. Maintain an authoritative inventory of internet-facing assets, exposed credentials, and third-party dependencies with owners and patch SLAs.
Identity: MFA coverage is table stakes; strong phishing-resistant factors for admins and high-risk workflows should be your norm. Session lifetime, step-up triggers, and device health must be policy, not suggestion.
Detection and logging: Prove that critical paths are observable. Show log retention, time synchronisation, and coverage for auth, network egress, and sensitive data stores. Demonstrate at least one recent case where telemetry led to a real control response.
Vulnerability and patch: Publish internal remediation timelines that beat vendor advisories and the public KEV list (CISA’s Known Exploited Vulnerabilities catalogue). Have an exception process with compensating controls and an expiry clock.
Suppliers: Classify vendors by blast radius. Require signed SBOMs and update provenance for those in critical paths, and test your ability to revoke access keys and rotate secrets at speed.
Audits without the dread
Treat audits as live-fire exercises. Build an audit pack that you can refresh quarterly: policies, architecture diagrams, evidence samples, penetration-test findings with remediation status, tabletop outcomes, and supplier attestations. Link each artefact to a control objective so you are not re-explaining context at every meeting.
Where identity meets NIS2
The identity layer is where many NIS2 programmes will succeed or fail. If you operate in Europe, wallet-based credentials and verifiable claims are converging with IAM. That matters for NIS2 because step-up logic, least privilege, and operator accountability depend on clean, evidence-backed identity decisions. Expect supervisors to ask how you bind human and machine actors to actions, how you revoke them, and how you prove it later.
A 90-day action plan
Readiness drill: Run a drill against one realistic incident class. Measure time-to-detect, time-to-contain, report completeness, and leadership decision latency.
Close the identity gap: Ensure phishing-resistant MFA for admins, service accounts on managed secrets, and emergency break-glass with monitoring.
Supplier triage: Identify your top ten high-blast-radius suppliers and get updated attestations, SBOMs, and key-rotation proofs.
KEV discipline: Declare a standing exception to change freezes for KEV-listed bugs; publish last-mile remediation metrics.
Evidence automation: Turn recurring outputs (patch status, IDS alerts, signing logs) into signed, time-stamped artefacts.
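The evidence-automation step above, combined with the audit-pack advice of linking each artefact to a control objective, as an added Python example that is not part of this post or of any TQS tooling. The file names, control identifiers and key are constructed assumptions, and HMAC-SHA256 with a shared key stands in for the asymmetric signature you would use in production so the example runs on the standard library alone.

```python
"""Wrap recurring security outputs (patch status, IDS alerts, signing logs)
in a signed, time-stamped manifest that binds each artefact to a control
objective, and verify that manifest later the way an auditor would."""
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed sample outputs; real ones come from your patch, IDS and CI systems.
ARTEFACTS = {
    "patch-status.json": b'{"kev_open": 0, "patched_7d": 42}',
    "ids-alerts.log": b"2026-01-10T08:02:11Z alert sid=1001 src=10.0.0.5\n",
    "signing.log": b"2026-01-10T07:55:00Z signed build=1.4.2 key=kms-prod\n",
}
# Hypothetical control identifiers; map these to your own control catalogue.
CONTROLS = {"patch-status.json": "VULN-01", "ids-alerts.log": "DET-02",
            "signing.log": "SUP-03"}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; keep the real key in a KMS/HSM

def _canonical(body):  # deterministic bytes so the tag covers exactly one encoding
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(artefacts, controls, now=None):
    """Hash every artefact, bind it to a control objective, timestamp and sign."""
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    entries = [{"name": n, "sha256": hashlib.sha256(b).hexdigest(),
                "size": len(b), "control": controls[n]}
               for n, b in sorted(artefacts.items())]
    body = {"generated_at": ts, "entries": entries}
    body["hmac"] = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body

def verify_manifest(manifest, artefacts):
    """Return (ok, problems): manifest tag check plus per-artefact hash match."""
    body = {k: v for k, v in manifest.items() if k != "hmac"}
    expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    problems = []
    if not hmac.compare_digest(manifest.get("hmac", ""), expected):
        problems.append("manifest signature mismatch")
    for e in manifest["entries"]:
        data = artefacts.get(e["name"])
        if data is None:
            problems.append(f"missing artefact {e['name']}")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"hash mismatch {e['name']}")
    return (not problems, problems)

if __name__ == "__main__":
    m = build_manifest(ARTEFACTS, CONTROLS)
    print(json.dumps(m, indent=1), verify_manifest(m, ARTEFACTS))
```

Any edit to an artefact or to the manifest itself (including its timestamp or control mapping) shows up as a named problem, which is the property an auditor needs from an evidence pack.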
The TQS Takeaway
NIS2’s centre of gravity in 2026 is proof of capability. If you can demonstrate that your controls, teams, and suppliers work under load—and produce trustworthy artefacts on demand—you will be fine. If not, fix that before someone else tells you to.