
NIS2 has crossed from the legal team's inbox into the investor's risk framework. Once a regulation carries personal liability for executives, fines up to 2% of global turnover, and enforcement across 27 member states. It stops being a compliance nuance and becomes a business variable.
Here is what that actually means in practice.
The NIS2 Directive (EU) 2022/2555 expanded the EU's cybersecurity obligations from a narrow set of critical infrastructure operators to an estimated 160,000 entities across 18 sectors. Manufacturing, logistics, food production, waste management, postal services, public administration - all in scope for the first time, alongside traditional players like energy, health, and finance.
The size threshold is straightforward: medium and large companies (50+ employees, €10M+ turnover) operating in covered sectors fall under NIS2 automatically. No opt-in, no grey areas. Certain digital infrastructure providers are covered regardless of size.
Belgium enforced NIS2
Germany passed its law with BSI registration deadlines into 2026
European Commission proposed targeted amendments to simplify compliance for smaller companies
France still in legislative process. The direction is fixed, the timeline depends on jurisdiction.
Energy, health, digital infrastructure, financial markets
Whichever is higher
All other covered sectors
Whichever is higher
These are not theoretical maximums - they are the documented enforcement tools national authorities are now being empowered to use.
Beyond fines, regulators can issue binding corrective orders, mandate public disclosure of violations, and impose temporary operational restrictions. For companies that rely on licences, certifications, or regulated market access, those tools carry consequences that go well beyond a penalty notice.
Russell Reynolds Associates interviewed senior cyber operating partners across leading private equity firms throughout 2025. Their finding: "Value protection is becoming inseparable from value creation." The most sophisticated firms no longer start cyber diligence at close, they embed it throughout the investment lifecycle.
Conducted during due diligence — not to fill a checklist, but to identify inherited risk that affects deal pricing.
Reviewing cloud environments for misconfigurations that could expose the portfolio company to breach risk.
Assessing who has access to what — a key vector in credential-based breaches.
Several interviewees confirmed that cyber issues rarely kill a deal outright, but increasingly shape valuation and day-one priorities.
The IBM Cost of a Data Breach Report 2025 puts a number on what's at stake: the average credential-based breach costs $4.45 million. For a mid-market portfolio company, that is enough to materially impact first-year performance. It also affects exit multiples — companies with demonstrably mature security programs command stronger positions in exit negotiations.
NIS2 does not stop at the company's own perimeter. It explicitly requires organisations to assess and manage cybersecurity risks from vendors, cloud providers, and third-party digital partners. A company with strong internal controls but a dependency on a non-compliant supplier still carries NIS2 exposure.
ENISA published detailed technical implementation guidance covering 13 areas of required cybersecurity risk management, including supply chain. This guidance is the reference document regulators will use in audits. It defines what "adequate measures" means in operational terms:
These are now legitimate deal-table questions, not just IT hygiene observations.
There is a subtler point underneath all of this. A company that has genuinely worked through its NIS2 obligations — mapped its assets, built a documented risk framework, established incident reporting procedures, positioned cybersecurity at board level — has done serious operational housekeeping that reveals something about how it is run.
Treated as a one-time compliance exercise to be completed and filed away.
Treated as an ongoing capability to be built — revealing disciplined decision-making, clear internal accountability, and operational resilience under pressure.
Investors who have learned to read that difference are finding it correlates with other signals of management maturity: disciplined decision-making, clear internal accountability, and operational resilience under pressure.

Tech entrepreneur, Ph.D. in Computer Science (Cybersecurity), 15+ years in senior tech leadership. Designed Ukraine’s national digital signature and alignment with EU standards
Why cyber compliance is becoming a new due-diligence layer for investors