Challenges of the NIS2 Directive for Large Enterprises (LE) and Small and Medium Enterprises (SME)

The NIS2 Directive (Directive (EU) 2022/2555, the revised Network and Information Security Directive) introduces new obligations to strengthen cybersecurity across the European Union, setting stricter requirements for cybersecurity risk management, incident reporting, and the protection of essential and important entities. The complexity of compliance varies significantly between large enterprises (LE) and small and medium enterprises (SME).

A report by ENISA (the European Union Agency for Cybersecurity), the EU's reference authority on cybersecurity, highlights the key challenges organizations face in complying with NIS2. ENISA's analysis gives a detailed overview of the operational, technological, and organizational difficulties that companies of different sizes must address to meet the directive's requirements. The figures below are taken from that report.

Incident Reporting

Incident reporting is not considered a significant challenge by most organizations. Only 4% of both large enterprises and SMEs identified this activity as a major difficulty, which suggests that most organizations already have processes in place to detect and report security incidents. However, NIS2 (Article 23) sets a staged timeline for significant incidents: an early warning to the competent CSIRT or authority within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting the 24-hour early-warning deadline, which requires detection, triage and a decision on significance to happen on the same day, may pose operational challenges, particularly for SMEs without round-the-clock monitoring.

Incident Handling (Prevention, Detection, Response)

Incident handling is one of the areas where the gap between large enterprises and SMEs is most pronounced.

  • Only 12% of large enterprises reported difficulties in incident handling, reflecting a greater capacity for prevention and response thanks to dedicated internal security teams and mature monitoring tooling.
  • Conversely, 20% of SMEs reported difficulties, indicating that a lack of resources and technical expertise remains an obstacle to implementing effective detection and response capabilities.

Supply Chain Security Risk Management

Supply chain security management is a particularly complex challenge for SMEs, with 46% reporting difficulties compared to 28% of large enterprises.

  • Large enterprises generally have greater contractual leverage over suppliers and can impose and verify security requirements across the supply chain.
  • SMEs, however, often depend on external suppliers without visibility into or control over their security practices, making it harder to assess and manage risks along the supply chain, even though NIS2 makes supply chain security one of the required risk-management measures.

Business Continuity and Crisis Management

Business continuity and crisis management emerges as one of the most critical challenges for both categories of organizations.

  • 48% of large enterprises and 53% of SMEs reported difficulties in implementing business continuity and crisis management plans.
  • SMEs often struggle because they lack the resources to write, and above all to regularly test, effective emergency and recovery plans.
  • Large enterprises face complexity because business continuity has to be integrated on a global scale, coordinating subsidiaries, suppliers, and strategic partners.

Vulnerability Handling (Patching and Disclosure)

Managing and disclosing vulnerabilities is a major challenge for both categories of organizations.

  • 50% of large enterprises and 47% of SMEs reported difficulties in vulnerability handling and disclosure.
  • The main difficulty lies in the speed of patch deployment and in coordinating the teams involved so that patching does not cause operational disruption.
  • NIS2 (Article 21) lists vulnerability handling and disclosure among the mandatory cybersecurity risk-management measures, and Member States must designate a CSIRT to act as coordinator for coordinated vulnerability disclosure; organizations therefore need a documented process for receiving, triaging and remediating vulnerabilities, which increases the pressure on already overstretched IT teams.

Security Awareness and Training

Surprisingly, security awareness and training were not considered a challenge by any of the organizations surveyed.

  • No large enterprise or SME reported difficulties in this area (0%).
  • This may reflect that many organizations have already invested in training programs and security awareness campaigns.
  • However, NIS2 explicitly requires basic cyber hygiene practices and cybersecurity training, including for management bodies, and keeping staff skills up to date in a constantly evolving threat environment remains a strategic priority.

Multifactor Authentication (MFA)

The implementation of multifactor authentication (MFA) is seen as a greater challenge for SMEs than for large enterprises.

  • 47% of SMEs reported difficulties in implementing MFA, compared to 36% of large enterprises.
  • SMEs often face technological and budgetary constraints when adopting MFA, for example legacy applications that do not support modern authentication.
  • Large enterprises, on the other hand, have typically already rolled out MFA at scale, integrated with their identity and access management systems.

Data Encryption

The adoption of encryption presents a moderate challenge for both categories of organizations.

  • 29% of large enterprises and 30% of SMEs reported difficulties in implementing encryption.
  • The main challenge lies in integrating encryption (and the key management it requires) with existing systems, protecting data at rest and in transit without compromising operational efficiency.

Lack of Analysis and Planning

Only 1% of both large enterprises and SMEs reported that they had not yet conducted a detailed analysis of NIS2 compliance.

  • This indicates that most organizations have already started the process of evaluation and planning to comply with the directive.
  • However, SMEs may struggle to translate this analysis into an effective operational plan due to limited resources and technical expertise.

Conclusions and Outlook

Adapting to NIS2 represents a significant challenge, particularly for SMEs, which face budget and expertise limitations. Large enterprises, while better resourced, must tackle the complexity of implementing the new measures on a global scale and coordinating response strategies across multiple operational sites.

  • Vulnerability management, business continuity, and supply chain security emerge as the most critical areas for organizations of all sizes.
  • SMEs need support in implementing MFA, encryption, and rapid incident detection and response, including the capability to meet the 24-hour early-warning deadline.
  • NIS2 compliance is not only a regulatory obligation but also a strategic lever to strengthen business resilience and customer trust.

Prompt compliance with NIS2 requirements not only reduces the risk of sanctions but also strengthens an organization's competitive position in the European digital landscape.