Most organisations treat NIS2 as a one-time implementation challenge. The ones who get it right treat it as an ongoing operational responsibility — and subscribe to having it managed for them.
If you work in IT, security, or operations at a mid-sized or large organisation anywhere in the EU, you have almost certainly heard of NIS2 by now. You may have even started thinking about what it means for your organisation. Perhaps you've sat in a meeting where someone said: "We need to get compliant." And then everyone nodded, and nothing happened for three months.
That is not a criticism. It is an entirely predictable response to a genuinely complex challenge. NIS2 is broad, technically demanding, and — crucially — it never ends. That last part is what most organisations miss entirely.
NIS2 is not a project with a finish line. It is a permanent operational obligation that your organisation must continuously meet.
The Network and Information Security Directive 2 (NIS2) came into force across EU member states in October 2024. It applies to any medium or large organisation — 50 or more employees, or over €10 million in annual revenue — operating in a covered sector. That list is long: energy, transport, healthcare, digital infrastructure, financial services, manufacturing, food, waste management, and more.
The obligations fall into four broad areas:
The penalties for non-compliance are not theoretical. Essential entities face fines of up to €10 million or 2% of global annual turnover — whichever is higher. More significantly, senior executives can face personal sanctions, including temporary bans from their roles across the EU.
The board is not just responsible for compliance. Under NIS2, they are personally liable for it.
When most organisations respond to NIS2, they do what they always do with regulatory requirements: they scope a project. They hire a consultant, run a gap analysis, build some policies, tick some boxes, and declare themselves compliant. Then they move on.
The problem is that NIS2 does not work like that. Compliance is not a state you reach and then hold. It is something you must actively maintain — every month, every quarter, every year — as your technology changes, your supplier relationships evolve, new threats emerge, and the regulatory guidance itself continues to develop.
Consider what maintaining NIS2 compliance actually requires on an ongoing basis:
If you have completed a NIS2 implementation project, congratulations — you were compliant on the day it finished. What happens next month?
A compliance project gets you to the starting line. A compliance service keeps you running.
The answer to the "what happens next month" problem is not to hire a full internal compliance team — though some organisations will do that. It is to subscribe to compliance as a managed service.
Compliance as a Service (CaaS) is exactly what it sounds like: your NIS2 compliance posture is managed on your behalf, on an ongoing basis, for a predictable monthly subscription. Instead of a one-off project that leaves you holding a folder of policies and hoping for the best, you have a dedicated function that is always active, always current, and always accountable.
With CaaS, regulatory change is our problem, not yours. Your subscription keeps pace with the regulation automatically.
The business case for Compliance as a Service is straightforward. Consider the alternatives:
A dedicated NIS2 compliance manager or CISO with the right experience will cost €90,000–€140,000 per year in salary alone — before benefits, tools, training, and management overhead. And one person cannot cover everything NIS2 demands.
Bringing in consultants annually to "refresh" your compliance posture is expensive, disruptive, and creates dangerous gaps between engagements. It is also exactly the wrong mental model.
A CaaS subscription gives you the expertise, tooling, and ongoing management at a fraction of the cost of an internal team — with none of the recruitment risk and no re-engagement cycles.
One subscription. Full coverage. No compliance team required.
For organisations already using ServiceNow, now2value offers something no generic compliance provider can: the ability to run your entire NIS2 compliance function natively inside your existing platform.
That means your risk registers, incident classification and reporting workflows, policy distribution, third-party assessments, and board reporting dashboards all live in the same environment your teams already use every day. No new tools to adopt, no parallel systems to maintain, no data sitting in an external platform you do not fully control.
As a specialist ServiceNow partner, we build compliance into your platform — not alongside it.
NIS2 applies to your organisation if you have 50 or more employees or exceed €10 million in annual EU revenue, and you operate in any of the following sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food, manufacturing, or digital services.
If you are unsure whether NIS2 applies to you, the answer is almost certainly yes. The directive was deliberately designed to be broad, and the national implementations across EU member states have, if anything, expanded the scope further.
Most organisations are asking: "How do we become NIS2 compliant?" That is the right question, but it is only half of it.
The full question is: "How do we become NIS2 compliant — and stay that way, continuously, without it consuming our team's time and energy?"
The answer is not a project. It is a subscription.
One subscription. Full coverage. No compliance team required. Get in touch to understand how it works for your organisation.
now2value is an Obsero partner delivering NIS2 and DORA Compliance as a Service, with a ServiceNow-native compliance option for platform customers.