Compliance | May 30, 2025

Regulators Expect You to Have Sorted This by Now.

Nick Pollard

Managing Director, EMEA

Data Deluge - NIS2

The clock ran out in October 2024.

There’s a special kind of panic that sets in when you realise a regulation has already taken effect and you’re not quite sure if you’re compliant.

Welcome to NIS2, the Network and Information Security Directive 2 (Directive (EU) 2022/2555). Member states had until 17 October 2024 to transpose it into national law, and its obligations apply from 18 October 2024. If you’re in banking, healthcare, transport, energy, digital infrastructure, or any other sector it covers, you should already be doing this.

But let’s be honest. For many organisations, the reaction to NIS2 has been a mix of confusion, blind optimism, and a quiet hope that no one will check too closely.

Unfortunately, that hope is fading fast.

What NIS2 Actually Requires (And Why It’s a Headache)

NIS2 isn’t just another cybersecurity box-ticking exercise. It forces organisations to:

  • Know where their critical data is – and secure it properly.
  • Report significant cyber incidents within hours, not weeks – an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within a month.
  • Prove their suppliers aren’t a security risk – If your third-party provider is compromised, so are you.
  • Hold senior execs accountable – Ignorance is no longer a defence. If it all goes wrong, someone at the top will have to explain why.

Which is all well and good—if you actually know what’s in your data estate.

If you don’t? Well, that’s where things get interesting.

The Problem: You’re Hoarding Data, and Now You Have to Explain It

A data lake sounds like a good idea. A vast, centralised repository where all your structured and unstructured data can live, ready to be analysed, searched, and used when needed.

That was the theory.

In reality? Most data lakes are now digital swamps—a chaotic mess of logs, emails, transactions, documents, and customer records, scattered across multiple storage systems, with no real classification or lifecycle management.

We once spoke to a financial institution that estimated it had 70 petabytes of data. The key word here is estimated—because no one was entirely sure.

CONTEXT:

  • 1 petabyte ≈ 500 billion pages of plain text (at roughly 2 KB per page).
  • 70 petabytes = Enough paperwork to fill Lake Michigan.

And now, thanks to NIS2, regulators might ask you to find something in all of that.

The Question No One Wants to Hear: "Can You Prove You’re Compliant?"

NIS2 doesn’t care if you’re trying your best. It expects you to be able to:

  • Locate specific data, quickly – No more “we’re looking into it” excuses.
  • Notify regulators of significant incidents within 72 hours (with an early warning at 24) – If your data is a mess, how exactly do you detect a breach in time?
  • Prove your suppliers are secure – If you don’t know where your data is, how do you know who has access to it?

If you’re guessing at any of this, you’ve already got a problem.

The Cost of Doing Nothing (or Hoping for the Best)

The companies that ignored GDPR in 2018 got a very rude awakening when regulators started handing out fines. NIS2 will be no different.

  • Fines of up to €10 million or 2% of global annual turnover for essential entities – whichever is higher – and up to €7 million or 1.4% for important entities.
  • Board-level accountability – No more hiding behind “technical teams”. Management bodies must approve the risk-management measures, oversee their implementation, and can be held liable when they fail.
  • Regulatory scrutiny & investigations – If an incident happens and you can’t explain what went wrong, expect a full-blown audit.

In short: if you haven’t taken NIS2 seriously yet, you’re already running out of time.

The Solution: Get Control Before Regulators Ask

If you’re still relying on manual data management, ad-hoc security policies, and blind optimism, you’re in trouble. The only way to handle NIS2 at scale is through:

Automated Discovery

If you don’t know what’s in your estate, find out now.

Real-Time Monitoring

Cyber incidents don't wait. Immediate response is required.

Supply Chain Auditing

Verify that your vendors aren’t your biggest risk.

Regulator-Ready Reporting

Prove impact and response within days, not months.

This is not a future problem anymore. It’s a now problem.

If reading this has made you realise your data estate is a giant, ungoverned mess, it might be time to take a look at Lightning IQ—because the only thing worse than being non-compliant is realising it when it’s too late to fix.


Panic Over. Plan Started.

Use our Cyber Recovery Calculator to see if you can meet the 72-hour reporting deadline with your current tools.

Nick Pollard

Nick Pollard is Managing Director (EMEA) for Harmony House Technology. He works on real-time investigation, legal and compliance workflows across highly regulated environments.
