Complying with the NIS2 directive requires significant time, resources, and staff involvement, often supplemented by external support. For large and medium-sized organisations, the process to achieve full compliance can take six to twenty-four months, mainly due to the complexity of internal processes and the number of supply chain partners. Smaller businesses typically complete the process within four to six months.
Even after implementation, ongoing effort is required, because the threat landscape, the organisation's own systems and suppliers, and the regulatory guidance all keep changing. Organisations must continuously update policies, procedures, and incident management to keep meeting the NIS2 duty of care.
The time and cost impact varies with organisation size. Large enterprises are estimated to require 3,500 to 5,000 hours per year, with associated costs of around €50,000 annually. Medium-sized businesses may need 1,250 to 2,500 hours per year, with annual costs of approximately €30,000. Small enterprises are estimated at 300 to 800 hours per year, with costs ranging from €1,000 to €20,000 annually. These figures are indicative: the actual effort depends on the organisation, the maturity of its existing security measures, and how much of the work is done in-house versus by external support.
Starting early is advisable. Many of the required measures, such as supply chain security and incident management, require extensive preparation and coordination with customers and suppliers. Early action allows businesses to spread the investment, reduce peak workload, and ensure compliance by the statutory deadline.