How the NIS2 Directive is redefining data intelligence and security
The 2026 perspective: Beyond the deadline
The grace period for the NIS2 Directive has long passed. The estimated 160,000 European companies originally impacted are no longer "preparing": they should now be operating under a regime of active supervision and enforcement. In this article, we provide an updated, in-depth analysis of the NIS2 Directive, its realized impact on data security and how data teams are leveraging Collibra to maintain continuous compliance.
Why was the NIS2 Directive established?
The NIS2 Directive was adopted in 2022 in response to increasing digitization and the resulting changes in the cybersecurity threat landscape. The original NIS Directive, issued in 2016, was no longer considered sufficient to protect the EU from new cybersecurity threats. NIS2 is not just an update; it's an expansion. Many organizations exempt from the first directive now fall under these new, stricter requirements.
What has changed in the NIS2 Directive?
- Scope: The number of entities and sectors covered by the directive has expanded
- Requirements: The requirements for cybersecurity risk and incident management are more comprehensive
- Fines: Sanctions have been increased and senior management can be held liable
Who has to comply?
The NIS2 Directive applies to companies where a security breach can have a significant impact on the European economy, which significantly extends the scope of the original NIS Directive that only applied to operators of essential services and relevant digital service providers. This difference might sound like pure semantics, but an estimated 160,000 companies will have to comply with the NIS2 Directive. Among the companies it will regulate, the NIS2 Directive makes a distinction between “essential” and “important” entities based on their size and sector.
Essential entities are large entities that are part of sectors of high criticality listed below.
Important entities are medium-sized enterprises* operating in the sectors of high criticality of Annex I of the Directive, OR large* or medium-sized* enterprises in the sectors of Annex II of the Directive that do not fall into the essential entity category (due to their size or the type of entity involved).
The NIS2 Directive can even apply to small enterprises depending on the type of services they offer, when they have a monopoly, or when their services are critical to economic stability or national security.
Essential entities will be proactively audited for NIS2 compliance as of its ratification into regulation, whereas important entities will only be audited when an incident has occurred.
For a more detailed description of the sectors, refer to the NIS2 Directive.
What this means for data security
Zero-trust access management
Article 21 of the NIS2 Directive dictates that organizations must implement appropriate and proportionate technical, operational and organizational measures to manage cybersecurity risks, such as MFA, encryption and access controls. Recital 82 of the Directive also says that organizations have to apply zero-trust principles to access management, where access to data is limited to what is absolutely needed ("just enough") for the time it is needed ("just in time").
This means limiting user access to the data, reports and AI models they have legitimate access to and only for the time they need that data to perform their tasks.
It is important to note that senior management will have to approve the cybersecurity risk management measures, oversee their implementation and can be held liable in case of a breach.
Audits
Article 32 of the Directive gives the authorities the mandate to perform regular and ad hoc audits and security scans of essential entities. Among other things, they will look for the presence and proof of implementation of data security policies. It will be important to make sure these audits go smoothly and to have this information readily available, as you will bear the full costs of the audit.
Incident reporting
Organizations have to report security incidents to the supervisor and all affected natural and legal persons within 72 hours of becoming aware of the significant incident. This report shall have an initial assessment of the incident, including its severity and impact. Within the month, the organization shall provide a detailed report on the incident.
Regulatory fines for non-compliance
Article 34 specifies penalties for non-compliance, including fines of up to 2% of an entity's annual turnover.
- Essential entities: Administrative fines of a maximum of at least EUR 10,000,000 or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
- Important entities: Administrative fines of a maximum of at least EUR 7,000,000 or of a maximum of at least 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Navigating the NIS2 compliance journey with Collibra
The digital landscape is shifting. With the arrival of the NIS2 Directive, the stakes for data security and operational resilience have never been higher. For data teams, the challenge is twofold: meeting stringent new regulatory requirements while maintaining the speed of innovation.
Without a strategic approach, NIS2 compliance can become a "resource sink", diverting focus from AI/ML initiatives and self-service analytics for months. Even worse, poorly designed security workflows can kill productivity, making your data scientists feel like they’re navigating an endless maze of red tape.
With Collibra’s acquisition of Raito, the transition of its pioneering technology into Collibra Data Access further enables the Collibra Platform to serve as a unified command center, allowing organizations to move past regulatory hurdles and leverage compliance as a true competitive advantage.
The core pillars of NIS2 success
Collibra Data Access assists data, AI and security teams through every phase of the NIS2 journey:
Assessment and gap analysis
You cannot protect what you cannot see. Collibra provides the "X-ray vision" needed to map your risk surface.
- Identify critical assets: Automatically discover data across your stack that is vital to the organization in terms of sensitivity and usage
- Gap analysis: Evaluate current access patterns for users and AI models and discover discrepancies between your actual data footprint and your security policies
- Breach impact modeling: Analyze the "blast radius" of a potential incident, assessing the damage to confidentiality and availability before a crisis hits
Remediate and implement
Once gaps are identified, the platform moves from observation to action.
- Precision remediation: Instantly remove excessive privileges, unused permissions and "ghost" data that create unnecessary risk
- Implement least privilege access: Adopt a "just-in-time" approach. Grant users and AI models only the access they need, for the exact duration they need it. This minimizes the attack surface and bolsters defenses against ransomware.
- Monitor maturity: Track your security posture score in real time as you execute remediation tasks
Continuous monitoring and improvement
NIS2 is a marathon, not a sprint. The platform ensures you stay compliant as your data scales.
- Regular audits: Conduct automated audits of access rights and data usage to ensure alignment with the Directive
- Access reviews: Periodically review machine and service accounts, revoking unused credentials and resolving policy conflicts automatically
The Collibra advantage: Beyond just access
While Data Access provides the technical "locks" on the doors, the Collibra Platform also provides the governance framework that NIS2 mandates for corporate accountability.
Data lineage and incident response
NIS2 requires rapid reporting of incidents. Collibra’s automated data lineage maps exactly how data flows from source to report. If a system is compromised, you can instantly see which downstream AI models or business dashboards are affected, meeting the 24-hour notification window with confidence.
AI Governance
As AI agents become part of your workforce, they must be governed. Collibra allows you to catalog AI models and their training data, ensuring that the same "security by design" principles applied to humans are applied to your algorithms.
Data quality and integrity
Security isn't just about privacy; it's about integrity. Collibra Data Quality & Observability uses ML to detect anomalies in your data. Collibra flags quality issues immediately, ensuring the information your business relies on remains trustworthy.
Accountability and stewardship
NIS2 places heavy responsibility on top-level management. Collibra serves as the "system of record" for your data policies, assigning clear roles (owners, stewards and guardians) so there is never a question of who is responsible for a specific data domain.
Compliance without compromise
The addition of Data Access to the Collibra Platform creates a seamless bridge between governance (knowing what to do) and execution (doing it automatically). By automating the heavy lifting of NIS2, your data teams are free to go back to what they do best: driving value through AI and analytics.
Ready to see how Collibra can accelerate your NIS2 roadmap? Request a demo to learn more about our unified approach to data access and governance.