clever.legal

NIS-2 Guidelines for Law Firms – Everything Lawyers Need to Know Now

The NIS-2 Directive fundamentally changes cybersecurity compliance for EU law firms, introducing personal liability for management, mandatory security measures, and fines of up to €10 million or 2% of global annual turnover. With 22 of the 27 EU member states having transposed the directive into national law and the first enforcement deadlines falling in 2026, legal professionals must act now to ensure compliance.

Marc Ellerbrock

The Cybersecurity Directive That Changes Everything for Law Firms

The European Union's Network and Information Security Directive 2 (NIS-2), which came into force in January 2023 and required member state transposition by 17 October 2024, has fundamentally transformed the cybersecurity landscape for businesses across the EU. For law firms, this directive represents more than just another regulatory hurdle—it introduces personal liability for executives, mandatory cybersecurity training for management, and potential temporary bans from exercising management functions.

As of March 2026, 22 of the 27 EU Member States have transposed NIS-2 into national law, and early enforcement is under way in Belgium, Germany and the Netherlands: regulators are auditing, and the first fines are being applied. The era of voluntary cybersecurity compliance is over. NIS-2 penalties for non-compliance are becoming a reality across the EU, and the window for preparation is closing quickly.

Do Law Firms Fall Under NIS-2 Scope?

The question of whether law firms are directly covered by NIS-2 is complex and depends on several factors. Italy's implementation law captures legal services for large grocery retailers, while most member states have not explicitly included traditional legal services in their scope definitions. However, law firms may still be affected through several pathways:

Direct Coverage Scenarios

Law firms could fall under NIS-2 if they provide services classified as:

  • Managed Service Providers (MSPs): Entities providing services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems

  • ICT Service Management: NIS-2 adds 10 new sectors into scope, including a new 'ICT service management (B2B)' category

  • Digital Services: If offering cloud-based legal platforms or data management services to other businesses

Size and Classification Thresholds

Business size follows the EU SME definition (Commission Recommendation 2003/361/EC): (1) large (250 or more employees, or annual turnover above €50 million and a balance sheet total above €43 million), (2) medium (50 to 249 employees and annual turnover of up to €50 million or a balance sheet total of up to €43 million), or (3) small/micro (fewer than 50 employees and annual turnover or balance sheet total of up to €10 million). Size alone does not settle the classification: essential status is reserved for large entities in the high-criticality sectors of Annex I, while medium-sized entities in those sectors, and medium or large entities in the Annex II sectors, are important entities. The distinction matters in practice because essential entities are subject to proactive (ex ante) supervision and stricter enforcement, whereas important entities are supervised reactively (ex post).

Indirect Impact Through Supply Chain Requirements

Even if not directly covered, law firms serving NIS-2 entities face indirect compliance pressure. Article 21 requires entities to address supply chain security, including security-related aspects concerning relationships between each entity and its direct suppliers or service providers, taking into account vulnerabilities specific to each direct supplier and service provider.

Entity Classification | Size Criteria | Maximum Fines | Supervision Level
Essential | Large entity (250+ employees, or >€50M turnover and >€43M balance sheet) in an Annex I sector | €10M or 2% of global annual turnover, whichever is higher | Enhanced (ex ante) supervision, regular audits
Important | Medium entity (50-249 employees) in an Annex I sector, or medium/large entity in an Annex II sector | €7M or 1.4% of global annual turnover, whichever is higher | Risk-based (ex post) supervision
Out of scope | Small/micro entity (<50 employees and ≤€10M turnover or balance sheet), unless specifically designated | N/A | Supply chain requirements of in-scope clients may still apply

Sources: European Commission NIS-2 Directive; Kemp IT Law Analysis

The Revolutionary Change: Management Personal Liability

NIS-2's most significant innovation is Article 20, which marks NIS-2 as a landmark in global cyber regulation by requiring Member States to ensure that management bodies of essential and important entities approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements.

Article 20: Four Non-Negotiable Management Obligations

Article 20 of the NIS-2 Directive establishes four non-negotiable obligations for the management bodies of essential and important entities:

  1. Formal Approval: Management bodies must formally approve the cybersecurity risk-management measures adopted by the entity under Article 21. Security policies and procedures cannot be adopted by IT teams alone—Board or executive committee approval must be documented

  2. Active Oversight: Management bodies must not only approve but also oversee the implementation of cybersecurity risk management measures

  3. Mandatory Training: Management bodies must ensure they possess sufficient knowledge and skills to identify and assess cybersecurity risks, with Member States ensuring that members of management bodies are required to follow training on a regular basis

  4. Personal Accountability: Personal liability under NIS-2 is not limited to cases of gross negligence or intentional misconduct. The directive enables liability for infringements—meaning a failure to comply with Article 21 measures, even if the failure was not deliberate

Enforcement Powers and Penalties

The consequences for management non-compliance are severe and personal:

  • Temporary Management Bans: Under Article 32(5)(b), supervisory authorities can request that competent bodies or courts order a temporary ban of a natural person from exercising managerial functions at chief executive or legal representative level in essential entities

  • Public Disclosure: Public disclosure and explicit naming of directors in enforcement actions

  • Financial Liability: Civil liability and personal fines in some EU states, with organisational fines up to €10 million or 2% of global turnover for essential entities

  • Insurance Exclusions: Directors & Officers insurance usually excludes compensation where there is clear negligence or breach—so personal assets are at stake

The 10 Mandatory Cybersecurity Measures (Article 21)

Article 21 is where "we take security seriously" becomes "prove it," setting the minimum cybersecurity risk-management measures that in-scope organisations must implement and be able to evidence in practice. It covers 10 mandatory areas requiring appropriate and proportionate cybersecurity risk-management measures.

Complete List of Required Measures

The measures must be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:

  1. Risk Analysis and Information System Security Policies: Organizations must establish policies and procedures for conducting regular risk assessments, identifying vulnerabilities, and implementing appropriate security controls to manage identified risks

  2. Incident Handling: Entities must have robust incident detection, analysis, and response capabilities, including defined roles and responsibilities, as well as processes for timely incident reporting to relevant authorities

  3. Business Continuity and Disaster Recovery: Backup management, disaster recovery and crisis management plans, tested rather than merely written

  4. Supply Chain Security: Entities must address supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

  5. Security in Acquisition, Development and Maintenance: Including vulnerability handling and disclosure processes

  6. Policies and Procedures for Assessing Effectiveness: Entities must establish policies and procedures to assess the effectiveness of cybersecurity risk-management measures

  7. Basic Cyber Hygiene and Training: Staff receive guidance on basic cyber risks and expected behaviour, with training delivered and completed, including dates and participants recorded

  8. Cryptography and Encryption Policies: Organizations must ensure data confidentiality, integrity and availability by leveraging encryption and other data protection techniques

  9. Human Resources Security, Access Control and Asset Management: Access rights are granted, changed and revoked consistently across the employee lifecycle (joiner, mover, leaver), and the systems and data those rights apply to are inventoried and owned

  10. Multi-Factor Authentication and Secured Communications: The use of multi-factor or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems where appropriate. MFA requires a second verification factor, so that a phished or leaked password alone is not enough to take over an account; it reduces, but does not eliminate, the risk of account compromise, and phishing-resistant factors (FIDO2 security keys or passkeys) are the strongest option for a firm handling client-privileged data

Evidence Requirements for Law Firms

For SMEs, NIS-2 Article 21 compliance is about being able to demonstrate control in a credible, proportionate way. A Minimum Viable Evidence Pack is a focused set of policies, records, and technical proof that collectively show regulators you have implemented, operated, and reviewed the required cybersecurity risk-management measures.

Measure | Evidence Required | Frequency
Risk Assessment | Risk register, impact/likelihood scoring, mitigation plans | Annual, or after major changes
Incident Response | Incident response plan, contact lists, drill records | Plan review: annual; drills: quarterly
Access Control | User access matrix, joiner/leaver procedures, MFA configuration | Monthly access reviews
Training | Training content, completion records, participant lists | Annual mandatory training
Supply Chain | Vendor risk assessments, security clauses in contracts | Annual vendor reviews

Source: Sunbytes NIS-2 Article 21 Analysis

Incident Reporting: The 24-72-30 Timeline

NIS-2 introduces drastically tightened incident reporting timelines, requiring organisations to submit an "early warning" to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, replacing the open-ended "without undue delay" standard of the first NIS Directive.

Three-Stage Reporting Process

Under NIS-2 there will be a three stage process for reporting security incidents to the relevant authorities. An "early warning report" must be submitted within 24 hours. Next, a fuller "incident notification" should be submitted within 72 hours.

  1. Early Warning (24 hours): Entities must notify the CSIRT or, where applicable, the competent authority of their Member State no later than 24 hours after becoming aware of the significant incident. The early warning must state, where applicable, whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact

  2. Incident Notification (72 hours): No later than 72 hours after becoming aware of the incident, the entity must submit an incident notification that updates the early warning and gives an initial assessment of severity and impact, including indicators of compromise where available. On request of the CSIRT or competent authority, intermediate status updates must follow

  3. Final Report (one month): No later than one month after submitting the incident notification, a final report with a detailed description of the incident, its severity and impact, the likely root cause (type of threat), the mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident has been handled

What Constitutes a "Significant" Incident

Under Article 23(3), an incident is "significant" if it: (a) has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity concerned; or (b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. For a law firm, a ransomware incident that takes the case management system offline, or a breach exposing client files, would typically meet one or both limbs.

Current Implementation Status Across EU Member States

The implementation landscape has evolved rapidly throughout 2025 and into 2026. On 7 May 2025 the European Commission sent a reasoned opinion to 19 Member States for failing to notify full transposition of the NIS-2 Directive. Those Member States had two months to respond and take the necessary measures; otherwise, the Commission may refer the cases to the Court of Justice of the European Union.

Implementation Status by Country

Implementation Status | Countries | Key Dates
Fully implemented | Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, Slovenia, Sweden | Most implemented during 2025
Legislative process ongoing | France, Ireland, Luxembourg, Netherlands, Spain | Expected completion: 2026
Early enforcement active | Belgium, Germany, Netherlands | Belgium deadline: 18 April 2026


Sources: ECSO Transposition Tracker; Passwork NIS-2 Status Update

Key National Variations

Reporting obligations under NIS-2 also vary significantly between countries, creating a fragmented compliance landscape. For example, entities in Germany must immediately inform individuals of an incident if instructed to do so by regulators. This divergence in national rules increases administrative and compliance burdens for organizations operating across multiple EU jurisdictions.

  • Germany: Germany completed its NIS-2 implementation law in December 2025, with annual compliance costs estimated at roughly EUR 2.3 billion and one-time implementation costs of roughly EUR 2.2 billion

  • Belgium: Belgium has set the first NIS-2 enforcement deadline, 18 April 2026. By that date essential entities must submit verified documentation confirming that cybersecurity controls are in place, assessed by an accredited conformity assessment body or by the Centre for Cybersecurity Belgium directly. Self-declarations are not accepted

  • Italy: Italy's implementation law took effect in October 2024 and includes legal services for large grocery retailers and the cultural sector, capturing a large number of additional companies operating in Italy

Compliance Costs and Business Impact

Financial Impact Assessment

The financial burden of NIS-2 compliance extends far beyond initial technology investments. Early estimates for NIS-2 compliance costs significantly underestimated the true financial impact. Organizations are discovering that technical infrastructure upgrades represent only a fraction of total implementation expenses.

The EU impact assessment on NIS-2 suggested that in-scope companies "would need an increase of maximum 22% of their current ICT security spending for the first years following the introduction of the new NIS framework (this would be 12% for companies already under the scope of the current NIS Directive)".

Cost Breakdown by Category

Cost Category | Estimated Range | Key Components
Technology Infrastructure | €50,000 - €500,000 | MFA systems, monitoring tools, backup solutions
Professional Services | €25,000 - €200,000 | Risk assessments, policy development, training
Staff Training & Management | €10,000 - €100,000 | Board training, staff awareness, ongoing education
Ongoing Compliance | €15,000 - €150,000 per year | Monitoring, reporting, audits, updates
Legal & Consulting | €20,000 - €100,000 | Compliance assessment, policy review, documentation

Sources: Kiteworks Compliance Cost Analysis; Industry estimates from various compliance providers

Hidden Costs and Common Oversights

Beyond obvious technology investments, organizations face substantial ongoing costs for compliance monitoring, staff training, and regulatory reporting. Legal fees for interpreting complex requirements often exceed initial technology budgets, while specialized compliance personnel command premium salaries in a tight labor market. Small and medium enterprises face particular challenges, as they lack the economies of scale that larger organizations can leverage for compliance investments.

Practical Compliance Roadmap for Law Firms

Phase 1: Immediate Assessment (Weeks 1-4)

  1. Scope Determination: Assess whether your firm falls under direct NIS-2 coverage or faces indirect requirements through client demands

  2. Gap Analysis: Compare your current controls against the 10 minimum measures in Article 21 and identify gaps

  3. Management Briefing: It is imperative that in-house counsel and compliance functions properly brief their management boards on the impending responsibilities and liabilities under NIS-2

  4. Budget Planning: Develop initial cost estimates for compliance implementation

Phase 2: Foundation Building (Months 2-4)

  1. Risk Assessment: Identify the most relevant cybersecurity risks to systems and services and prioritise them based on impact and likelihood, showing that security decisions are risk-based rather than generic

  2. Policy Development: Create comprehensive cybersecurity policies covering all Article 21 requirements

  3. Management Training: Training should be sufficient for management to identify and assess cybersecurity risks and evaluate their impact on the organization's operations. This could include board-level briefings, executive cybersecurity courses, sector-specific workshops, or guided exercises. The key is that training is regular, documented, and relevant

  4. Incident Response Plan: Build or refine your incident detection, escalation, and reporting workflows to meet the 24-72-30 timeline

Phase 3: Implementation (Months 5-8)

  1. Technical Controls: Implement MFA, encryption, monitoring, and backup systems

  2. Supply Chain Security: Assess the security posture of your suppliers and service providers, and ensure contracts include cybersecurity clauses

  3. Staff Training: Ensure your staff, management, and board understand their responsibilities under NIS-2

  4. Documentation: Maintain evidence of your cybersecurity measures, risk assessments, incident logs, and training records. This documentation is critical for audits and regulatory inquiries

Phase 4: Ongoing Compliance (Months 9+)

  1. Continuous Monitoring: Establish regular review cycles for all security measures

  2. Management Oversight: NIS-2 does not specify a review frequency, but best practice suggests at least quarterly reviews of cybersecurity status and annual formal reviews of security policies and risk-management measures

  3. Vendor Management: Implement ongoing supplier security assessments

  4. Incident Preparedness: Regular testing of incident response procedures and reporting timelines

Leveraging Existing Frameworks

If you're already certified to ISO 27001 or have undergone a SOC 2 audit, you've got a head start. Organisations with an existing ISO 27001-certified ISMS already address a significant portion of Article 21, but gaps typically exist around supply chain security, management body accountability, incident reporting timelines, and explicit MFA requirements.

Framework Mapping

NIS-2 Requirement | ISO 27001 Equivalent | SOC 2 Equivalent | Gap Areas
Risk Assessment | Clauses 6.1.2 and 8.2 (risk assessment); A.5.1 (policies) | CC3.1, CC3.2 | Supply chain risk assessment
Incident Response | A.16.1 (incident management) | CC7.3, CC7.4, CC7.5 | 24-hour early warning and 72-hour notification timelines
Access Control | A.9.1, A.9.2 | CC6.1, CC6.2, CC6.3 | Explicit MFA requirement
Management Oversight | Clauses 5.1 (leadership) and 9.3 (management review) | CC1.2 (board oversight) | Personal liability and mandatory management training
Supply Chain | A.15.1, A.15.2 | CC9.2 | Direct supplier security assessment

Source: Framework comparison based on Glocert International Analysis. Annex A references use the ISO/IEC 27001:2013 numbering; the 2022 edition renumbers the same controls (for example, incident management becomes controls 5.24 to 5.28 and supplier relationships 5.19 to 5.22), so check which edition your certificate was issued against.

Key Recommendations for Law Firms

Immediate Actions

  1. Don't Wait for Clarity: Despite implementation variations, organizations operating in the EU shouldn't wait—they should proactively ensure their cybersecurity measures align with NIS-2. With enforcement expected to kick in as soon as national laws are passed, companies need to act now. Delaying compliance isn't an option

  2. Focus on Article 21: Prioritize implementing the 10 mandatory cybersecurity measures, as these form the compliance foundation

  3. Document Everything: Create a living, tamper-proof record: a digital "black box" for board activity on cyber-security with digital signatures, immutable training and participation logs, and incident and escalation registers

  4. Board Engagement: Board-level cybersecurity governance is no longer optional—it is a legal obligation for all essential and important entities across the EU. Evidence of governance must be documented and available for regulators
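The "tamper-proof record" recommended above is a concrete engineering requirement: regulators and, in a liability dispute, opposing counsel will ask whether a board approval, training record or escalation entry could have been backdated or quietly removed. The following is an added example, written for this article and not code from clever.legal or any NIS-2 authority, of the simplest construction that gives that property: an append-only register where every entry carries the hash of its predecessor and a signature over its own hash. The signing key, the entry fields and the sample records are all assumptions for illustration; a real deployment would sign with an asymmetric key held in an HSM or cloud KMS and anchor the latest hash with an external time-stamping service or in the signed board minutes, because a hash chain alone cannot detect removal of the most recent entries.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Hypothetical key for the firm's compliance function. In production this belongs in an
# HSM/KMS and an asymmetric scheme (e.g. Ed25519) is preferable to a shared HMAC secret.
SIGNING_KEY = b"example-compliance-key-do-not-use"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the same content always hashes identically
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(_canonical(entry)).hexdigest()


def _sign(entry_hash: str) -> str:
    return hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only, hash-chained, signed register of governance evidence."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, timestamp: str, actor: str, event: str, details: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "actor": actor,
            "event": event,
            "details": details,
            "prev_hash": prev,  # links this entry to its predecessor
        }
        h = _entry_hash(body)
        record = dict(body, hash=h, sig=_sign(h))
        self.entries.append(record)
        return record

    def head_hash(self) -> str:
        # Value to anchor externally (board minutes, time-stamping service)
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, otherwise (False, index of the first bad entry)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
            # Sequence and chain link must match: catches reordering and gaps
            if body.get("seq") != i or body.get("prev_hash") != prev:
                return False, i
            h = _entry_hash(body)
            # Content must match the stored hash, and the hash must carry a valid signature
            if h != rec["hash"] or not hmac.compare_digest(_sign(h), rec["sig"]):
                return False, i
            prev = h
        # Without an external anchor, dropping the newest entries is undetectable
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_log() -> EvidenceLog:
    # Constructed sample entries, not real firm data
    log = EvidenceLog()
    log.append("2026-01-15T09:00:00Z", "managing-partner", "policy_approved",
               {"policy": "Information Security Policy v3", "article": "21"})
    log.append("2026-02-03T14:30:00Z", "partner-a", "training_completed",
               {"course": "Board cyber risk briefing", "hours": 2})
    log.append("2026-02-20T11:05:00Z", "ciso", "incident_escalated",
               {"incident_id": "INC-0007", "early_warning_sent": True})
    return log


def tamper_edit(log: EvidenceLog) -> Tuple[bool, Optional[int]]:
    # Inflating a training record after the fact: hash of entry 1 no longer matches
    log.entries[1]["details"]["hours"] = 8
    return log.verify()


def tamper_delete_middle(log: EvidenceLog) -> Tuple[bool, Optional[int]]:
    # Removing the training record: entry now at position 1 carries seq 2 and the wrong prev_hash
    del log.entries[1]
    return log.verify()


def tamper_truncate(log: EvidenceLog):
    # Dropping the newest entry (the incident escalation) is only caught with an external anchor
    anchor = log.head_hash()
    log.entries.pop()
    return log.verify(), log.verify(expected_head=anchor)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited:", tamper_edit(build_sample_log()))
    print("deleted:", tamper_delete_middle(build_sample_log()))
    print("truncated (no anchor / with anchor):", tamper_truncate(build_sample_log()))
```

The design point is the last case: editing or deleting an entry in the middle of the chain is detected by the chain itself, but truncating the tail is not, which is why the head hash has to leave the system (for example, recorded in the signed minutes of each board meeting) and be checked against at the next review.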

Strategic Considerations

Successful budget approvals frame NIS-2 investments as operational resilience improvements, competitive advantages, and risk mitigation rather than pure regulatory overhead, demonstrating measurable business benefits beyond compliance requirements. Well-planned compliance programs often streamline security procedures, optimize vendor management, enhance data governance, and create operational improvements.

The Road Ahead: 2026 Reforms and Beyond

On 20 January 2026, as part of a new cybersecurity package, the Commission proposed targeted amendments to the NIS-2 Directive to increase legal clarity. The amendments are intended to simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU; the Commission estimates they would ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises.

Proposed Amendments Include

  • Ransomware Reporting: New ransomware reporting obligations

  • Representative Requirements: Expanding representative appointment requirements

  • Scope Clarifications: Addressing ambiguities in entity classification

Conclusion: The New Reality of Legal Practice

NIS-2 represents a step-change in how the EU approaches cybersecurity governance. It broadens the scope, tightens requirements, and enforces accountability at board level. For law firms, as for any in-scope entity, compliance is not optional: it is a legal obligation with serious financial and reputational consequences.

The Directive's intent is clear: cybersecurity is no longer a back-office technical issue but a board-level accountability matter and a core element of operational risk management. Whether directly covered by NIS-2 or facing indirect pressure through client requirements, legal professionals must treat cybersecurity as a strategic business imperative.

The enforcement landscape is maturing rapidly: 22 of 27 member states have completed transposition and early enforcement is active in Belgium, Germany and the Netherlands, yet 84% of organisations facing active enforcement are, by their own admission, not ready. The window for preparation is closing, but the opportunity to turn compliance into competitive advantage remains open for those who act decisively now.

As the cybersecurity landscape continues to evolve, law firms that proactively embrace NIS-2 compliance will not only meet their regulatory obligations but also strengthen their market position, enhance client trust, and build operational resilience that serves them well beyond any single directive.

Enough with #FOMO, let's talk

You have read this far, which shows real interest in the future of your firm. Let's find out how clever.legal can help you in concrete terms.

Book a strategy call

Exclusive: only one partner per practice area and region.

Author: Marc Ellerbrock, Attorney at Law

Marc is the legal backbone of clever.legal. Attorney-at-law, certified specialist in banking and capital markets law, partner, former head of the legal department at an issuer group, and trained bank clerk. His focus areas: litigation, capital markets law, insurance law, liability defense (for intermediaries, advisors, and brokers), rescission of insurance contracts, damages claims against insurance companies, and gambling law. While others view mass litigation as an organizational risk, he sees it as an algorithmic challenge. Drawing on his experience in complex liability cases, he translates the rigid logic of the law into the flexible logic of the AI engine.