NIS2 has a personnel-exposure layer most audits miss.
PI Solutions provides the analyst-led OSINT layer that maps the personnel exposure surface the NIS2 Directive asks management bodies to understand. We support compliance programmes; we do not replace them.
The half of NIS2 that does not sit on the network
The NIS2 Directive is now an active regulatory framework across most of the EU. Twenty-one of twenty-seven member states have transposed it into national law as of May 2026. Most NIS2 readiness work, by both compliance vendors and in-house security teams, focuses on what runs on the corporate network: firewall posture, MFA coverage, incident response, encryption at rest, vendor attestation. That work is necessary.
It is also only half of what the directive names. Article 21(2) of Directive (EU) 2022/2555 lists ten categories of risk-management measures, and at least two of them — supply-chain security under 21(2)(d) and basic cyber hygiene plus training under 21(2)(g) — reach into territory that no firewall covers. Both categories track what is findable in public about the people the organisation runs on. That is the layer most readiness programmes leave under-mapped, and it is the layer PI Solutions exists to assess.
What the directive requires beyond IT controls
Article 20 of the directive places cybersecurity governance on the boardroom agenda. Management bodies of essential and important entities must approve the organisation’s risk-management measures, oversee their implementation, and follow training sufficient to identify the risks they are approving. Article 21 enumerates the measures themselves. Two are quoted in full because they are the categories most often mis-scoped:
21(2)(d) — “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”
21(2)(g) — “basic cyber hygiene practices and cybersecurity training”
Neither of these resolves to a network control. Supply-chain personnel are findable through chamber-of-commerce filings, signed annual accounts, vendor press releases, and named LinkedIn timelines — the raw material a business-email-compromise operator collects before the first message goes out. Cyber hygiene at the board level depends on what is already public about the people attending the board meeting: home addresses on people-search platforms, old passwords in breach corpora, family connections on social surface.
We have written separately on how those vectors connect to the categories the directive names — see our analysis of NIS2 as a digital exposure risk vector.
The personnel exposure layer most NIS2 audits miss
A NIS2 readiness review will commonly inventory technical controls down to the endpoint and out to the third-party register. It will less commonly answer three questions:
- What is findable about each named member of the management body of the organisation engaging us — across data brokers, breach corpora, registry systems, and social surface?
- At the supplier-organisation layer: what does standard public-record due diligence on each supplier (registry filings, signed accounts, press, sanctions and adverse-media) reveal about their resilience to the same reconnaissance pattern?
- What patterns inside the engaging organisation — addresses, family ties, conference travel, shared advisers, public filings — would an OSINT-driven adversary assemble before attempting a pretext attack?
These are not vendor-risk questions answered by a SOC-2 report. They are reconnaissance questions answered by sitting in the seat of someone preparing a targeted approach. PI’s Mirror methodology runs that reconnaissance deliberately and reports its findings against the categories the directive already names, so that a board can document — in its own minutes, not a vendor’s marketing — what was assessed, what was found, and what was acted on.
A note on scope discipline. The named-individual depth described in the first question above is run on the engaging organisation’s own people; deeper named-individual investigation at supplier organisations sits behind a consent gate and is scoped separately. We return to that boundary further below.
For an in-depth view of how this reconnaissance work compares to what a controller already holds about a given person, see our analysis of right of access as reconnaissance under GDPR Article 15.
Article 21 obligations and the OSINT lens
The European Union Agency for Cybersecurity (ENISA) published its NIS2 Technical Implementation Guidance on 26 June 2025, mapping the security measures defined in Commission Implementing Regulation (EU) 2024/2690 across thirteen practice areas. ENISA’s guidance is a primary reference for any readiness programme.
It is also explicit, in its Q1 2026 update, that “where appropriate” in the multi-factor-authentication clause means a documented risk assessment per account class — not an optional control. That clarification cuts directly into the personnel-exposure question. The accounts most likely to satisfy the “appropriate” threshold are the ones whose holders are most exposed in public sources, because the threat model is no longer hypothetical for them. Mapping the exposure is what makes the risk assessment defensible.
For the governance side of Article 20 — what the directive requires of boards specifically and how personal liability flows through national transposition — see our piece on NIS2 personal liability for management bodies.
Which entities fall under NIS2?
The directive divides covered entities into two classes. Essential entities sit in sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space). Important entities sit in other critical sectors (postal and courier, waste management, manufacture and distribution of chemicals, food production, manufacturing, digital providers, research). Annex I and Annex II of the directive list them in full.
The size threshold is broadly 50 employees or €10 million turnover for medium entities, 250 employees or €50 million for large. Smaller entities can also fall in scope where they are sole providers of an essential service or where a member state designates them. If your organisation is in scope, the personnel-exposure question applies regardless of which sector you sit in — the categories Article 21 names do not change with vertical.
Timeline and enforcement state
The transposition deadline was 17 October 2024. As of May 2026, twenty-one member states have adopted national implementing measures; the remainder are in legislative finalisation (see the European Commission’s NIS2 transposition tracker). Administrative fines under the directive sit at the entity level: up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities. Personal consequences for board members flow through the national transposition rather than directly from the directive’s fine schedule, and their form varies by jurisdiction (see our analysis of NIS2 personal liability for boards).
Public enforcement actions began in early 2026. Belgium’s Centre for Cybersecurity has the most advanced supervisory posture among early implementers; Germany’s BSI is auditing registration compliance. The window for unobserved readiness work is closing.
What a Corporate Audit covers under NIS2
PI’s Corporate Audit is an OSINT-driven exposure assessment scoped against the categories the directive names. It is not a controls audit and it is not a certification exercise. It is what a determined adversary would have already assembled about your organisation before attempting to approach it.
A typical scope covers four layers:
- Named-executive exposure. Each member of the management body and each senior officer of the engaging organisation who would be addressed in a pretext attack: data broker presence, breach-corpus credentials, registry data, social surface, family-circle exposure where relevant. The engaging organisation contracts for this directly, and consent is established at intake.
- Supplier-side public-record review. Standard due diligence on direct suppliers and service providers using public-record sources (registry filings, signed accounts, press, sanctions and adverse-media checks). This level of review concerns the supplier as an organisation and the publicly disclosed officers of record. Deeper named-individual OSINT on supplier-side personnel is out of scope without separate consent — see the boundary note at the end of this section.
- Public-filing pretext library. What is reconstructable about the engaging organisation’s own structure, reporting lines, M&A history, board appointments, and communication patterns from open registry and press sources.
- Reportable artefacts. Findings tied to the Article 21 categories that cover them, in a format the management body can include in board minutes and the risk register.
Pricing is from €5,000, scoped at intake. Payment terms are 50% on engagement and 50% on delivery. Where ongoing posture is needed beyond the audit delivery, that is scoped as a separate engagement at the close of the initial work; pricing depends on the cadence and scope agreed.
A boundary note on third parties. The personnel-exposure layer described above is run on individuals who have a direct relationship with the engaging organisation: its own management body, its own senior staff, and people who fall within their household where the engaging individual or organisation has the standing to authorise the work. Investigation of named individuals at supplier organisations beyond standard due-diligence depth is only undertaken with consent — either from the persons themselves or from the supplier organisation engaging us directly. The directive’s 21(2)(d) supply-chain category does not, on its own, create a basis for depth OSINT on third parties; we hold to that line explicitly.
What this service is not
PI Solutions does not provide legal advice, regulatory interpretation, or compliance certification. We are not a law firm and we are not an audit firm in the regulatory sense. Decisions about how a given finding maps to a specific obligation under your national transposition of NIS2 — including whether a given exposure constitutes a deficiency requiring formal disclosure or remediation — should be taken with qualified legal counsel and, where relevant, your regulatory consultancy or supervisory authority.
What we provide is the analyst-led OSINT layer that supports those decisions. We map what is findable; we do not opine on what is required of you. That distinction is deliberate. It is also the line that separates exposure assessment from the regulated-audit lane Big-4 firms and accredited certification bodies occupy, and we hold to it explicitly.
NIS2 supply-chain risk under Article 21(2)(d)
Vendor-risk questionnaires are not the same instrument as supply-chain OSINT. A questionnaire asks the supplier what controls it claims to have. OSINT asks what the public record reveals about the people running it — the same question an attacker preparing a supplier-side pretext is already asking.
The 2018 Pathé case in the Netherlands is a useful European reference. The Dutch subsidiary wired roughly €19 million in a CEO-fraud sequence to operators impersonating the Paris-based parent. Every detail the operators needed — the parent-subsidiary structure, the executive names, the reporting line, the wire pattern — was a matter of public record before the first email went out. The supply-chain category in Article 21(2)(d) is exactly where that hand-off lived: the subsidiary CFO’s vendor contact, the M&A adviser copy chain, the wire window the attacker already knew about.
A scoped supply-chain pass under Corporate Audit operates at two distinct depths. At the supplier-organisation layer — registry filings, signed accounts, sanctions and adverse-media checks, public press, the publicly disclosed officers of record — the work is standard due diligence and is in scope without further authorisation. At the named-individual layer — deeper OSINT on specific people at the supplier — the work is only undertaken where consent is in place, either from those individuals or from the supplier organisation engaging us directly. The directive’s 21(2)(d) supply-chain category sets the obligation; it does not extend a basis for depth investigation of third parties without that gate. For depth on the human-factor vectors as they apply within the engaging organisation, see our analysis of NIS2 as a digital exposure risk vector.
UK and Ireland scope note
NIS2 itself does not apply to the United Kingdom or, in its current form, to Ireland on the same timeline as the rest of the EU. Both jurisdictions are worth tracking separately because the personnel-exposure question is jurisdiction-agnostic and the regulatory frameworks around it are moving.
The United Kingdom continues to operate under the Network and Information Systems Regulations 2018 — the NIS1 transposition, retained post-Brexit. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, completed its second reading in January 2026 and is in Public Bill Committee scrutiny as of February-March 2026. The bill amends the 2018 Regulations rather than replacing them and is expected to be enacted later in 2026. Daily fines of up to £100,000 for failure to act on identified threats have been signalled. UK organisations whose customers, suppliers, or board members operate in EU member states already in NIS2 scope are exposed to NIS2 directly through those relationships, irrespective of UK statute.
Ireland missed the 17 October 2024 transposition deadline. The National Cyber Security Bill 2024 is the intended transposition vehicle and will also place the National Cyber Security Centre on a statutory footing for the first time. Pending enactment, Irish operators continue to follow the existing NIS1 framework (S.I. 360 of 2018). The European Commission’s transposition tracker records Ireland’s status as in progress (see the NCSC Ireland NIS2 page for the national status).
For organisations with cross-border footprints, the practical reading is that the personnel-exposure surface is one continuous question, even where the statutory triggers vary. A Corporate Audit reports findings against the directive’s categories regardless of which national framework will eventually apply to the entity that engages us.
Engage
The Corporate Audit is from €5,000, scoped at intake. Turnaround is typically three to four weeks for a standard engagement and longer for cross-border scopes. Payment terms are 50% on engagement and 50% on delivery. We accept EUR bank transfer and BTC, ETH, or XMR for clients who prefer that route.
If you are mapping where the personnel-exposure layer fits into your NIS2 readiness work, that is the conversation we are set up for.
Talk to an Analyst, or read our analysis of NIS2 personal liability for boards first.