The Network and Information Security Directive 2 (NIS2) entered into force in the EU in January 2023 and member states were required to transpose it into national legislation by October 2024. But legislation alone changes nothing. What changes outcomes is the recognition that technology alone cannot secure an organization whose people remain unaware, unprepared, or untrained.
The attackers who breached MGM Resorts International in September 2023 did not exploit a software vulnerability. They picked up the phone, impersonated an employee, and talked their way past the IT helpdesk in under 10 minutes. The resulting disruption cost the company an estimated $100 million in operational losses. Technology controls were in place. The human layer was not.
NIS2 is the European Union's direct legislative response to a decade of evidence that has reached the same conclusion over and over again: the human being is both the most exploited attack surface and the most powerful security asset any organization possesses. The directive does not merely ask you to install better firewalls. It demands that you measure, manage, and continuously improve the security behaviors of every individual in your workforce.
What NIS2 Actually Requires and Why It Is Different from NIS1
The original NIS Directive, adopted in 2016, was groundbreaking at the time but left enormous gaps. NIS1 covered a narrow set of operators of essential services and digital service providers, and enforcement across member states was inconsistent. A 2021 European Commission review found that the impact of NIS1 had been "limited" and that the threat landscape had "fundamentally changed." NIS2 addresses those failures decisively. The scope is vastly wider, the obligations are more specific, and the consequences for non-compliance are severe enough to demand board-level attention.
Who Is Now in Scope
NIS2 classifies every in-scope organization into one of two tiers. The tier applied to your organization determines how closely regulators will watch you, how quickly they can act against you, and how large a financial penalty you could face.

- Essential entities are those operating in the eleven highest-criticality sectors listed in Annex I of the directive. These organizations are subject to proactive supervision. Competent authorities do not need to wait for an incident to act. They can conduct on-site inspections, demand documentation, commission independent security audits, and issue binding instructions at any time. The maximum penalty for essential entities is €10 million or 2% of global annual turnover, whichever is higher. For a large multinational, that percentage-based ceiling can dwarf the fixed figure significantly.
- Important entities cover the seven sectors in Annex II. These organizations face reactive supervision, meaning regulators will typically engage following a reported incident, a complaint, or intelligence that compliance may be deficient. The maximum penalty is €7 million or 1.4% of global annual turnover, whichever is higher. The lower ceiling does not imply lighter obligations.
The Size of the Entities
The size threshold matters too. Under NIS2, medium-sized entities (50 or more employees, or annual turnover exceeding €10 million) in covered sectors are automatically in scope. This brings tens of thousands of organizations into the regulatory framework that previously had no formal EU cybersecurity obligations at all.
Article 21: The Practical Core of the Directive
Article 21 is the heart of the directive from a practical standpoint. It mandates that covered entities adopt "appropriate and proportionate technical, operational and organizational measures" to manage cybersecurity risks. Those measures must include, among other things, policies on the use of cryptography, access control, multi-factor authentication, awareness and training for all staff, and incident handling procedures.
Note the explicit inclusion of awareness and training. NIS2 does not treat staff education as a box to tick. It treats it as a core risk management measure, at the same level as encryption and access controls. That is a legislative statement about where cyberattacks actually begin.
Personal Liability for Senior Leaders
Senior management accountability is another significant departure from the original directive. Under NIS2, management bodies can be held personally liable for cybersecurity failures. They can be required to undergo specific cybersecurity training and can be temporarily banned from managerial roles following severe breaches.
The Human Attack Surface: Where Breaches Actually Start
Before exploring what Human Risk Intelligence (HRI) looks like in practice, it is worth dwelling on why the human element warrants its own strategic framework, distinct from conventional security tooling.
- 82% of breaches trace back to a human element, according to Verizon's 2023 Data Breach Investigations Report.
- 3.4 billion phishing emails are sent every day globally (Statista, 2023), and the median time for a recipient to click a malicious link is just 60 seconds after it arrives in their inbox (Verizon DBIR 2024).
- When a breach does occur, the average global cost now stands at €4.45 million, a 15% rise over three years (IBM Cost of a Data Breach Report 2023).
These numbers do not tell the full story, however. Raw statistics about phishing or breach costs miss the subtler point: human behavior in cybersecurity is not random. It is predictable, measurable, and preventable.
- Certain individuals are more likely to click a malicious link.
- Certain teams consistently fail to report suspicious emails.
- Certain departments handle sensitive data in ways that create exposure.
Human Risk Intelligence is the discipline of understanding these patterns at the individual and organizational level, and then acting on that understanding systematically.
The Anatomy of a Human-Initiated Breach
The attack chain that begins with a human error or deception rarely ends with that single act. It cascades. A credential phished from a junior accounts payable employee becomes lateral movement across the network. An unpatched endpoint used by a remote worker becomes the foothold for ransomware. An accidental email to the wrong recipient becomes a reportable data breach under GDPR. Each of these scenarios is also a NIS2 incident.

The 194-day average dwell time referenced above is not a theoretical horror story. It is a median figure from Mandiant's 2024 M-Trends report, reflecting real investigations across real organizations. By the time the alarm sounds, the attacker has often already achieved their objective. The only reliable way to compress that window is to prevent the initial human-layer breach from succeeding in the first place.
NIS2 Article 21: What HRI Looks Like in Practice
Human Risk Intelligence is not a product category. It is a methodology. It combines continuous behavioral assessment, targeted intervention, and measurable improvement into a coherent program that treats every person in the organization as a dynamic risk variable.
NIS2 Article 21 implicitly describes the outputs of a Human Risk Intelligence program without naming the discipline: when the directive requires organizations to maintain "policies and procedures to assess the effectiveness of cybersecurity risk-management measures," it is describing risk scoring; when it mandates "human resources security, access control policies and asset management," it is describing the behavioral layer of identity risk; and when it requires "awareness raising, education and training," it is demanding evidence-based learning.

Individual Risk Profiling
Traditional security awareness programs treat the entire workforce as a single homogeneous group. Everyone gets the same phishing simulation on the same day. Everyone watches the same 15-minute video. This approach produces comfortable reporting metrics and almost no meaningful behavior change.
Human Risk Intelligence begins instead with differentiated risk profiling. An accounts payable clerk who processes wire transfer requests carries a categorically different risk profile from a developer with administrative access to production systems, who in turn differs from a warehouse supervisor whose email account is primarily used to receive shift schedules. Each profile attracts different attack vectors, different required knowledge, and different acceptable risk thresholds.
NIS2's proportionality principle is important here. Article 21(1) requires measures that are "appropriate and proportionate" to the risk. A risk profiling capability allows organizations to demonstrate to regulators not just that they have a training program, but that their training program is calibrated to actual risk exposure. That is a fundamentally different, and far more defensible, compliance posture.
Continuous, Realistic Simulated Attacks
The phishing simulation market has matured significantly over the past decade, but many organizations still treat it as a once-a-year exercise. One simulated attack per year measures approximately nothing. It does not capture seasonal vulnerability (tax season produces measurably higher click rates on financial-themed lures), departmental variation, or the effect of recent training on behavior.
Under NIS2, proportionate and appropriate risk management implies that your understanding of human risk is current, not twelve months old. Continuous phishing simulation campaigns, varying in technique across email, SMS (smishing), and voice (vishing), produce the longitudinal data that a Human Risk Intelligence program requires. They also produce the documented evidence that regulators may request to verify that an organization's awareness measures are operational rather than theoretical.
Adaptive, Role-Based Microlearning
The evidence on security awareness training is clear: long-form, infrequent training does not produce lasting behavior change. A two-hour annual compliance session followed by eleven months of silence is not a training program. It is a liability documentation exercise.
Effective HRI delivers short, targeted learning interventions at the moment of relevance. When an employee clicks a simulated phishing link, they receive immediate, non-punitive learning about why that link was dangerous and what they should have looked for. When a new threat type emerges, such as QR code phishing (quishing), the employees most likely to encounter it receive a short module within days, not at the next annual review cycle.
Role-based microlearning is essential for NIS2 compliance for two reasons. First, Article 21 specifically requires that organizations ensure staff have "adequate knowledge" to manage their specific risk exposure. Second, the management liability provisions in Article 20 require that board-level personnel themselves receive cybersecurity training appropriate to their decision-making responsibilities. Executives need to understand governance frameworks, supply chain risk, and regulatory obligations. They do not need to watch the same phishing awareness video designed for junior employees.
Building a Reporting Culture
NIS2's 24-hour early warning requirement is one of the most operationally demanding aspects of the directive. It requires that organizations detect incidents quickly and report them faster than almost any previous regulatory framework required. For that to be achievable, the people closest to the evidence of an incident must feel empowered and obligated to report what they see.
In many organizations, the culture around security incidents is precisely the opposite. Employees who click a suspicious link often say nothing for fear of embarrassment or reprimand. IT teams that identify anomalies sometimes rationalize them away rather than escalate. This silence is where the 194-day dwell time is born.
Building a genuine reporting culture means making it psychologically safe to report errors, creating frictionless channels for doing so, and treating every report, including those that turn out to be false alarms, as a positive contribution to the organization's security posture. HRI provides a practical mechanism to achieve NIS2's notification obligations.
Measurement and Evidence
One of the most significant practical implications of NIS2 is that organizations must be able to demonstrate their cybersecurity posture, not merely assert it. National supervisory authorities have powers of on-site inspection, off-site supervision, and targeted security audits under Article 32. They can require organizations to provide evidence of compliance with specific provisions.
The ability to produce the evidence on demand is not a nice-to-have. Organizations that rely on spreadsheets, email threads, and manually compiled training records will struggle to produce coherent evidence under audit pressure. A platform that automatically generates audit-ready reports is a must under NIS2.
Is Your Organization NIS2 Ready?
NIS2 is the most significant cybersecurity regulatory development in the European Union since GDPR. Its expanded scope, specific technical obligations, personal liability provisions, and strict enforcement powers create a compliance environment in which "we have a firewall and an antivirus" is simply not an adequate answer.
The directive's explicit inclusion of awareness and training as a mandatory security measure is not incidental language. It reflects fifteen years of post-breach analysis reaching the same conclusion: sophisticated technical controls fail when an untrained employee clicks, types, speaks, or shares at the wrong moment. Human Risk Intelligence is the strategic response to that reality.
Organizations that implement a genuine Human Risk Intelligence program will not merely achieve NIS2 compliance. They will build a workforce that is genuinely harder to compromise, a culture that surfaces incidents faster, and a measurable evidence base that demonstrates their security posture to regulators, insurers, customers, and partners. Want to know more about NIS2 and turn human risk into human resilience? Explore the demo hub to see our security awareness solution and the wider human risk suite in action.