The European directives NIS2 (Network and Information Security Directive 2) and Critical Entities Resilience (CER) Directive have rapidly sharpened the conversation around digital resilience. While many organizations initially viewed these directives as an extension of their cybersecurity obligations, it is becoming increasingly clear that much more is at stake. These directives require a strategic transformation in how organizations manage risks, processes, and responsibilities. They compel CIOs, IT managers, and other IT leaders not only to reassess their security strategies to prevent data loss, but also to rethink their role as guardians of continuity, transparency, and trust. In short, resilience goes beyond cybersecurity.

In this blog, I’ll highlight the five biggest risks organizations must address in light of NIS2 and CER, and explain how focusing on these areas leads to a stronger, future-proof digital foundation.

What are NIS2 and CER?

As “directives”, NIS2 and CER provide goals and objectives that EU member states must achieve. These require transposition into national law by each member state, allowing flexibility in how the objectives are met.

NIS2

The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on Member States to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement.

Here, in the Netherlands, the NIS2 directive is being implemented into national legislation through the Cybersecurity Act (Cyberbeveiligingswet – Cbw). Its goal is to create greater consistency and coherence in European network and information security policy by increasing digital resilience and reducing the impact of cyber incidents.

Learn more: NIS2 Directive: securing network and information systems | Shaping Europe’s digital future.

CER

The CER directive is designed to ensure that organizations delivering essential services, in 11 key sectors, can continue operating during major disruptions. It focuses on strengthening resilience not only against cyber threats, but also against physical, operational, and environmental risks such as natural disasters, supply-chain failures, terrorism, or system outages.

The CER directive is being implemented in the Netherlands through the Critical Entities Resilience Act (Wet weerbaarheid kritieke entiteiten – Wwke). The purpose of this law is to increase the resilience of organizations that provide essential services in the Netherlands.


The 5 Biggest Risks You Need to Address Now for NIS2 and CER

I’ll now cover the 5 key risks associated with the NIS2 and CER directives that you need to consider, namely:

  1. Governance and responsibility
  2. Business continuity
  3. Supply chain responsibility
  4. Compliance and transparency
  5. Trust and reputation

Risk #1 – Governance and Responsibility: From Compliance to Demonstrable Control

One of the most discussed aspects of NIS2 is that responsibility for cyber resilience is explicitly placed with executive management, and that individual board members can be held personally liable. While CER does not (as yet) prescribe legal or personal liability for directors in the same way, boards are still required to take ownership and provide policy-level direction for digital resilience.

Executives and boards can no longer shield themselves behind the IT organization or external suppliers. They must demonstrate active governance, oversight, and an understanding of risks at a strategic level.

For IT leaders, this represents a fundamental shift: from operational executor to strategic advisor and risk manager. This raises an unavoidable question: how does an IT leader demonstrate that they are truly “in control”? This is where a major risk lies. When responsibilities are unclear and governance structures are insufficient, blind spots emerge that make organizations vulnerable.

A mature governance structure begins with clear roles and accountability. Everyone must know who makes decisions, who provides oversight, and how incidents are escalated. A shared language between IT, security, legal teams, and executive leadership is essential to understand and manage risks effectively. Transparency in decision-making and risk acceptance is not optional; it is a strategic necessity.

Risk #2: Business Continuity – Resilience as a Core Capability

Both NIS2 and CER emphasize operational continuity and resilience: the ability of organizations to continue delivering essential services even under disruptive conditions. Cybersecurity, business continuity planning, and disaster recovery are no longer optional—they are core elements of operational strategy.

Business continuity under NIS2 and CER is not just about recovery after an incident, but also about preventing outages and minimizing recovery time. Organizations cannot respond effectively if they lack real-time insight into what is failing. Those with visibility into critical processes, systems, and services are far better equipped to withstand disruptions.

This requires investment in proactive detection and scenario-based stress testing. The future of resilience lies in continuous awareness—the ability to see where threats are emerging before users are impacted.

Risk #3: Supply Chain Responsibility – The Weakest Link Determines Resilience

Under NIS2 and CER, responsibility extends beyond the boundaries of the organization itself. Suppliers, partners, and IT service providers are explicitly included in risk assessments. Organizations remain responsible for the security of their supply chain and must gain visibility and control through screening, monitoring, and contractual obligations.

A significant risk lies in hidden dependencies. Many organizations do not fully understand which third parties have access to their core systems or data. CIOs and IT managers must therefore develop a holistic view of their digital ecosystem. This requires data-driven insight into dependencies, vulnerabilities, and performance across external parties.

Supply chain transparency becomes not only a compliance requirement, but a prerequisite for trust. Regulators under NIS2 and CER will expect organizations to demonstrate control over their supply chains—not merely rely on contracts with vendors and partners.

Risk #4: Compliance and Transparency – Evidence Does Not Come From Spreadsheets

New regulations often prompt organizations to focus on policies, documentation, and audit preparation. However, NIS2 and CER demand more than periodic compliance—they require continuous demonstrability.

The risk is treating compliance as an end goal rather than a component of good governance. Organizations that only react to external requirements remain perpetually behind. When compliance is approached as an ongoing process of transparency, the focus shifts from hindsight to foresight.

Organizations must be able to prove they are in control of risks by providing transparent, verifiable evidence. Automation enables continuous assurance, ensuring that controls remain effective and compliance becomes a trust-building mechanism for boards, regulators, and customers alike.

Risk #5: Trust and Reputation – Digital Resilience as the Foundation for Continuity and Market Position

In the digital age, trust is a critical prerequisite for business continuity and competitive positioning. When digital incidents can make headlines within minutes, the response is as important as the incident itself. Restoring services is essential, but preventing long-term reputational damage is equally critical.

A single incident can erode the confidence of customers, shareholders, and partners. Trust cannot be rebuilt through technical fixes or marketing campaigns alone—it requires sustained trust management. NIS2 and CER make trust tangible and measurable by requiring organizations to demonstrate control, transparency, and accountability in protecting critical services.


The Connecting Factor: Observability as the Foundation for Trust and Resilience

The common thread across all five risks is visibility—the ability to continuously understand what is happening, where risks are emerging, and how controls are performing. This is where observability becomes essential.

A modern observability solution provides contextual insight across the entire digital chain, from infrastructure and applications to user experience and compliance. By combining technical data with business context, organizations gain a unified view of digital health and risk.

With observability, CIOs and IT leaders can substantiate governance with real-time insight, strengthen continuity through early detection, fulfil supply chain responsibility with full ecosystem visibility, automate compliance reporting, and protect trust through transparency and rapid incident response.

Ultimately, observability is a strategic instrument for complying with NIS2 and CER and for achieving true digital resilience—today and in the future.

Conclusion

NIS2 and CER mark a turning point. What were once IT concerns are now board-level responsibilities and benchmarks for trust. CIOs and IT managers operate at the strategic core of their organizations.

The five risks—governance, continuity, supply chain responsibility, compliance, and trust—define the arena in which digital leaders make the difference. Observability is the key enabler, making risks visible, manageable, and provable.

Investing in observability today is an investment not just in technology, but in digital credibility. And that is ultimately the broader purpose served by NIS2 and CER: a resilient, transparent, and trustworthy digital society.

To learn more about the practicalities of NIS2 and how the eG Enterprise observability platform helps organizations implement workflows and strategies that address its demands, see: What is NIS2 Compliance? And How to Use Proactive Monitoring to Automate Compliance | eG Innovations.
