
This week, the UK Cyber Security and Resilience Bill completes its final Commons reading. In three weeks, the first wave of NIS2 compliance audits reaches its deadline. For security leaders across Europe, the window for treating these obligations as a future problem has closed.

When the EU’s NIS2 Directive came into full force at the end of 2024, it did something no European cybersecurity regulation had done before: it made cybersecurity failure personal.

Under Article 20, the management body — not the CISO, not the security team, but the CEO, the board, the directors — is personally accountable for cybersecurity governance. In the most serious cases, regulators can temporarily suspend individuals from management functions. Germany’s BSI issued 47 formal enforcement notices in Q4 2025. France’s ANSSI issued remediation orders to 23 entities in energy and transport. The European Commission referred seven member states to the Court of Justice for failing to transpose the Directive. The first round of NIS2 compliance audits is now underway.

This is not a framework in transition. It is a regulation in enforcement.

And yet, the most consequential challenge facing the 160,000+ entities now in scope — a tenfold expansion from NIS1 — is not the one being discussed in most compliance conversations. The conversations are focused on the deadlines. The real problem is the assumption buried inside them.

What “Become Aware” Actually Requires

NIS2 Article 23 sets a three-stage reporting obligation: a 24-hour early warning, a 72-hour incident notification including indicators of compromise, and a comprehensive final report within one month. All three clocks start from the same trigger: the moment the entity becomes aware of a significant incident.

That framing is deceptively simple. Before you file a 24-hour early warning, you have to know the incident occurred, determine whether it meets the “significant” threshold, characterize it to a national regulator with enough detail to be useful, and include available indicators of compromise. For the 72-hour notification, regulators expect an initial severity assessment and the indicators behind it. The one-month report demands a full accounting of what happened, how it was handled, and what changed.

None of this is unreasonable when you have the intelligence infrastructure to support it. Most organizations don’t. ENISA received over 2,400 incident reports in the first six months after NIS2’s enforcement deadline — a 340% increase from the prior year. That surge is not evidence the system is working. It is evidence that incidents are happening at scale while detection architectures remain fragmented, manual, and slow.

The regulation has set the clocks. It has not provided the architecture that makes those clocks achievable.

The Asymmetry of Early Detection

The “become aware” framing contains an important asymmetry. Organizations that detect threats later don’t get more time to comply — they face the same clocks from a worse position. Organizations that detect earlier don’t just reduce compliance risk. They may prevent the incident from reaching the reportable threshold at all.

In the data we tracked for the Fortinet FortiWeb vulnerability (CVE-2025-64446), Dataminr’s AI systems detected early exploit activity on October 7, 2025. There was no published CVE, no vendor advisory, no CSIRT alert. The vulnerability was added to known exploited catalogs on November 14 — 38 days later. Organizations that received our early intelligence spent those 38 days hardening defenses and validating controls. When the formal advisory arrived, they weren’t beginning their response. They had already completed it. Under NIS2, that meant the context, documentation, and control validation needed for a defensible early warning was already in place — not being assembled under a 24-hour deadline.

This is what preemptive architecture actually delivers. And it is what AI-accelerated adversaries are making mandatory: in the threat data we analyze, the window between vulnerability disclosure and active exploitation has compressed from weeks to hours for a growing category of threats. Faster adversary timelines and slower detection architectures mean the window in which organizations can meaningfully respond is narrowing on both ends simultaneously.

What NIS2 Is Actually Mandating — and What Gartner Has Named

Article 21 requires essential and important entities to implement proactive threat detection and monitoring as a legal obligation — one of ten mandatory risk management measures. The ENISA Technical Implementation Guidance published in June 2025 is explicit: “prevention, detection, monitoring, analysis, and mitigation” must function as an active capability, not a reactive posture. Article 21 also requires continuous supply chain security monitoring — ongoing surveillance of supplier-specific vulnerabilities at a scale that cannot be done manually.

Europe faces a structural cybersecurity workforce gap of approximately 274,000 professionals. Fewer than one in three organizations plan to add headcount. For the 145,000+ organizations newly in scope under NIS2, most of which have no dedicated threat intelligence function, this is not a staffing gap. It is a structural incompatibility between what the regulation requires and what their teams can operationally deliver.

Two Gartner frameworks define what the answer looks like. Unified Cyber Risk Intelligence (UCRI) defines what must be connected: external threat signals, internal exposure data, and business risk, fused into a shared decision model. Continuous Threat Exposure Management (CTEM) defines how it must operate: continuously identifying, validating, and prioritizing exposure as conditions change — not in quarterly assessment cycles. Together, they describe the same architecture NIS2 effectively mandates. Dataminr for Cyber Defense is built to operationalize both — end to end, from first signal to risk-prioritized action.

Three Capabilities That Close the Gap

Dataminr for Cyber Defense delivers this as an integrated system. Three capabilities work together, each addressing a specific dimension of what NIS2 requires.

Client-Tailored Threat Intelligence

Client-Tailored Threat Intelligence uses more than 100 specialized AI models to continuously monitor over one million public sources across 150 languages — assembling early indicators of emerging threats and filtering them through each organization’s specific assets, technologies, and supply chain exposure. The difference between a generic threat feed and what this delivers is the difference between knowing a vulnerability exists and knowing whether it matters to you right now. That distinction is what makes a 24-hour NIS2 early warning substantive rather than a placeholder filed under deadline pressure.

Agentic TI Ops

Agentic TI Ops transforms early signals into structured, lifecycle-managed intelligence — automatically enriched with actors, TTPs, and indicators of compromise, maintained as situations evolve, and reusable across detections, response, and reporting. The one-month NIS2 final report requires comprehensive, documented intelligence. Organizations running Agentic TI Ops produce it from their existing intelligence record, because the assembly work was being done continuously — not triggered by the reporting obligation.

Predictive Threat Exposure Management

Predictive Threat Exposure Management continuously measures whether defenses are actually enforced across critical assets using live telemetry, then translates that exposure into financial risk. Article 21’s proportionality principle requires security measures to match actual risk exposure. The board members now personally liable under Article 20 need that risk expressed in financial terms they can act on and defend. The CISO who walks into a board meeting with quantified, evidence-backed risk data is the CISO whose board can demonstrate active cyber governance to any regulator who comes asking.

What the Enforcement Trajectory Tells Us

The organizations that will face the most significant enforcement exposure are not necessarily those that have had incidents. They are the organizations that cannot demonstrate proactive, continuous threat monitoring; cannot produce evidence of structured intelligence operations; and cannot show board-level engagement with financially grounded risk. All three are what NIS2 requires. All three are what auditors are now looking for.

The Directive has set the clock for 160,000 entities across Europe. The goal should not be to comply with a 24-hour deadline. The goal should be to build a defense architecture so well-connected that when the clock starts, the work of understanding exposure and documenting risk has already been done — because it was being done continuously, at the speed of the threat, not the speed of the audit cycle. That is the architecture Dataminr for Cyber Defense is designed to provide.

The June 30, 2026 NIS2 audit deadline and the UK bill’s final passage are not separate events on separate timelines. They are two signals of the same shift: European cybersecurity regulation has moved from preparation to enforcement, and the personal accountability it carries is real. If your organization cannot yet demonstrate proactive threat monitoring, structured intelligence operations, and financially grounded risk oversight to a regulator, the time to build that capability is now — not after the first audit finding.

Author
Tim Miller, Global Field CTO & Chief Cybersecurity Strategist
June 11, 2026