FortisEU Blog
NIS2 | 10 February 2026 | 12 min read | Attila Bognar

NIS2 in 2026: What enforcement looks like now (and what boards ask)

NIS2 enforcement is live across Europe. This guide covers which national competent authorities are active, what supervisory interactions look like, and how to prepare for the questions boards are asking their CISOs.

Tags: NIS2, Board reporting, Incident reporting, Supply chain, Enforcement

NIS2 enforcement in 2026 is no longer a compliance planning exercise. It is an operational reality. National competent authorities across Europe have moved from transposition and entity registration to active supervision, and the pattern of supervisory interactions is becoming clear enough to prepare for. Boards have shifted their NIS2 questions from "Are we in scope?" and "Have we started a program?" to harder questions: "Can we demonstrate our controls work under pressure?" and "What happens if we get a supervisory request next week?" This guide covers the enforcement landscape as it stands in early 2026, the supervisory interaction patterns that are emerging, the specific questions boards are asking their CISOs, and how to prepare for the first NIS2 supervisory review.

The Enforcement Landscape: Which National Competent Authorities Are Active

NIS2 required Member States to transpose the directive into national law by 17 October 2024. The transposition process has been uneven across the EU, but enough Member States have completed transposition that enforcement is now active in the jurisdictions where most essential and important entities operate.

Germany's BSI has been among the most active authorities, leveraging its existing mandate under the IT Security Act 2.0 and the enhanced powers granted by the NIS2 implementing legislation. BSI has issued guidance on entity registration, reporting obligations, and minimum security standards, and has begun proactive outreach to entities in the energy, transport, and digital infrastructure sectors.

France's ANSSI, building on its long-standing role as a national cybersecurity authority, has integrated NIS2 requirements into its existing regulatory framework. ANSSI's supervisory approach emphasizes operational capability over documentation, reflecting the French regulatory tradition of technical assessment.

The Netherlands' NCSC has published detailed guidance on NIS2 obligations and has begun sector-specific supervisory programs, particularly in critical infrastructure sectors where the Netherlands has significant concentration (port operations, energy, digital services).

Italy's ACN (Agenzia per la Cybersicurezza Nazionale), established in 2021, has used NIS2 transposition as an opportunity to build supervisory capacity. ACN has focused on entity identification and registration as a precursor to active supervision.

The Nordic authorities (Sweden's MSB, Finland's Traficom, Denmark's CFCS) have adopted coordinated approaches to NIS2 supervision, reflecting the cross-border nature of Nordic infrastructure and digital services.

For multi-jurisdiction entities, the enforcement landscape creates a practical challenge: different national competent authorities have different supervisory approaches, different evidence expectations, and different enforcement priorities. An entity operating in five Member States may face five different supervisory interactions with five different evidence standards. Building a compliance program that can satisfy the most demanding NCA while maintaining consistent operations across all jurisdictions is the pragmatic approach.

What Supervisory Interactions Look Like

NIS2 Article 32 grants national competent authorities extensive supervisory powers over essential entities, including on-site inspections, security audits, requests for evidence, and requests for access to data. Article 33 provides similar but somewhat reduced powers for important entities. Article 34 outlines enforcement measures including binding instructions, implementation orders, and administrative fines.

In practice, supervisory interactions in early 2026 are following predictable patterns.

Entity registration verification. The baseline supervisory activity is verifying that entities have registered with the relevant NCA and have designated a contact point for cybersecurity matters. Entities that have not registered are receiving formal notifications with deadlines. This is the lowest-friction supervisory interaction, but failure to register creates immediate regulatory exposure.

Evidence requests for specific Article 21 measures. NCAs are requesting evidence that entities have implemented the measures specified in Article 21(2). These requests are typically sector-targeted (energy sector entities receiving requests about operational technology security, financial sector entities about supply chain risk) and measure-specific (not a general "show us your program" request but a focused "show us your incident handling procedures and evidence of their execution").

Incident reporting compliance. NCAs are monitoring whether entities comply with Article 23 notification timelines: initial notification within 24 hours of becoming aware of a significant incident, intermediate report within 72 hours, and final report within one month. Entities that experience incidents and fail to meet notification timelines face the most immediate enforcement attention, because notification compliance is binary and easily verified.

Supply chain risk management inquiries. Several NCAs have prioritized Article 21(2)(d) supply chain security in their supervisory programs, reflecting the legislative emphasis on supply chain risk and the high-profile supply chain incidents of recent years. These inquiries ask entities to demonstrate that they assess the security practices of their direct suppliers and service providers, that they include cybersecurity requirements in contracts, and that they monitor vendor risk on an ongoing basis.

Management body accountability checks. Under Article 20, management bodies must approve cybersecurity risk-management measures and oversee their implementation. Some NCAs are beginning to request evidence of board-level engagement: minutes of cybersecurity briefings, evidence of management body training in cybersecurity, and records of management body approval for specific security measures. This is the most uncomfortable supervisory pattern for organizations where cybersecurity governance has been delegated entirely to the CISO without genuine board engagement.

The Questions Boards Are Asking Their CISOs

Board-level NIS2 conversations in 2026 have matured beyond awareness and scoping. The questions that boards are asking reflect a growing understanding that NIS2 creates personal accountability for management body members and that superficial compliance will not survive supervisory scrutiny.

"Can we produce evidence of our Article 21 compliance within 48 hours of a request?" This question reflects the practical reality that NCAs can request evidence at any time and that the response window is typically days, not weeks. An organization that needs two weeks to assemble its evidence package is operationally unprepared for supervision, regardless of how strong its controls are. The board wants to know whether the evidence is ready or whether a request would trigger a scramble.

"Who is personally accountable for each element of our cybersecurity program?" Article 20's management body accountability provisions have made boards acutely aware that diffuse responsibility is a liability. If the board asks who owns incident handling and the answer involves three teams with overlapping mandates, the accountability structure is unclear and the board is exposed. Boards want named individuals with clear mandates for each Article 21 measure.

"What would our first supervisory review reveal?" Sophisticated boards are asking for a mock supervisory review: pretend the NCA arrives next week and examine what they would find. This exercise is uncomfortable because it surfaces the gaps between documented program and operational reality. It is also the single most valuable preparation activity because it reveals the same gaps the NCA would find.

"How do we compare to our sector peers?" Boards want context for their risk posture. Are peer organizations further along in NIS2 implementation? Are they investing more? Have they experienced supervisory interactions, and what was the outcome? This benchmarking request is difficult to satisfy with precision, but sector-level ENISA reporting and industry working group information provide directional guidance.

"What is the maximum fine exposure and the realistic enforcement scenario?" Article 34 specifies maximum administrative fines of at least 10 million EUR or 2% of total worldwide annual turnover for essential entities (whichever is higher). Boards want to understand not just the theoretical maximum but the realistic enforcement scenario: what level of non-compliance triggers fines versus binding instructions versus public disclosure? The honest answer is that enforcement practice is still establishing precedent, but the direction of travel based on early supervisory actions suggests that NCAs will escalate incrementally: guidance, then binding instructions, then fines, with immediate fines reserved for egregious failures or repeat non-compliance.

"Are our management body members trained as Article 20 requires?" Article 20(2) requires management body members to "follow specific training" and to "offer similar training to their employees on a regular basis." Boards are asking whether this training has occurred, what it covered, and whether it satisfies the regulatory expectation. Generic cybersecurity awareness training does not satisfy Article 20. The training should cover NIS2-specific obligations, the management body's supervisory responsibilities, and the entity's specific risk landscape.

Preparing for the First NIS2 Supervisory Review

Preparation for a supervisory review is not a compliance documentation exercise. It is an operational readiness exercise. The NCA will assess not whether documents exist but whether the organization can demonstrate operational capability.

Build a standing evidence pack. For each Article 21(2) measure, maintain a current evidence package that can be produced within 48 hours. The evidence should include the policy or procedure, evidence of its implementation (not just its existence), evidence of its effectiveness (metrics, test results), and evidence of management body awareness or approval. This evidence pack should be a living system, not a document prepared before the audit. Continuous control monitoring platforms generate this evidence as a byproduct of normal operations.

Run a mock supervisory review. Engage an independent assessor (internal audit, external advisor, or peer CISO) to simulate a supervisory review. Use Article 32 powers as the framework: the assessor should request specific evidence, examine its completeness and timeliness, interview key personnel about their responsibilities, and assess whether the organization can respond to the request within a realistic timeframe. Document the findings and remediate gaps.

Verify incident reporting capability. Simulate a significant incident and test the organization's ability to meet Article 23 timelines. Can the organization detect a significant incident, assess its impact, draft an initial notification, and submit it to the relevant CSIRT within 24 hours? Can it produce an intermediate report within 72 hours? This is the most time-sensitive NIS2 obligation and the one most likely to be tested by an actual incident before a supervisory review.
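The timeline test described above can be scripted so that a tabletop exercise produces a verifiable result rather than a narrative. The following is an added example, not FortisEU code and not part of the original post: it computes the Article 23 deadlines from the moment the entity became aware of the incident and grades each submission as on time, late, pending or overdue. The notification stage names, the constructed timestamps, and the modelling of "one month" as 30 days counted from the 72-hour notification are assumptions made for the example.

```python
"""Article 23 notification timeline check (constructed example, not FortisEU code)."""
from datetime import datetime, timedelta, timezone

# Timelines stated in the post: 24 hours, 72 hours, one month.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)  # "one month" modelled as 30 days (assumption)


def notification_deadlines(aware_at, incident_notification_at=None):
    """Deadlines for each stage, measured from the time the entity became aware.

    The final report clock is assumed to start when the 72-hour notification was
    actually submitted; if it has not been submitted yet, its own deadline is used.
    """
    t72 = aware_at + INCIDENT_NOTIFICATION
    final_anchor = incident_notification_at if incident_notification_at else t72
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": t72,
        "final_report": final_anchor + FINAL_REPORT,
    }


def evaluate_timeline(aware_at, submitted, now):
    """Grade each stage: on_time / late / pending / overdue.

    submitted maps stage name -> datetime of submission, or None if not yet sent.
    """
    deadlines = notification_deadlines(aware_at, submitted.get("incident_notification"))
    result = {}
    for stage, deadline in deadlines.items():
        sent_at = submitted.get(stage)
        if sent_at is None:
            result[stage] = "overdue" if now > deadline else "pending"
        else:
            result[stage] = "on_time" if sent_at <= deadline else "late"
    return result


# Constructed exercise data: awareness at 09:30 UTC, early warning sent after
# 22.5 hours, 72-hour notification sent 1.5 hours past its deadline, final report
# not yet submitted when the check runs.
AWARE_AT = datetime(2026, 1, 12, 9, 30, tzinfo=timezone.utc)
SUBMITTED = {
    "early_warning": datetime(2026, 1, 13, 8, 0, tzinfo=timezone.utc),
    "incident_notification": datetime(2026, 1, 15, 11, 0, tzinfo=timezone.utc),
    "final_report": None,
}
NOW = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, status in evaluate_timeline(AWARE_AT, SUBMITTED, NOW).items():
        print(f"{stage:22s} {status}")
```

Run against real exercise timestamps, the "late" result on the 72-hour stage is exactly the kind of finding an NCA can verify without interpretation, which is why the post calls notification compliance binary.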

Audit supply chain documentation. Review contracts with direct suppliers and service providers for cybersecurity requirements. Verify that the organization has assessed the security practices of critical vendors, that contractual requirements for security are in place, and that vendor risk is monitored on an ongoing basis. Supply chain security under Article 21(2)(d) is a supervisory priority in 2026 and a frequent gap area.

Document management body engagement. Compile evidence of board-level cybersecurity engagement: meeting minutes where cybersecurity risk was discussed, records of management body approval for security measures, training records for management body members, and evidence that the board receives regular cybersecurity risk reporting. If this evidence is thin, the management body accountability provisions of Article 20 create direct exposure for board members.

Map to the national implementation. While Article 21 provides the EU-level framework, the national transposition may include additional or more specific requirements. Verify that the compliance program addresses national-level specificities, not just the directive text. ENISA's NIS2 implementation guidance provides a reference, but the national law is the binding obligation.

Articles 32-34: Understanding Supervision and Enforcement Powers

Understanding the NCA's powers helps organizations calibrate their preparation.

Article 32 (Essential entities). NCAs may conduct on-site inspections and off-site supervision including random checks, regular security audits, ad hoc audits (triggered by incidents or evidence of non-compliance), security scans, and requests for information and evidence. NCAs may also request access to data, documents, and information necessary to carry out their supervisory tasks. The scope of these powers is broad and allows for intrusive examination of an entity's cybersecurity posture.

Article 33 (Important entities). Supervisory measures for important entities are "ex post" rather than "ex ante," meaning NCAs generally supervise important entities after an incident or evidence of non-compliance rather than proactively. However, the measures available are similar: NCAs may conduct on-site inspections, request evidence, and order security audits.

Article 34 (Enforcement measures). When an NCA determines non-compliance, it may issue binding instructions requiring the entity to remedy the non-compliance, implement the recommendations of a security audit, bring security measures into compliance, or inform the natural or legal persons to whom they provide services of the nature of the threat. NCAs may also impose administrative fines: up to 10 million EUR or 2% of total worldwide turnover for essential entities, and up to 7 million EUR or 1.4% of total worldwide turnover for important entities.

The escalation model in practice follows a pattern: guidance and recommendations first, binding instructions if guidance is not followed, administrative fines for persistent non-compliance or egregious failures. NCAs have discretion in enforcement and are likely to apply proportionality in early supervision. However, entities that demonstrate clear disregard for their obligations (failure to register, failure to report incidents, absence of basic security measures) should expect more aggressive enforcement.

Building Board Confidence Through Operational Evidence

The common thread across board questions and supervisory expectations is evidence. Not policy documents, not slide decks, not intentions, but operational evidence that controls exist, function, are tested, and are supervised by an accountable management body.

Board confidence in NIS2 readiness comes from four evidence streams running continuously:

Control effectiveness evidence. Automated monitoring of critical controls with evidence freshness SLAs, drift detection, and exception management. The board should see a control confidence metric that reflects the current operational state, not last quarter's attestation.
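The standing evidence pack described under "Preparing for the First NIS2 Supervisory Review" and the control effectiveness stream above both come down to the same check: for every Article 21(2) measure, is each required kind of evidence present, fresh, and unchanged from what the management body approved? The following added example (not FortisEU code and not part of the original post) implements that check over a constructed pack. The three measures listed, the four evidence kinds, the freshness SLAs per kind, and the idea of detecting drift by comparing a SHA-256 digest of the collected artifact against an approved baseline are all assumptions made for the example.

```python
"""Evidence-pack freshness and drift check (constructed example, not FortisEU code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib

# Subset of Article 21(2) measures used in this example; labels are paraphrased.
MEASURES = {
    "b": "incident handling",
    "d": "supply chain security",
    "g": "cyber hygiene and training",
}

# The post asks for policy, implementation, effectiveness and approval evidence per measure.
REQUIRED_KINDS = ("policy", "implementation", "effectiveness", "approval")

# Assumed freshness SLAs per evidence kind (the post gives no figures).
FRESHNESS_SLA = {
    "policy": timedelta(days=365),
    "implementation": timedelta(days=30),
    "effectiveness": timedelta(days=90),
    "approval": timedelta(days=365),
}


@dataclass(frozen=True)
class Evidence:
    measure: str        # Article 21(2) letter
    kind: str           # one of REQUIRED_KINDS
    collected_at: datetime
    artifact: bytes     # the artifact as collected (config export, test report, minutes)

    def digest(self) -> str:
        return hashlib.sha256(self.artifact).hexdigest()


def assess_pack(pack, baseline, now):
    """Return {measure: [findings]}; an empty list means the measure is review-ready.

    baseline maps (measure, "implementation") -> digest approved by the management body.
    Only the newest artifact of each kind per measure is considered.
    """
    newest = {m: {} for m in MEASURES}
    for ev in pack:
        if ev.measure not in newest:
            continue
        current = newest[ev.measure].get(ev.kind)
        if current is None or ev.collected_at > current.collected_at:
            newest[ev.measure][ev.kind] = ev

    report = {}
    for m in MEASURES:
        findings = []
        for kind in REQUIRED_KINDS:
            ev = newest[m].get(kind)
            if ev is None:
                findings.append(f"missing {kind} evidence")
                continue
            age = now - ev.collected_at
            if age > FRESHNESS_SLA[kind]:
                findings.append(f"{kind} evidence stale ({age.days}d > {FRESHNESS_SLA[kind].days}d SLA)")
            approved = baseline.get((m, kind))
            if kind == "implementation" and approved and ev.digest() != approved:
                findings.append("implementation artifact drifted from approved baseline")
        report[m] = findings
    return report


def ready_measures(report):
    """Measures with no findings, i.e. producible for supervision as they stand."""
    return sorted(m for m, findings in report.items() if not findings)


def _utc(y, mo, d):
    return datetime(y, mo, d, tzinfo=timezone.utc)


# Constructed pack: (b) is complete and fresh; (d) has a stale, drifted implementation
# artifact and no effectiveness evidence; (g) has policy and approval older than a year.
SAMPLE_PACK = [
    Evidence("b", "policy", _utc(2025, 6, 1), b"ir-policy-v3"),
    Evidence("b", "implementation", _utc(2026, 2, 1), b"ir-runbook-export-2026-02"),
    Evidence("b", "effectiveness", _utc(2025, 12, 15), b"tabletop-report-2025-12"),
    Evidence("b", "approval", _utc(2025, 6, 5), b"board-minutes-2025-06"),
    Evidence("d", "policy", _utc(2025, 9, 1), b"supplier-security-policy-v2"),
    Evidence("d", "implementation", _utc(2025, 11, 20), b"vendor-register-2025-11"),
    Evidence("d", "approval", _utc(2025, 9, 10), b"board-minutes-2025-09"),
    Evidence("g", "policy", _utc(2024, 12, 1), b"hygiene-policy-v1"),
    Evidence("g", "implementation", _utc(2026, 2, 5), b"training-lms-export-2026-02"),
    Evidence("g", "effectiveness", _utc(2026, 1, 20), b"phishing-sim-results-2026-01"),
    Evidence("g", "approval", _utc(2024, 12, 3), b"board-minutes-2024-12"),
]
BASELINE = {
    ("b", "implementation"): hashlib.sha256(b"ir-runbook-export-2026-02").hexdigest(),
    ("d", "implementation"): hashlib.sha256(b"vendor-register-2025-09").hexdigest(),
}
NOW = _utc(2026, 2, 10)

if __name__ == "__main__":
    for measure, findings in assess_pack(SAMPLE_PACK, BASELINE, NOW).items():
        print(f"21(2)({measure}) {MEASURES[measure]}: {findings or 'ready'}")
```

Drift is flagged only on implementation artifacts because that is the evidence most likely to change silently between board approval and a supervisory request; extending the baseline to other kinds is a one-line change to the condition.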

Incident readiness evidence. Documented, tested incident response procedures with evidence from tabletop exercises or simulations demonstrating that the organization can meet Article 23 timelines. The board should see the results of the most recent incident response test and any remediation actions taken.

Supply chain oversight evidence. Current vendor risk assessments for critical suppliers, contractual security requirements, and ongoing monitoring data. The board should see which critical vendors present elevated risk and what actions are being taken.

Management body engagement evidence. Training records, meeting minutes, and approval records demonstrating that the board is fulfilling its Article 20 responsibilities. This is the evidence stream most often neglected and most likely to create personal liability exposure for board members.

How FortisEU Supports NIS2 Enforcement Readiness

FortisEU maps the complete NIS2 framework to operational controls, generating continuous evidence for each Article 21(2) measure. The platform maintains a standing evidence pack that can be produced for supervisory review within hours rather than weeks, with evidence freshness tracking that ensures every artifact is current.

For boards, FortisEU provides an executive risk view that translates operational control data into board-grade metrics: control effectiveness trends, incident readiness status, supply chain risk posture, and management body compliance. The platform's compliance management connects regulatory requirements to operational evidence, eliminating the gap between documented program and demonstrated capability that supervisory reviews expose.

Key Takeaways

  • NIS2 enforcement in 2026 is active across multiple jurisdictions. NCAs are conducting entity registration verification, requesting Article 21 evidence, monitoring incident notification compliance, and inquiring about supply chain risk management and management body engagement.
  • Board questions have matured from "Are we in scope?" to "Can we produce evidence within 48 hours?", "Who is personally accountable?", and "What would a mock supervisory review reveal?" These questions reflect Article 20's management body accountability provisions.
  • Preparation for supervisory review is an operational readiness exercise, not a documentation exercise. Build a standing evidence pack, run mock reviews, test incident reporting capability, audit supply chain documentation, and verify management body engagement evidence.
  • Articles 32-34 grant broad powers over essential entities, including on-site inspections, security audits, and administrative fines of up to 10 million EUR or 2% of global turnover. Enforcement follows an incremental model, but NCA discretion allows aggressive action for egregious failures.
  • Board confidence comes from four continuous evidence streams: control effectiveness, incident readiness, supply chain oversight, and management body engagement. Weakness in any stream creates both supervisory risk and personal liability exposure for management body members.

Next Step

Turn guidance into evidence.

If procurement is involved, start with the Trust Center. If you want to see the product, create an account or launch a live demo.