New EU cybersecurity requirements are taking effect – but this is only the beginning

By Christian Grubb, Martin Schjøtz-Christensen

Finans

01 July 2025

Congratulations on the EU’s new cybersecurity law, NIS2, which just entered into force. Unfortunately, it’s already outdated.

1 July 2025 marks a key milestone for cybersecurity in Denmark. Today, the EU’s new rules – the NIS2 directive – officially take effect. That is cause for celebration. But it is also a moment to look ahead.

While we welcome NIS2 today, we must also acknowledge that it is unlikely to stand alone for long. Cybersecurity threats are constantly evolving, and technology is advancing faster than any legislation can keep pace with. This makes it all but inevitable that, before long, we will also be introducing a new wave of regulation: NIS3.

NIS2 significantly expands the scope compared to its predecessor – covering more sectors, more organisations, and introducing tougher requirements. This is necessary. But it is not sufficient. For every new security measure we implement, threat actors adapt in kind. And while we are still in the process of rolling out NIS2 – with some countries even falling behind schedule – experts are already highlighting the gaps.

Where NIS2 already falls short

One area where NIS2 is lacking is in its coverage of critical infrastructure based on operational technology (OT). There is still far too little concrete guidance and too few binding requirements. The directive is also still limited to medium-sized and large organisations, meaning many smaller – yet societally critical – actors fall outside the scope of the regulation.

Moreover, the legislation remains a directive, which means significant national differences in interpretation. This results in an uneven threat landscape and varying levels of security across the EU. Many experts are already arguing that the next step should be a regulation – ensuring a uniform set of rules across member states.

The European Commission is required to evaluate NIS2 by 2027 at the latest. But even now, before the ink is dry on national implementation, professionals and member states alike are discussing the need for a tightening of the rules. If there’s one lesson we’ve learned from NIS1 and NIS2, it’s that cybersecurity never stands still. The threats certainly don’t – and so the legislation cannot either.

So the question isn’t whether we’ll get NIS3. It’s when. And the most realistic answer is: soon. While it may feel overwhelming to already be talking about the next wave of regulation – before NIS2 has been fully implemented – it’s nonetheless necessary. Because NIS2, and the regulation that will soon follow, is not just about compliance. It’s about resilience. About business continuity. About national and societal security.

Three things to improve – starting now

There are three things that should be improved as soon as possible. First, it’s important to take NIS2 seriously, even if your organisation is not directly affected (yet). Many of the requirements will reach you indirectly – via supply chains, contracts, or customer demands.

Second, you should begin building structures and governance frameworks that can scale. Make it easy to expand your risk assessments and technical controls when – not if – the requirements are broadened.

Finally, cybersecurity must be treated as a strategic core function. NIS2 – and eventually NIS3 – are not isolated legal exercises. They are fundamental conditions for doing business in the 21st century.

Let’s welcome NIS2 today – but let’s do so with open eyes. The future is already approaching, and it most likely goes by the name of NIS3.

Read the original article in Finans in Danish here.
