NIS2 for the digital media sector: What is it and how can you prepare?

As a digital media company, you have undoubtedly heard a lot in recent months about NIS2, the new European cybersecurity legislation. Many media organisations are asking themselves the same question: “Does NIS2 apply to us?” The short answer is: yes, most likely it does.

The NIS2 Directive has a significantly broader scope than its predecessor. Digital service providers, online platforms and media organisations play an increasingly important role in the digital society and are therefore firmly in the focus of regulators.

For organisations responsible for continuity, compliance and digital services, NIS2 is not a topic that can be postponed. The European implementation deadline has passed, and the Netherlands is working on national implementation through the Cybersecurity Act. It is time to take action.

Why NIS2 also affects your media organisation

NIS2 significantly expands the scope of cybersecurity obligations. While the original NIS Directive mainly focused on traditional critical infrastructure, NIS2 now also covers:

  • digital service providers
  • online platforms
  • cloud and hosting environments
  • software and SaaS dependencies

This means that many digital media organisations, such as online news platforms, streaming services, content management systems and distribution platforms, may fall within the scope of NIS2.

The directive distinguishes between essential and important entities, based on size and impact. If your organisation:

  • has more than 50 employees, or
  • has an annual turnover and balance sheet total exceeding €10 million,
  • and provides digital services or infrastructure,

then there is a strong likelihood that you will be classified as an important entity under NIS2.

For medium-sized and larger media organisations, this means in practical terms that NIS2 is very likely to apply and brings binding obligations.

The main NIS2 obligations for media organisations

NIS2 is not a voluntary guideline. Non-compliance can lead to significant sanctions and board-level liability. The most important obligations include:

Risk management and cybersecurity measures

Organisations must be able to demonstrably control their digital risks. This includes:

  • conducting structural risk assessments
  • identifying vulnerabilities
  • implementing appropriate technical and organisational measures

Examples include multi-factor authentication, access control, encryption, monitoring, and timely system updates.

Incident reporting

In the event of a significant cyber incident, strict reporting obligations apply:

  • an initial notification within 24 hours
  • a follow-up report within 72 hours

This requires a well-designed incident response process that is not only documented, but also tested and exercised in practice.

Management responsibility

One of the key differences compared to earlier regulations is that senior management and the board are explicitly responsible. Cybersecurity is no longer purely an IT issue, but a strategic governance topic. Directors can be held personally liable in cases of negligence.

Supply chain security

Organisations are not only responsible for their own systems, but also for the risks within their supplier and partner ecosystem, including:

Incidents at suppliers can have a direct impact on your operations, service availability and regulatory compliance under NIS2.

Practical steps towards NIS2 compliance

1. Determine whether NIS2 applies to your organisation

Use a quick scan or decision tree (for example via the NCSC) and assess your organisation’s size, turnover and type of digital services.

2. Perform a NIS2 gap analysis

Identify where your organisation currently stands in relation to the NIS2 requirements. This forms the basis for prioritisation and implementation planning.

3. Establish structured risk management

Document risks, mitigating measures and responsibilities. Look beyond technology alone; processes and human behaviour are equally important.

4. Strengthen your incident response

Ensure clear procedures, defined responsibilities and regular testing. An incident response plan that is not exercised will not work in practice.

5. Secure your supplier chain

Map out critical dependencies. What happens if a supplier fails, goes bankrupt or discontinues its services?

By putting escrow arrangements in place with critical software and SaaS suppliers, you ensure continued access to source code, data and documentation. This provides demonstrable support for:

  • business continuity
  • supply chain security
  • exit and fallback scenarios

These are exactly the areas that NIS2 explicitly addresses.

6. Train employees and management

Awareness is essential. NIS2 requires involvement across the entire organisation, from IT teams to senior management.

7. Document and provide evidence

Compliance must be demonstrable. Document policies, risk assessments, training activities and incidents, and prepare for regulatory supervision and audits.

Time to take action

NIS2 implementation is not a sprint, but a structural, long-term process. Organisations that start now are not only working towards compliance, but also building resilience and trust. By taking the first steps today in gaining insight, planning effectively and implementing the right continuity measures, you demonstrate that your media organisation is prepared for the future: secure, resilient and reliable.

Would you like to learn how escrow solutions can support NIS2 compliance and risk management in the digital media sector? Feel free to contact Escrow4all or read more about digital escrow solutions for media organisations.
