One Discovery Blog

NIS2 and the Data Deluge

Written by Nick Pollard | May 12, 2025 3:22:23 AM

Regulators Expect You to Have Sorted This by Now

There’s a special kind of panic that sets in when you realise a regulation has already taken effect and you’re not quite sure if you’re compliant. 

Welcome to NIS2, the Network and Information Security Directive 2, which came into force in October 2024. If you’re in finance, healthcare, transport, energy, digital services, or any other critical sector, you should already be complying with it.

But let’s be honest. 

For many organisations, the reaction to NIS2 has been a mix of confusion, blind optimism, and a quiet hope that no one will check too closely. 

Unfortunately, that hope is fading fast. 

What NIS2 Actually Requires (And Why It’s a Headache) 

NIS2 isn’t just another cybersecurity box-ticking exercise. It forces organisations to: 

  • Know where their critical data is – And secure it properly.
  • Report cyber incidents within hours, not weeks – 24 to 72 hours, to be exact.
  • Prove their suppliers aren’t a security risk – If your third-party provider is compromised, so are you.
  • Hold senior execs accountable – Ignorance is no longer a defence. If it all goes wrong, someone at the top will have to explain why. 

Which is all well and good—if you actually know what’s in your data estate. 

If you don’t? Well, that’s where things get interesting. 

The Problem: You’re Hoarding Data, and Now You Have to Explain It  

A data lake sounds like a good idea. A vast, centralised repository where all your structured and unstructured data can live, ready to be analysed, searched, and used when needed. 

That was the theory. 

In reality? Most data lakes are now digital swamps—a chaotic mess of logs, emails, transactions, documents, customer records, and backups. 

We once spoke to a financial institution that estimated they had 70 petabytes of data. The key word here is estimated—because no one was entirely sure.

To put that in context: 

  • 1 petabyte = 500 billion pages of documents. 
  • 70 petabytes = Enough paperwork to fill Lake Michigan. 

And now, thanks to NIS2, regulators might ask you to find something in all of that. 

The Question No One Wants to Hear: "Can You Prove You’re Compliant?"  

NIS2 doesn’t care if you’re trying your best. It expects you to be able to: 

  • Locate specific data, quickly – No more “we’re looking into it” excuses. 
  • Report security incidents within 72 hours – If your data is a mess, how exactly do you detect a breach in time? 
  • Prove your suppliers are secure – If you don’t know where your data is, how do you know who has access to it? 

If you’re guessing at any of this, you’ve already got a problem. 

The Cost of Doing Nothing (or Hoping for the Best)  

The companies that ignored GDPR in 2018 got a very rude awakening when regulators started handing out fines. 

NIS2 will be no different. 

  • Fines of up to €10 million or 2% of global turnover – whichever is higher. 
  • Board-level accountability – No more hiding behind “technical teams”. Senior leadership is now personally responsible for compliance failures. 
  • Regulatory scrutiny & investigations – If an incident happens and you can’t explain what went wrong, expect a full-blown audit. 

In short: if you haven’t taken NIS2 seriously yet, you’re already running out of time.

The Solution: Get Control of Your Data Before Regulators Start Asking Awkward Questions 

If you’re still relying on manual data management, ad-hoc security policies, and blind optimism, you’re in trouble. 

The only way to handle NIS2 at scale is through: 

  • Automated Data Discovery & Classification – If you don’t know what’s in your estate, now’s the time to find out. 
  • Real-Time Risk Monitoring – Cybersecurity incidents don’t happen on a neat schedule. If your response time isn’t immediate, you’re already too slow. 
  • Supply Chain Security Auditing – You need to know that your vendors aren’t your biggest risk. 
  • Regulator-Ready Reporting – If an incident happens, you need to prove exactly what was impacted, how you responded, and what you’re doing to stop it happening again—within days, not months. 

This is not a future problem anymore. It’s a now problem. 

If reading this has made you realise your data estate is a giant, ungoverned mess, it might be time to take a look at Lightning IQ—because the only thing worse than being non-compliant is realising it when it’s too late to fix. 

Nick Pollard is a Managing Director (EMEA) for One Discovery. He is a seasoned leader with more than 20 years of experience working in real-time investigation, legal and compliance workflows across highly regulated environments like banking, energy and healthcare, as well as national security organizations. You can contact him at nick.pollard AT onediscovery.com