Enforcing EU’s NIS2 Directive: How It Strengthens Cybersecurity for Critical Sectors
NIS2’s Hidden Compliance Risk: How Undiscovered Shadow IT Accounts Are Exposing EU Businesses to Legal Liability
As the European Union’s NIS2 Directive fully takes effect across member states, a growing compliance gap is emerging in the form of shadow IT—unauthorized or undocumented technology systems used within organizations. Security experts warn that these hidden accounts and tools, often deployed by employees without IT oversight, are creating a liability trap for businesses required to meet NIS2’s strict cybersecurity and incident-reporting obligations. With enforcement mechanisms now active in several EU countries—including Germany, where the directive’s national implementation entered force in late 2025—companies risk fines, legal action against management, and reputational damage if they fail to detect and remediate these risks.
The problem stems from NIS2’s expanded scope, which now mandates cybersecurity measures for 15 critical sectors—ranging from energy and healthcare to digital services and public administration—rather than the seven sectors covered under its predecessor, NIS1. Under NIS2, organizations classified as essential or important operators must implement risk-management frameworks, report incidents within strict deadlines, and ensure their supply chains adhere to baseline security standards. Yet a recent analysis by German cybersecurity firm it-daily.net highlights that many companies remain unaware of shadow IT deployments—such as personal cloud storage, unsanctioned SaaS tools, or rogue accounts—until a breach or audit exposes them.
Why Shadow IT Poses a Direct Threat to NIS2 Compliance
Shadow IT poses a dual risk: it introduces vulnerabilities that could trigger a cyber incident under NIS2’s definition, and it undermines an organization’s ability to demonstrate compliance during regulatory audits. The directive’s reporting obligations require entities to disclose incidents within 24 to 72 hours, depending on severity, but undocumented systems may delay detection—or worse, allow attackers to exploit them without the IT team’s knowledge.
For example, an employee using an unapproved collaboration tool to share sensitive data could inadvertently create a compliance violation if that tool lacks encryption or fails to log access. Under NIS2, such an oversight could be interpreted as negligence, particularly if the organization cannot prove it conducted appropriate technical and organizational measures to prevent unauthorized systems. The directive explicitly states that management may face legal consequences for non-compliance, including criminal liability in cases of gross negligence.

Implementation Challenges Across the EU
While NIS2’s legal framework is now in place—with member states such as the Czech Republic having transposed the directive into national law by late 2025—its enforcement remains uneven. According to the European Commission, only 23 of the 27 EU member states had fully implemented NIS2 by April 2026, leaving a patchwork of standards and reporting requirements. This fragmentation complicates cross-border operations for multinational companies, which must navigate differing interpretations of what constitutes a cyber incident or a critical asset.
Germany, where the directive’s enforcement is among the strictest, has seen early cases where companies faced scrutiny for failing to detect shadow IT during internal audits. A spokesperson for the German Federal Office for Information Security (BSI) noted in a recent statement that many organizations underestimate the scale of their shadow IT footprint until it proves too late.
The BSI has begun issuing guidance on asset discovery tools and continuous monitoring to help entities comply with NIS2’s Article 21, which requires operators to maintain an up-to-date inventory of their IT systems.
Technical and Operational Solutions
To mitigate the risk, cybersecurity vendors and consultants recommend a combination of proactive measures:
- Automated discovery tools: Platforms that scan networks for unauthorized devices, accounts, or software—such as those from CrowdStrike, Microsoft Defender for Cloud, or Palo Alto Networks—are being deployed to close visibility gaps.
- Policy enforcement: Integrating allow-listing policies, where only pre-approved applications are permitted to run, reduces the risk of shadow IT proliferation.
- Employee training: NIS2’s Article 24 mandates cybersecurity awareness programs for staff, including guidance on recognizing and reporting unauthorized tool use.
- Third-party risk management: Extending supply chain security assessments to vendors and partners, as required by NIS2’s Article 4, helps identify external sources of shadow IT.
However, these solutions require significant investment in technology and personnel—a challenge for smaller organizations in sectors like waste management or postal services, which were newly included under NIS2. The directive’s proportionality principle allows for scaled compliance based on an entity’s size and risk profile, but experts warn that even minimal shadow IT could still trigger enforcement actions if it leads to a breach.

What’s Next for NIS2 Enforcement
Looking ahead, the European Commission has signaled that it will prioritize enforcement actions against systemic non-compliance in high-risk sectors. While no major fines have been publicly announced as of June 2026, industry observers expect the first high-profile cases to emerge in the latter half of the year, particularly in sectors with historically weak cybersecurity postures—such as healthcare or critical infrastructure.
For now, the key takeaway for EU businesses is clear: NIS2 compliance is not just about deploying security tools or drafting incident response plans. It demands full visibility over every IT asset, authorized or not. Organizations that fail to address shadow IT risk finding themselves in a liability trap—where undetected vulnerabilities become evidence of negligence under EU law.
As one cybersecurity attorney specializing in NIS2 put it: “Compliance is no longer about checking boxes. It’s about proving you’ve done everything humanly possible to see what you can’t see.”
