NIS2 Case Studies in the Belgian Medical Sector
2025 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
The recent NIS2 Directive raises cybersecurity expectations for essential and important companies within the European Union. However, empirical evidence on the implementation process of NIS2 in these companies remains scarce. This study addresses that gap by examining two Belgian medical-supply manufacturers through a mixed-methods case-study design.
First, each company completed a self-assessment from the CyFun framework, a framework created by the Centre of Cybersecurity Belgium. The assessments were performed by rating both documentation and implementation of NIS2-related security measures. The results of these assessments showed that the implementation scored significantly better than the documentation in both organisations.
Second, to contextualise these scores, seven stakeholders participated in semi-structured interviews. Thematic analysis revealed four dominant barriers: (1) unstructured security management, (2) awareness of the NIS2 directive, (3) lack of understanding of some parts of the directive, and (4) lack of resources, including financial, human, and knowledge-based resources. Collectively, these factors hinder systematic compliance with NIS2, despite the reasonable technical practices that are already implemented within these companies.
The findings suggest that policy makers and responsible parties should complement the existing regulations and guidance with scalable templates, funding incentives, and targeted training. This will further help resource-constrained businesses formalise their security governance in the best way possible. While the small sample limits generalisability, this work offers one of the first insights into the practical application of NIS2 in Belgian companies.
Place, publisher, year, edition, pages
2025. p. 47
Keywords [en]
NIS2 Directive, medical sector, cybersecurity, CyFun framework, case study, Belgium
National Category
Information Systems, Social aspects; Law; Business Administration
Identifiers
URN: urn:nbn:se:his:diva-25507; OAI: oai:DiVA.org:his-25507; DiVA, id: diva2:1984101
Subject / course
Information Technology
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Supervisors
Examiners
2025-07-14 2025-07-14 2025-09-29 Bibliographically approved