If your organization operates in Bosnia and Herzegovina, you’ve probably heard about the EU’s NIS2 Directive and thought: “That’s an EU regulation. It doesn’t apply to us.” For many Bosnian companies, that assumption could cost real business.
NIS2 is already reshaping how companies across Europe approach cybersecurity. And while Bosnia and Herzegovina isn’t an EU member state, the ripple effects of this regulation are very real — especially if your clients, partners, or suppliers operate in the EU. Here’s what you need to know and, more importantly, what you can do about it right now.
Quick Overview: What is NIS2?
The NIS2 Directive (Network and Information Security Directive 2) is the EU’s updated cybersecurity regulation, replacing the original NIS Directive from 2016. Its goal is straightforward: raise the baseline level of cybersecurity across all EU member states.
NIS2 covers 18 critical sectors — a significant expansion from the original directive. We’re talking about energy, transport, banking, healthcare, digital infrastructure, telecom, cloud providers, ICT service management, manufacturing, food production, chemicals, postal services, and more. It applies to medium-sized and large organizations (generally 50+ employees or €10 million+ annual turnover), though some sectors — particularly digital infrastructure — are covered regardless of size.
In short: a very large number of EU companies are now regulated under NIS2. If you work with EU clients, chances are good that at least some of them fall within its scope.
The requirements focus on several key areas:
- Risk management and security policies
- Incident detection, response, and reporting (with strict timelines: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours)
- Supply chain and third-party security
- Business continuity and crisis management
- Board-level accountability for cybersecurity
The enforcement is serious: fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities), and — this is new — personal accountability for senior management. Under NIS2, cybersecurity is no longer just an IT issue. It’s a boardroom responsibility.
All EU member states are required to transpose NIS2 into national law. Croatia and Slovenia have already done so. Germany finalized its implementation in late 2025, with full enforcement rolling out through 2026. The same applies across the EU — from Austria to the Netherlands. This means the companies you work with in these markets are already adapting to NIS2 requirements.
Why NIS2 Directly Affects Bosnian Companies
This is the part many organizations in Bosnia and Herzegovina — and across the Western Balkans — overlook, so it’s worth being very clear about it:
NIS2 requires EU-regulated companies to manage cybersecurity risk across their entire supply chain. Not just within their own organization — across every supplier, service provider, and business partner they work with, regardless of where those partners are located.
In practice, this means that if your company provides any kind of service or product to an EU client in a regulated sector, that client is now legally obligated to manage the cybersecurity risk that you, as a supplier, introduce. To do that, they will need to include specific security requirements in your contracts, assess your security posture, and potentially audit you. If they can’t demonstrate their supply chain is secure, they face the penalties.
You don’t need to be regulated by NIS2 to be affected by it. You just need to have EU clients who are.
Let’s make this concrete with a few examples of how NIS2 impacts typical Bosnian companies:
- A software development company in Sarajevo that builds and maintains applications for a German financial services firm. That German firm is now regulated under NIS2 and must ensure its IT suppliers have incident response procedures, access controls, and documented security policies in place.
- A BPO company in Banja Luka processing data for a Croatian insurance company. The Croatian insurer, now under NIS2 obligations, needs contractual guarantees about how that data is protected — and evidence to back it up.
- A manufacturing company in Zenica supplying components to a Slovenian energy company. Even though this isn’t an IT relationship, NIS2’s supply chain requirements extend to any supplier whose disruption could impact the regulated entity’s operations.
The same logic applies to companies in Serbia, Montenegro, and across the region. Anyone doing business with EU-regulated clients is in scope by extension.
What NIS2 Requires — and What ISO 27001 Already Covers
If your organization already has ISO 27001 certification, or is working toward it, you’re in a strong position. The overlap between NIS2 requirements and ISO 27001 controls is substantial.
| NIS2 Requirement | What ISO 27001 Already Provides | What You May Still Need |
|---|---|---|
| Risk management policies | Structured risk assessment and treatment process | Ensure scope explicitly covers ICT operational resilience |
| Incident handling and reporting | Defined incident management procedures | Formalize reporting timelines (24h early warning, 72h incident notification, final report within one month) aligned with EU client expectations |
| Supply chain security | Supplier assessment and monitoring controls | Strengthen contractual clauses with specific cybersecurity requirements your EU clients can reference |
| Business continuity | BCM planning and testing | Add scenario-based testing for ICT-specific disruptions |
| Governance and accountability | Management commitment and review | Document explicit board-level cybersecurity responsibilities |
| Training and awareness | Security awareness programs | Extend training to cover supply chain obligations and incident reporting procedures |
The bottom line: if you have a functioning ISMS built on ISO 27001, you’re not starting from zero. You’re adapting and extending what you already have. For organizations without ISO 27001, implementing it now gives you the most efficient, internationally recognized foundation that directly addresses what your EU partners will be asking for.
What Should You Do Right Now?
You don’t need to wait for a Bosnian NIS2 equivalent (though as an EU candidate country, something similar will likely come). The pressure is market-driven and it’s already here.
1. Understand your exposure. Map out which of your clients and partners operate in EU-regulated sectors. If you serve Croatian banks, German manufacturers, or Slovenian healthcare providers, you’re in scope by extension.
2. Review your contracts. Look at your existing agreements with EU clients. Are there cybersecurity clauses? Security assessment requirements? If not yet, expect them soon.
3. Assess your current security posture. If you have ISO 27001, review how well your ISMS covers the NIS2 areas outlined above. If you don’t, a gap analysis is the logical starting point.
4. Strengthen your incident response. NIS2’s strict reporting timelines will flow into supplier contracts. Make sure you can detect, respond to, and communicate about security incidents quickly and clearly.
5. Document everything. EU-regulated companies will need evidence that their supply chain is secure. Having well-documented policies, procedures, and audit results makes you an easy partner to work with — and a difficult one to replace.
Don’t Wait for the Regulation — Respond to the Market
The companies you work with are already adapting to NIS2. The question is whether you’ll be ready when they turn to their supply chain and start asking hard questions.
The good news: for organizations already following ISO 27001, the gap is manageable. For those just starting out, implementing ISO 27001 with NIS2 in mind means you build a security foundation ready for both today’s market demands and tomorrow’s regulatory landscape. If you’re interested in understanding how ISO 27001 aligns with other EU regulations, you may also find our post on ISO 27001 and DORA compliance useful.
At Consalta, we help organizations navigate exactly this kind of challenge — understanding where you stand today, identifying what needs to change, and building a practical path to compliance. If you’re unsure how NIS2 might affect your business relationships, feel free to contact us. No jargon, no pressure — just clarity on your next steps.