News Flash

NIS2, extra time until July 31st but only for a few: opportunity or boomerang?

 ACN's extension on NIS2 data update offers a competitive advantage to only some companies. Here's what's changing and how to take advantage of it.

The National Cyber Security Agency (ACN)

9 June 2025

Table of contents

  • Why ACN decided to give more time
  • Benefits for those who make good use of extra time
  • Final recommendations
  • Strategic vision: beyond compliance

Why ACN decided to give more time

The National Cyber Security Agency (ACN) has decided to extend the deadline for submitting information required by the NIS2 directive to July 31, 2025 , but only for organizations that have formally requested technical support .

A move that reflects institutional awareness of the difficulties that many companies, especially SMEs, are facing in adapting to a regulatory framework that is as ambitious as it is complex.

The sectors involved in the extension

The sectors affected by the measure are those with a high systemic impact . We are talking about:

  • Energy and utilities (electricity, gas, water)
  • Transport (air, rail and sea)
  • Digital healthcare
  • Banks and Finance
  • Digital infrastructure (cloud and data center)

All areas where a computer breach can turn into a national disaster .

What changes on an operational level

Those who fall under the extension have two more months to:

  • Strengthen governance
  • improve monitoring systems
  • train staff on incident management

But be careful: this window is not a break , but rather a chance to methodically accelerate and fill the most serious gaps.

Benefits for those who make good use of extra time

For virtuous companies, this extension means:

  • more time to invest in SIEM and threat intelligence technologies
  • targeted staff training
  • ability to set up true cyber resilience

An opportunity to transform regulatory obligation into competitive leverage .

But there is also a concrete risk

Those who see the extension as a pretext to postpone are at great risk. Cyber threats do not wait for bureaucratic deadlines and any delay can mean violations, sanctions and reputational damage .

How to get organized: a three-step strategy

  1. Assessment: Map gaps against NIS2 requirements.
  2. Planning: Create a concrete plan, with clear timeframes and budgets.
  3. Implementation: Gradually activate the most urgent countermeasures.

Where to invest now

Among the technological priorities:

  • SIEM Systems
  • Backup and disaster recovery solutions
  • Automation in security processes
  • Incident Response Plan with realistic scenarios

After July 31st: what to expect

Once the grace period expires, ACN will step up its controls . Companies that are prepared will be able to face inspections with confidence and leverage compliance to stand out .

Final recommendations

Every company should immediately activate a multidisciplinary NIS2 team , with cyber , legal and business continuity skills , in direct contact with top management.

Strategic vision: beyond compliance

Those who consider NIS2 compliance only as a duty risk missing its potential. Investing in cyber security today means reputation, trust and privileged access to new markets .

The ACN extension is an opportunity, but only for those who experience it as an accelerator of digital maturity . Otherwise, it will be a boomerang.

2
To top