Europe “Two-Speed”: Stoïk Warns of a Clash Due to NIS2 and Outlines 8 Cybersecurity Trends for 2026

The NIS2 Directive was created to raise the cybersecurity standards across the European Union, especially where a digital failure isn’t just a technical issue but a real risk to the economy and essential services. But as the “real” compliance phase approaches—with supervision, audits, and sanctions looming—an unintended side effect is starting to emerge within the sector: a Europe divided between those who can meet standards confidently and those who struggle to keep up.

This is precisely one of the main conclusions highlighted by insurtech Stoïk. Its Chief of Cybersecurity, Vincent Nguyen, warns of a compliance clash: on one side, critical sectors with strong financial resources and dedicated teams; on the other, suppliers, subcontractors, and small-to-medium enterprises (SMEs) pressed into a race to meet requirements they may not be able to satisfy at the same pace.

NIS2: More Than a Directive, a Culture Shift (and Budget Overhaul)

NIS2 strengthens the European cybersecurity framework for networks and systems, with a straightforward yet challenging goal: ensuring that vital services like energy, transportation, banking, and healthcare can continue functioning even under attack, with clear obligations for prevention, response, and reporting to authorities.

In practice, compliance goes beyond “having antivirus software” or a security provider: it demands risk management, organizational and technical measures, traceability, and, most importantly, the ability to demonstrate that necessary actions are being taken. The directive also introduces more demanding notification timelines: early alerts followed by detailed communications within a formal schedule.

This is where the friction point arises, as Stoïk emphasizes: compliance costs, and not just in technology. It involves executive time, consulting, processes, audits, and training. Nguyen also points to a direct consequence: many companies are redirecting investments toward certifications and compliance evidence, which may leave less room for other internal priorities like infrastructure modernization or digital transformation projects.

“Europe at Two Speeds”: The Risk of a Supply Chain Divide

Stoïk’s analysis relies on a stark reality: an organization’s cybersecurity no longer depends solely on what it does internally, but also on its ecosystem of third parties. A major player may have teams, SOCs, insurance, red teams, and continuity plans… but if a smaller supplier falls short of minimum standards, risk sneaks in through the back door.

In this context, “Europe at two speeds” is not just a social metaphor; it’s an operational scenario where regulatory requirements increase for everyone, but execution capacity varies. From a market perspective, this also introduces a competitive element: organizations that can demonstrate maturity and compliance win contracts, while those that can’t lose out.

Moreover, with the transposition deadline for NIS2 already passed within the EU, the regulatory environment is becoming more stringent: compliance is no longer a “future project”, but an immediate concern with accountability implications.

Eight Trends to Watch for 2026 According to Stoïk: From Ransomware to “360° Cybersecurity”

Against this backdrop, Nguyen shares eight trends that, in his view, will shape cybersecurity in 2026. These predictions blend technical threats, criminal behavioral shifts, and collateral effects stemming from the accelerated deployment of Artificial Intelligence.

1) NIS2 and the Compliance Clash: The Starting Point

The first trend is precisely the capability-based divide in compliance: critical sectors versus SMEs and resource-constrained providers. For Stoïk, this imbalance may turn regulation into a new market filter.

2) Ransomware as a “Silent Threat”

Nguyen describes ransomware as an increasingly stealthy threat that is harder to detect early. The core message: ransomware does not only encrypt data; it also infiltrates, waits, and strikes at the moments when pressure on the victim is highest.

3) The “CEO 2.0 Era”: AI-enabled Impersonations (Vishing and Deepfakes)

Generative AI has made previously artisanal techniques cheaper and scalable. Stoïk warns of rising impersonation attacks: voice cloning, video deepfakes, and vishing scams, particularly targeting executives and financially impactful operations.

4) Disinformation in European Election Campaigns

Nguyen predicts greater influence of disinformation in electoral contexts. The risk isn’t limited to viral falsehoods: it also encompasses content manipulation, fake evidence, and confusion campaigns meant to strain institutions and reputations.

5) Major Events in the Crosshairs: 2026 World Cup and Winter Olympics

Large sporting events concentrate audiences, transactions, and critical systems (ticket sales, access control, streaming, public Wi-Fi, logistics). Stoïk warns that this digital dependency can make them attractive targets for visibility and opportunity.

6) The Supply Chain, the “Weakest Link”

Nguyen highlights attacks targeting third parties and dependencies, including open-source libraries and browser extensions. The known issue: compromising a small, widely used component can have widespread impact.

7) “Mature” Cybercriminals

Stoïk describes an evolution in adversaries: a generation of actors testing technologies like AI, IoT, and automation, combining professionalism and pragmatism. Less noise, more business focus, increased specialization.

8) “360° Cybersecurity”: The New Paradigm in the AI Era

Nguyen concludes with a paradigm shift: security can no longer be siloed. This calls for an integrated cybersecurity approach, covering perimeter security, identity, data, third-party providers, AI models, internal flows, and coordinated incident response.

The Dilemma: Comply to Be Safer… or Just to “Pass the Audit”

Stoïk issues a caution: the industry risks turning NIS2 into a checklist exercise. Nevertheless, compliance has a virtue: it forces order. In a landscape where attacks are becoming increasingly automated, impersonal, and cost-effective, defenses require the opposite: discipline, processes, and swift response capabilities.

The lingering question for 2026 isn’t whether NIS2 “will work” in the abstract—it’s whether Europe will succeed in elevating actual security through compliance without cutting off a significant segment of the ecosystem, including many critical service providers.


FAQs

Which types of companies will face the greatest pressure from NIS2 in 2026?

Those involved in supply chains of regulated sectors (energy, transportation, healthcare, banking, digital infrastructure) that must demonstrate controls, processes, and incident notification capabilities.

Why does Stoïk describe a “Europe at two speeds” with NIS2?

Because not all companies have the same resources for compliance: large critical entities typically have budgets and dedicated teams, whereas many SMEs and providers face greater challenges.

What is the “CEO 2.0” threat that Stoïk warns about?

An environment where AI-driven frauds targeting executives—such as voice cloning (vishing) and deepfakes—are growing, potentially allowing attackers to authorize payments, change banking details, or manipulate internal decisions.

Why is the supply chain considered the “weakest link”?

Because an attacker can compromise a provider, an open-source library, or a browser extension—and escalate impact across multiple dependent organizations.
