Twenty-two of the European Union's twenty-seven member states have now transposed NIS2 into national law, and the first supervisory audits under the directive are underway in France, the Netherlands, and Germany. For Swiss holding companies with subsidiary operations in EU markets — a structural characteristic of virtually every Swiss bank, insurer, pharmaceutical group, and industrial conglomerate of material size — NIS2 is no longer a future compliance project. It is a current enforcement environment. The assumption that FINMA-aligned governance, ISO 27001 certification, or general information security maturity provides sufficient coverage for NIS2 obligations is incorrect, and it is being tested in supervisory interactions that produce binding remediation orders with defined timelines, not advisory recommendations. This article provides a practical guide to where Swiss-parented groups are most commonly falling short and what the NIS2 Article 21 requirements demand in practice.
Scope Determination — The First Question Swiss Groups Get Wrong
NIS2 applies to entities that operate in sectors listed in Annexes I and II of the directive — essential entities (Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and important entities (Annex II: postal services, waste management, chemicals, food, manufacturing, digital providers, research). The critical point for Swiss holding companies is that scope is determined at the EU subsidiary level, not at the group level. A Swiss parent company that operates a German banking subsidiary, a Dutch logistics entity, or a French healthcare services provider will have each subsidiary assessed independently for NIS2 classification based on the subsidiary's sector, size, and revenue.
Size thresholds matter: entities with more than 250 employees or more than €50M in turnover in Annex I sectors are classified as essential entities; entities with more than 50 employees or more than €10M in turnover in Annex II sectors are classified as important entities. Many Swiss corporate groups have EU subsidiaries that meet important entity thresholds without their security teams having identified this. The German registration failure rate — only approximately one-third of entities subject to mandatory registration had done so by the March 6, 2026 deadline — reflects widespread scope underidentification, not deliberate non-compliance. Swiss-parented groups should assume their EU subsidiaries include unidentified NIS2 scope entities until they have conducted a systematic mapping exercise.
What NIS2 Article 21 Actually Requires — Beyond Policy Documentation
NIS2 Article 21 requires covered entities to implement "appropriate and proportionate technical and organisational measures" across ten specific domains: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; network and information systems acquisition and development; effectiveness assessment of cybersecurity risk management measures; basic cyber hygiene practices and training; cryptography and encryption policies; human resources security; and multi-factor authentication and continuous authentication solutions.
The ten domains are not a checklist of policy documents. NIS2 supervisors — national competent authorities in each member state — assess whether the measures are implemented and effective, not whether policies exist. The German Federal Office for Information Security (BSI), the Dutch NCSC-NL, and the French ANSSI have each published supervisory guidance indicating that entities relying primarily on documented policies without evidence of operational implementation will receive remediation orders in their first assessment cycle. Swiss security teams that have exported their parent company's ISO 27001 policy framework to EU subsidiaries without verifying implementation at the operational level are at risk of exactly this outcome.
Supply chain security under Article 21(2)(d) is the requirement generating the most supervisory discussion. NIS2 requires entities to address cybersecurity risks in the supply chain — including relationships with direct suppliers and service providers. For EU subsidiaries of Swiss groups, this includes assessing the cybersecurity practices of the Swiss parent as a service provider: if the parent provides shared IT infrastructure, security operations, or enterprise applications to the EU subsidiary, the parent's security posture is in scope for the subsidiary's Article 21 supply chain assessment. Swiss groups that centralise IT in Switzerland and provide services to EU subsidiaries need to account for this dependency in their NIS2 compliance documentation.
Management Liability — A Different Accountability Framework
NIS2 introduces personal liability for senior management of covered entities that fail to implement required cybersecurity measures. Article 20 requires member states to ensure that the management body of covered entities approves cybersecurity risk management measures and oversees their implementation, and that management body members can be held personally liable for infringements. Several member states — Germany, the Netherlands, and France among them — have transposed this liability provision directly into national law, allowing national competent authorities to impose sanctions on individual board members and C-suite executives of entities that fail NIS2 audits.
This accountability framework is meaningfully different from the supervisory model Swiss executives are accustomed to under FINMA. FINMA enforcement actions targeting individual executives are possible but procedurally constrained and relatively rare. NIS2 supervisory mechanisms in Germany and the Netherlands operate faster, with lower procedural barriers to individual sanctions. Swiss executives serving on the boards of EU subsidiaries classified as essential entities need to understand that their personal liability exposure in those jurisdictions is now governed by NIS2 Article 20 — a materially different legal framework from the Swiss governance context they manage day-to-day.
◆ Key Takeaway
NIS2 enforcement is not coming — it has arrived. Swiss holding companies with EU subsidiaries in NIS2 scope need three things before the next supervisory assessment cycle: a completed scope mapping identifying every EU subsidiary that meets essential or important entity thresholds; an Article 21 gap assessment against operational implementation (not just policy existence); and board-level acknowledgement of personal management liability under Article 20 in the relevant member states.
DORA Overlap and Double Compliance for Swiss Financial Groups
Swiss banks and insurers with EU subsidiary operations face a specific complexity: their EU subsidiaries in financial services may be in scope for both NIS2 and DORA. DORA applies to financial entities — credit institutions, insurance and reinsurance undertakings, investment firms, and others listed in Article 2 — and its ICT risk management requirements cover substantially the same operational domains as NIS2 Article 21. EU legislators intended DORA to function as lex specialis for financial entities, meaning financial sector entities covered by DORA are generally exempt from NIS2's technical requirements. The exemption applies at the entity level: a bank subsidiary covered by DORA is not also subject to NIS2's Article 21 obligations for that entity's banking operations.
However, Swiss financial groups with diversified EU operations may have entities outside the DORA scope — technology subsidiaries, service companies, holding entities — that are separately in NIS2 scope. The compliance architecture for a Swiss financial group with EU operations therefore requires mapping not just NIS2 scope but the interaction between NIS2 and DORA scope across every EU subsidiary. Groups that have focused exclusively on DORA compliance for their financial entities may have NIS2-scope non-financial subsidiaries that have received no compliance attention.
- Conduct a complete NIS2 scope mapping of every EU subsidiary by sector and size threshold — do not assume that prior ISO 27001 certification or FINMA compliance governance has addressed this; it has not.
- For each identified NIS2-scope entity, conduct an Article 21 gap assessment against operational implementation: policies without operational evidence of deployment will not satisfy supervisory assessment in Germany, the Netherlands, or France.
- Address supply chain security documentation for any EU subsidiary that receives IT infrastructure, security services, or enterprise applications from the Swiss parent — the parent's security posture is in scope as a third-party provider.
- Ensure that EU subsidiary boards understand their personal liability exposure under Article 20 in the applicable member state's transposition; do not assume the FINMA enforcement model applies in EU jurisdictions.
- Register any essential or important entity in the relevant national registry by the applicable member-state deadline — Germany's deadline has passed with a roughly one-third compliance rate; France and other transposed jurisdictions have their own timelines. Late registration does not eliminate the compliance obligation but eliminates the option of arguing that the supervisory contact was unclear.
- For Swiss financial groups, map DORA and NIS2 scope interactions explicitly — identify which EU subsidiaries are covered by DORA (and therefore generally exempt from NIS2 Article 21) and which are in NIS2 scope without DORA coverage; do not assume the exemption applies by default without entity-level analysis.
- Build NIS2 incident reporting procedures at the EU subsidiary level — NIS2 requires significant incident notification within 24 hours and a full notification within 72 hours to the relevant national competent authority; this cannot be handled from Switzerland as a central function without a local point of contact and a rehearsed process.
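The scope-mapping exercise described in the scope determination section and the DORA/NIS2 interaction mapping in the checklist above can be run as a single pass over the group's entity register. The following is an added example, not code from the article or from any regulator: it applies the size thresholds and the DORA lex specialis exemption exactly as this article states them, and records the Swiss parent as a supply-chain dependency where it provides services to the subsidiary. The entity data, sector labels, DORA entity-type labels and function names are all constructed for this example; the directive's further classification rules beyond what the article states (for instance medium-sized Annex I entities or sector-specific designations) are deliberately not modelled, so treat the output as a first-pass screen to be confirmed by local counsel.

```python
"""NIS2 scope mapping across a Swiss group's EU subsidiaries (added example).

Thresholds and the DORA exemption follow the article's description; all
entity data below is constructed. Assumption: sector labels are plain
lowercase strings matching the Annex I / Annex II lists as the article
gives them. Rules the article does not state are not modelled.
"""
from dataclasses import dataclass, field
from typing import Optional

# Annex I (essential-entity sectors) and Annex II (important-entity sectors)
# as listed in the article. Labels are this example's own convention.
ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "health", "drinking water", "wastewater", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal services", "waste management", "chemicals", "food",
            "manufacturing", "digital providers", "research"}

# DORA Article 2 financial-entity types the article names (constructed labels).
DORA_ENTITY_TYPES = {"credit institution", "insurance undertaking",
                     "reinsurance undertaking", "investment firm"}


@dataclass
class Subsidiary:
    name: str
    member_state: str
    sector: str
    employees: int
    turnover_meur: float                      # annual turnover in EUR millions
    dora_entity_type: Optional[str] = None    # None = not a DORA financial entity
    services_from_swiss_parent: list = field(default_factory=list)


@dataclass
class ScopeResult:
    name: str
    nis2_class: str            # "essential", "important" or "out of scope"
    dora_exempt: bool          # DORA displaces Article 21 for this entity
    parent_in_supply_chain: bool
    actions: list


def classify_nis2(sub: Subsidiary) -> str:
    """Apply the size thresholds exactly as the article states them."""
    sector = sub.sector.lower()
    if sector in ANNEX_I and (sub.employees > 250 or sub.turnover_meur > 50):
        return "essential"
    if sector in ANNEX_II and (sub.employees > 50 or sub.turnover_meur > 10):
        return "important"
    return "out of scope"


def assess(sub: Subsidiary) -> ScopeResult:
    """Classify one subsidiary and derive the checklist actions it triggers."""
    nis2_class = classify_nis2(sub)
    in_scope = nis2_class != "out of scope"
    dora_exempt = in_scope and sub.dora_entity_type in DORA_ENTITY_TYPES
    parent_dep = bool(sub.services_from_swiss_parent)
    actions = []
    if in_scope and not dora_exempt:
        actions.append(f"register as {nis2_class} entity in {sub.member_state}")
        actions.append("Article 21 gap assessment against operational evidence")
        actions.append("Article 20 board liability briefing")
        actions.append("local contact and rehearsed 24h/72h incident reporting")
        if parent_dep:
            actions.append("Article 21(2)(d) supply chain assessment of Swiss parent: "
                           + ", ".join(sub.services_from_swiss_parent))
    elif dora_exempt:
        actions.append("DORA ICT risk framework applies; document NIS2 exemption basis")
    return ScopeResult(sub.name, nis2_class, dora_exempt, parent_dep, actions)


def map_group(subs):
    """Return a ScopeResult for every subsidiary in the register."""
    return [assess(s) for s in subs]


def count_by_class(results):
    """Summary counts per NIS2 class, useful for the board-level overview."""
    counts = {"essential": 0, "important": 0, "out of scope": 0}
    for r in results:
        counts[r.nis2_class] += 1
    return counts


# Constructed sample register: names, figures and member states are made up.
SAMPLE_GROUP = [
    Subsidiary("Helvetia Bank DE", "DE", "banking", 1200, 400.0,
               "credit institution", ["SOC", "IAM"]),
    Subsidiary("Helvetia Logistics NL", "NL", "transport", 310, 80.0,
               None, ["ERP hosting"]),
    Subsidiary("Helvetia Chem FR", "FR", "chemicals", 70, 8.0, None, []),
    Subsidiary("Helvetia Tech Services IE", "IE", "ict service management",
               40, 6.0, None, ["SOC"]),
    Subsidiary("Helvetia Holding LU", "LU", "holding", 5, 0.5, None, []),
]

if __name__ == "__main__":
    for result in map_group(SAMPLE_GROUP):
        print(f"{result.name}: {result.nis2_class}"
              f"{' (DORA exempt)' if result.dora_exempt else ''}")
        for action in result.actions:
            print(f"  - {action}")
    print(count_by_class(map_group(SAMPLE_GROUP)))
```

In the sample register the German bank is classified essential by size but flagged as DORA-exempt, the Dutch transport entity is essential with the Swiss parent's ERP hosting recorded as an Article 21(2)(d) dependency, and the French chemicals entity is important on headcount alone despite turnover below the €10M line; the Irish service company and the Luxembourg holding fall outside the thresholds as the article states them. The useful output is not the classification itself but the per-entity action list, which is what a group security team hands to each subsidiary's local management.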
NIS2 enforcement in 2026 is producing a clearer picture of what "compliance" means in practice: not the possession of security policies, but the demonstrated implementation of security measures at an operational level, overseen by management that is personally accountable for the outcome. Swiss holding companies that have treated NIS2 as a documentation exercise at their EU subsidiaries are moving toward their first supervisory assessment cycle with a gap that remediation orders will make explicit and timelines will make urgent. The organisations that identify and close that gap before supervisory contact are in a materially better position — legally, reputationally, and operationally — than those that encounter it for the first time in an assessment.