For a long time, cybersecurity remained a secondary topic in investment decisions. In fundraising rounds, attention was primarily focused on growth, market potential, or the strength of the management team. Cyber risk, if mentioned at all, was often relegated to a brief IT review.
That approach is no longer viable.
With the implementation of the European NIS2 Directive, cybersecurity has evolved into a strategic dimension that investors can no longer ignore. This shift is driven by both an expanded regulatory scope and the increasing frequency and impact of cyberattacks — factors that make cyber risk a business, governance, and financial issue rather than merely a technical one.
The NIS2 Directive significantly broadens the number of companies subject to enhanced cybersecurity requirements. In France alone, it is estimated that 15,000 to 18,000 organizations now fall under its scope — compared with around 500 under the previous NIS1 regime.
To tailor expectations appropriately, NIS2 distinguishes between two main categories of entities:
Essential Entities
Organizations whose operations are critical to the economy and society — such as energy, transportation, healthcare, and key digital infrastructure — and whose disruption would have broad consequences.
Important Entities
Organizations that play a strategic role, including many SMEs, mid-sized industrial firms, digital service providers, and fast-growing tech companies. Although not critical in the strict sense, their disruption could still have significant ripple effects.
Compliance is mandatory for both categories, with varying levels of oversight.
A major innovation of NIS2 is the personal accountability of senior management. Leaders are now directly responsible for implementing and overseeing cybersecurity measures. This elevates cybersecurity from a technical concern to a core governance issue.
Under NIS2, organizations must:
Establish risk management processes led from the top;
Report significant incidents to national authorities within tight deadlines;
Ensure business continuity and secure communication channels;
Strengthen digital supply chain security;
Provide targeted cybersecurity training for executives.
Today’s investors — whether private equity, venture capital, or strategic acquirers — face a new reality:
an organization that is not NIS2-compliant represents a measurable financial risk, which can directly affect investment outcomes.
This risk may materialize as:
Regulatory penalties: Fines can reach up to €10 million or 2% of global turnover for critical entities;
Post-acquisition compliance costs: Delayed remediation can require substantial unexpected investment;
Operational and reputational damage: A successful attack may disrupt operations for weeks.
Consequently, cyber due diligence has become as essential as financial or legal due diligence in investment processes.

Investors conducting cyber due diligence should assess:
Regulatory status — Is the target subject to NIS2, and what is its compliance level?
Technical controls — Security infrastructure including firewalls, multi-factor authentication, detection capabilities, and backup strategies.
Cyber governance — Policies, executive involvement, presence of security leadership, and training.
Supply chain risk — Security posture of critical IT vendors and partners.
Incident history — Frequency and severity of past security breaches.
Remediation costs — Estimated investment needed to achieve compliance.
Engaging cybersecurity specialists for in-depth audits and penetration tests is recommended.
Recent figures make the landscape clear: cybersecurity incidents are rising sharply, and their consequences are increasingly severe. In France, the number of reported security events has grown year over year, reflecting a systemic vulnerability that investors must integrate into their risk models.
Supply chain compromises — where a vendor’s breach impacts its clients — further emphasize the need for broad and systemic risk evaluation.
Forward-thinking investors no longer view NIS2 as merely a regulatory burden. Instead, they see it as a mechanism to differentiate good risks from poorly prepared ones.
Companies that exceed baseline compliance may benefit through:
Lower risk premiums in cyber insurance coverage;
Better positioning in B2B contracts, where cybersecurity credentials are increasingly decisive;
Higher valuation multiples, justified by demonstrable risk management and growth resilience.
This shift unlocks new investment opportunities in cybersecurity solutions, advisory services, and compliant SaaS platforms.
The arrival of NIS2 has transformed the cyber risk landscape for investors. In a context where cyber threats are ubiquitous and leadership accountability is unambiguous, disregarding cybersecurity due diligence is no longer defensible.
Sophisticated investors now weigh cyber risk with the same rigor as financial or operational risk. Beyond compliance, cyber resilience is emerging as a clear value driver — one that signals strong governance and future readiness.
For companies that embrace this shift, cybersecurity becomes more than a cost of doing business: it becomes a strategic advantage that attracts capital and strengthens long-term performance.
Advisor and Consultant to business leaders - Founder of GOWeeZ!
For years, cybersecurity remained a secondary concern in investment decisions. During fundraising rounds, the focus was primarily on growth, market potential, and leadership teams. Since the implementation of the NIS2 Directive, this approach is no longer sustainable. Cybersecurity has become a strategic issue for investors, directly impacting governance, risk management, and long-term value creation. Ignoring cyber risk today means accepting an uncertainty that investors can no longer justify.
Fabrice Clément