NIS2: Advancing cybersecurity

Transforming compliance into cyber advantage

NIS2 (Network and Information Security Directive)

The NIS2 Directive is an EU law setting strict cybersecurity standards for organizations deemed essential or important, aiming to protect networks and boost resilience across member states.
Kyndryl’s status as an essential entity means customers benefit from partnering with a provider that is itself already subject to comparable regulatory expectations. This reduces duplication of effort and can ease aspects of their own compliance activities.
 
Why it matters

Key principles

NIS2 replaces the more limited 2016 NIS Directive (NIS1), significantly broadening its scope to include additional sectors and entities and introducing stricter requirements that reflect the evolving cybersecurity landscape. NIS2 is supported by the NIS2 Implementing Regulation, applicable European Union Agency for Cybersecurity (ENISA) Guidelines, and national legislation transposing NIS2 into the laws of individual EU member states.
01. Information Sharing: NIS2 establishes mechanisms for information exchange between EU institutions and national regulatory authorities to strengthen collective cybersecurity.
02. Registration and Risk Management Measures: Entities classified as “essential” or “important” in designated sectors must register with the relevant authorities and implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks effectively.
03. Incident Reporting: Important and essential entities are required to report any “significant incidents” to the relevant authorities within strict timelines to ensure timely response and mitigation. This includes reporting within 24 hours of initial identification, an interim report within 72 hours, and a final post-incident report within one month.

How Kyndryl adheres to NIS2

Kyndryl is committed to maintaining full compliance with its regulatory obligations and oversight as an “essential” entity. To support this, we have established the Kyndryl Europe Regulatory Team (ERT), which oversees adherence to the regulatory oversight frameworks DORA, NIS2, and their UK equivalents, including the forthcoming UK Critical Third-Party Regime under FSMA and the Cyber Security and Resilience Bill.

The ERT manages Kyndryl’s engagement with the regulatory authorities that enforce these frameworks and provides guidance to our account teams on related matters. The ERT includes professionals from diverse disciplines, including legal, cybersecurity, and audit.

Kyndryl’s NIS2 strategy is built on two foundational pillars that guide our approach to cybersecurity and regulatory compliance:

Technical and Organizational Controls

Focuses on implementing robust technical, operational and organizational measures designed to keep pace with ongoing changes in technology standards and cybersecurity threats. These controls apply to shared infrastructure managed by Kyndryl for multiple customers and serve as a baseline for dedicated environments designed for individual customers or defined groups, subject to their design authority. We leverage the Unified Controls Framework (UCF) and other applicable industry standards to identify and implement these controls effectively.

Global Policies and Internal Standards

Areas not governed by these controls are addressed through global policies and the Kyndryl Internal Cybersecurity Standard (KICS). KICS applies across Kyndryl’s internal infrastructure and environment, ensuring comprehensive coverage and alignment with internal cybersecurity expectations.

Beyond these pillars, we continue to strengthen our risk and supply chain management, enhance business continuity and recovery planning, clarify governance roles and responsibilities, and continuously improve incident reporting and resolution processes, with senior cybersecurity leadership actively engaged across functions.

This integrated approach reinforces and expands Kyndryl's compliance capabilities, ensuring readiness and resilience in meeting current and future regulatory expectations.

Registration

Kyndryl operates in multiple EU member states and relies on the “main establishment” provisions of NIS2 for registering as an “essential” entity in the EU member state where we maintain a substantial cybersecurity footprint.

Risk management measures

Kyndryl maintains a comprehensive global framework of regulatory governance and internal controls that are continuously reviewed and updated as needed.

Incident reporting

Kyndryl operates robust CSIRT teams supporting both enterprise and customer environments, with enhanced incident response and reporting processes aligned to NIS2 timelines and regulatory expectations. Kyndryl also maintains a dedicated team for managing operational incidents, recognizing that significant incidents under NIS2 are not limited to cybersecurity events and can equally arise from operational issues, such as service outages or service unavailability.

How Kyndryl supports customer compliance

Kyndryl’s assessment of NIS2’s impacts across our EU subsidiaries and global infrastructure delivery centers means that customers benefit from a provider ready to assist them with the cybersecurity and resiliency requirements imposed upon them by NIS2, helping to reduce their overall compliance effort.

We work closely with our customers to translate their regulatory requirements into tailored technical specifications. Where necessary, this includes updates to our contracts, service scope, enterprise processes, and procedures while minimizing both operational and commercial impact for all parties involved.

Kyndryl services

Governance, risk and compliance

Kyndryl’s integrated, insight-driven frameworks help organizations align with evolving regulations, reduce risk, and strengthen operational resilience.

Cyber risk and regulation readiness

Our decades of experience modernizing and managing the world's mission-critical systems can help you meet and exceed compliance requirements and protect your mission-critical systems.
