Cybersecurity has shifted from being a technical issue to a strategic concern that boards and regulators can no longer ignore. The European Union’s revised Network and Information Security Directive (NIS2) and the UK’s forthcoming Cyber Security and Resilience Bill are raising expectations for thousands of organisations. These regulatory shifts come as state-sponsored cyberattacks, particularly from Russia and Iran, grow in frequency and sophistication, targeting Europe’s infrastructure, healthcare systems and supply chains.

For consulting firms, this convergence of regulatory change and geopolitical instability represents both a challenge and a significant advisory opportunity.

NIS2 marks a major step up from its predecessor, applying to more than 300,000 organisations across a wide range of sectors. It demands stricter risk management, tougher incident reporting, stronger supply chain controls and greater accountability at board level. The European Commission has made clear that the purpose of NIS2 is not only to improve compliance and reporting but to embed resilience as a cultural and strategic priority across European businesses. Implementation, however, remains uneven. Some member states have adopted prescriptive measures such as independent audits, while others have taken a lighter touch. This creates a fragmented landscape that complicates compliance for multinationals and increases the need for external advisory support.

The UK, no longer bound by EU law, has chosen a different path. Its Cyber Security and Resilience Bill mirrors the ambition of NIS2 but reflects a distinct regulatory philosophy. Whereas the EU has opted for a highly prescriptive, rules-based system with harmonised obligations across governance, supply chain security and incident response, the UK favours a more principles-based regime. Its approach is designed to be flexible and adaptive, allowing requirements to be tailored by sector rather than imposed in a uniform way. For businesses with operations in both jurisdictions, this divergence introduces complexity. In Europe they must conform to detailed rules enforced at member state level, while in the UK they are required to demonstrate resilience but have greater discretion in how they achieve it.

Geopolitics explains much of the urgency behind these reforms. Both Russia and Iran have been linked to disruptive cyber campaigns against European targets. These attacks are no longer simply about stealing data but about causing widespread disruption, undermining critical services and eroding public trust. NIS2 and the UK Bill are designed to address this evolving threat environment, placing as much emphasis on resilience and continuity as on prevention.

For consulting firms, the implications are strategic rather than technical. Advising on compliance checklists is only part of the story. The real value lies in helping organisations integrate cyber resilience into governance, culture and enterprise risk management. This includes engaging boards in treating resilience as a strategic priority, aligning operations and supply chains with regulatory expectations, and preparing organisations to respond effectively when incidents occur.

The market impact is already visible. In mergers and acquisitions, cyber resilience is now a factor in due diligence. Supply chain contracts increasingly contain mandatory provisions on resilience. Boards are seeking external assurance that cyber risks are being addressed at the highest level. Consulting firms that can provide this expertise will strengthen their role as trusted partners and expand their influence beyond compliance into broader organisational transformation.

Cyber resilience is fast becoming a licence to operate. Regulators are demanding more, adversaries are becoming more aggressive, and boards want credible assurance that their organisations are prepared. For consulting leaders, the imperative is clear: use NIS2 and the UK’s parallel reforms not only as a compliance requirement but as a platform to build lasting resilience and competitive advantage for clients. Those who succeed will protect clients from regulatory and reputational risk while helping them thrive in an increasingly volatile environment.


Written by Benjamin Mandell
