👤 AUDITWOLF
🗓️ 04 Jan 2026   🌍 Europe

Immediate Threat or Gradual Shift? The Hidden Impact of Regulation 2690 on Europe’s Cybersecurity Landscape

Subtitle: As organizations scramble to meet NIS2 requirements, Regulation 2690 quietly imposes stricter controls - much sooner than most realize.

October 2026 is circled in red on the calendars of European IT and compliance teams. For months, all eyes have been on the NIS2 directive’s “basic measures” deadline. But a closer look reveals a less-publicized, more immediate challenge: Regulation (EU) 2690/2024 is not waiting for anyone. It’s already in force, reshaping the compliance landscape and exposing a dangerous misunderstanding that could leave even the best-prepared organizations scrambling.

Regulation 2690: The Unseen Deadline

The cybersecurity community has been laser-focused on the NIS2 directive, which sets out “basic measures” for critical infrastructure and essential service providers. The assumption? That compliance with these basics would buy time before stricter rules kicked in. However, Milena Rizzi, chief at Italy’s National Cybersecurity Agency (ACN), delivered a blunt wake-up call: Regulation 2690 isn’t a future threat - it’s the new normal, effective immediately.

The confusion is understandable. NIS2’s implementation timeline stretches to October 2026, but Regulation 2690’s requirements - incident reporting, real-time monitoring, patch management, and structured risk governance - are already enforceable. For “essential” organizations, this means operating under two overlapping rulebooks, with the more demanding one already in play.

Basic Measures: Your Only Safe Harbor

ACN’s strategy is pragmatic: treat NIS2’s basic measures as a foundation, not a finish line. By methodically implementing these steps between now and October 2026, organizations build the infrastructure needed for the advanced, ongoing obligations of 2690. Skipping or delaying basic compliance isn’t just risky - it’s a recipe for disaster once inspections and enforcement ramp up.

Rizzi is clear: the transition period is for adaptation, not avoidance. Authorities may show leniency to organizations genuinely progressing toward compliance, but those who procrastinate will face a daunting catch-up and potential penalties. For ICT providers within corporate groups, the message is even starker: if you qualify as “essential,” you must comply with both sets of rules - immediately.

The Real Risk: Waiting Too Long

The timeline is unforgiving. Organizations that start implementing basic measures early can gradually layer on the advanced controls of 2690. Those who stall until late 2026 will face a compressed, high-stakes scramble - at the very moment regulators are poised to shift from support to enforcement. The lesson: the path to compliance is a marathon, not a sprint, and the clock is already ticking.

Conclusion: Regulation 2690 Is Not the Enemy - But It Won't Wait

The specter of Regulation 2690 is not a distant threat - it is the new horizon. NIS2’s basic measures are not a shield, but a bridge to a more demanding regulatory regime. The organizations that embrace this reality now will not only avoid last-minute chaos, but will also be better equipped to withstand tomorrow’s cyber threats - and tomorrow’s inspectors.

WIKICROOK

  • NIS2 Directive: The NIS2 Directive is an EU law requiring critical sectors and their suppliers to strengthen cybersecurity and report serious cyber incidents.
  • Regulation 2690/2024: Regulation 2690/2024 is an EU law that sets strict, immediately applicable cybersecurity requirements for organizations to strengthen digital security and incident response.
  • Incident Notification: Incident notification is the mandatory reporting of major cybersecurity breaches to authorities within a set period, ensuring compliance and enabling prompt response.
  • Continuous Monitoring: Continuous Monitoring is the ongoing surveillance of systems to quickly detect and respond to emerging security risks or unauthorized changes.
  • Essential Entity: An Essential Entity is a critical organization required to follow strict cybersecurity regulations to ensure the protection and continuity of vital societal functions.