"Regulations can be a tailwind": Dynatrace on NIS2 and complexity beyond human control
"It is not possible to provide the level of detail and accuracy required through manual processes."

It’s hard to imagine any business welcoming the arrival of yet more EU rules. From the AI Act to DORA, Eurocrats have battered companies with wave after wave of regulation in recent years and don't appear to be slowing down.
But what if new rules can actually be an opportunity to drive better outcomes and a welcome nudge to embed best practices at the very heart of an organisation?
The Network and Information Security Directive 2 (NIS2) is a pivotal regulatory shift for cybersecurity that expands compliance requirements, enforces stricter security measures, and increases accountability for resilience. It broadens the scope to include more sectors, mandates faster incident reporting, and introduces significant penalties for non-compliance.
NIS2 aims to enhance cybersecurity across the European Union but is having a global impact, just like the GDPR and other regulations dreamed up in Brussels whose reach extended well beyond the bloc.
The Directive came into force on January 16, 2023, and individual states had until October 17, 2024, to transpose it into national law. However, many organisations are still struggling to meet the requirements, with as many as two-thirds of businesses reporting that they did not expect to meet the October deadline. When this cut-off point passed, just two nations had fully transposed the directive into national law.
Key dates approaching include April 17, 2025, by which member states must submit lists of essential and important entities to the European Commission, and October 17, 2027, when the Commission will review the directive’s implementation and effectiveness.
Compliance is still far from a done deal for many businesses. To help organisations prepare for what’s ahead and understand both the benefits and risks of NIS2, Machine spoke to Bob Wambach, Vice President, Portfolio and Strategy, at the observability platform provider Dynatrace.

Why should businesses know about NIS2?
"The first point to note is that there will be legal weight behind it. Businesses now have a responsibility not just to audit things after the fact but to act within very strict time limits. This needs to be done within 48 hours. This means you can’t rely on people digging through separate systems after incidents to understand what happened, when it happened, and the extent of the potential damages. Organisations need all of their information about how things are connected and what the downstream impact may be in one place.
"This relies on the convergence of monitoring and security protection so that you can provide notification and forensics very quickly. However leaders have been doing things until now, they need to reevaluate and ask: 'Am I going to be able to respond in a timely manner?' Because this is more than just reputational or brand damage or even potential lost revenue.
"If you suffered a breach and can’t explain why it happened or who’s impacted, then everybody is left wondering: ‘Am I affected?’ People will lose confidence in your business.
"That already applies to all companies, but now there’s also the weight of punitive damages and potential penalties behind it if they do not adhere to these requirements."
Is NIS2 having a global effect?
"This is an EU requirement, but it’s also a reflection of the direction the industry is moving in. So the first realisation is that you can’t just say: ‘Oh, I’ll provide this information as soon as I can.’ No. There are actual time frames, and they’re tight.
"I would also say this isn’t just about what you traditionally consider your scope. The breadth of these requirements has expanded. They apply to a broader set of companies, including the supply chain. You need to know where things are coming from upstream and where they’re going downstream. It’s about understanding how your business operates on a deeper level - sometimes beyond what people themselves may even be aware of.
"You need software that understands more about your supply chain so you can meet these expanded requirements. And by software systems, I don’t just mean your applications - I mean all your databases. What data do you have? What personal information do you hold? How is it protected? Sensitive information comes from many places, and it can leak in many ways. You need to understand those risks as well."
How are businesses in the US and other territories feeling about yet another piece of EU regulation with a global impact?
"In my view, this is simply a business reality. Companies would benefit from NIS2 by thinking of this in terms of benefits.
"Is it good for business if you are aware that you’ve suffered a cybersecurity attack? Is it good for business if, when an attack is successful, you understand the extent of it and know how to recover? The answer to all of these is, of course, yes. It is clearly good for business if you can do these things.
"I think there is a discussion around whether governments have the right to force companies to do what is good for business. In the case of protecting citizens, the answer is yes.
"We already have all kinds of regulations designed to protect citizens’ rights. When you think about how much of our lives are now conducted through online commerce - insurance, grocery shopping, banking, stock trading - there is a huge amount of personal information at risk. If bad actors gain access to this data, identities can be stolen, and people can be financially wiped out. This is a real threat, and governments have a responsibility to ensure that companies take appropriate precautions to protect that information.
"If those protections fail, companies need to understand what happened, why it happened, who needs to be notified, and how to mitigate the damage. Businesses may not like being told what to do - just as no one likes paying taxes. But taxes exist because they contribute to the well-being of society.
"Similarly, companies may not want to be required to invest in cybersecurity protection and reporting, but having a standard that ensures a certain level of protection and transparency benefits everyone. If something happens, businesses must be accountable, notify the right people, and not try to bury or hide the incident."
What advice are you giving customers about NIS2?
"The first point is recognising that it is not humanly possible to provide the level of detail and accuracy required through manual processes. You will always need real-time data about your security posture, and that data must be in the system. It also needs to be end-to-end. From our perspective, our advice is to converge your security information with your observability data and automate as much as possible.
"You need automated runtime vulnerability analysis, protection, and remediation. The faster you mitigate an incident, the less damage it causes.
"We believe in a secure-by-default mindset, where security is a fundamental part of your overall monitoring and observability strategy. IT operations, security teams, and development teams all need to work together. The goal is to shift security and quality testing as far left as possible - catching vulnerabilities during development rather than waiting until code is in production. Instead of releasing code and then analysing its security, you want to identify and fix vulnerabilities before they ever make it into the wild."
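Two of the points above lend themselves to a concrete illustration: the first answer's demand for "all of their information about how things are connected and what the downstream impact may be in one place" so that an incident can be explained within the time limit, and the advice here to converge security information with observability data. The script below is an added example written for this article; it is not Dynatrace code and does not use the Dynatrace platform. It assumes a hypothetical service dependency map, a constructed security alert and constructed observability log lines, and it uses the 48-hour figure cited in the interview as a parameter. Given an alert on one component, it computes the blast radius (every service that transitively depends on the affected component), joins the alert with the log lines from those services in the window after the alert into a single timeline, and derives the reporting deadline from the alert time.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed dependency map: each service -> the services it calls.
# Service names are hypothetical and are not taken from the article.
DEPENDENCIES = {
    "web-frontend": ["checkout-api", "catalog-api"],
    "checkout-api": ["payments-db", "orders-db", "fraud-service"],
    "fraud-service": ["payments-db"],
    "catalog-api": ["catalog-db"],
}

# Constructed security alert, shaped like a runtime detector's output.
ALERT = {
    "ts": "2025-03-01T09:14:02",
    "service": "payments-db",
    "detail": "anomalous bulk read by application role",
}

# Constructed observability log lines: (timestamp, service, message).
LOGS = [
    ("2025-03-01T09:10:40", "catalog-api", "cache refresh ok"),
    ("2025-03-01T09:13:55", "checkout-api", "deploy 4.2.1 started"),
    ("2025-03-01T09:14:30", "fraud-service", "query latency p99 2.4s"),
    ("2025-03-01T09:15:02", "checkout-api", "5xx rate 12%"),
    ("2025-03-01T09:16:10", "web-frontend", "checkout errors shown to users"),
    ("2025-03-01T11:00:00", "checkout-api", "5xx rate 0.1%"),
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def reverse_graph(deps):
    """Invert caller -> callees into callee -> callers."""
    rev = {}
    for caller, callees in deps.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev


def blast_radius(deps, start):
    """All services that transitively depend on `start`, in BFS order.

    These are the components whose behaviour (and users) may be affected
    when `start` is compromised or degraded.
    """
    rev = reverse_graph(deps)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        node = queue.popleft()
        for caller in rev.get(node, []):
            if caller not in seen:
                seen.add(caller)
                order.append(caller)
                queue.append(caller)
    return order


def incident_timeline(logs, alert, deps, window_minutes=30):
    """Merge the alert with log lines from every service in its blast radius
    that fall inside the window after the alert, sorted by time.

    This is the 'what happened, when, and to what' view an incident
    notification needs, built from security and observability data together.
    """
    t0 = parse_ts(alert["ts"])
    t1 = t0 + timedelta(minutes=window_minutes)
    scope = {alert["service"], *blast_radius(deps, alert["service"])}
    events = [
        (parse_ts(ts), svc, msg)
        for ts, svc, msg in logs
        if svc in scope and t0 <= parse_ts(ts) <= t1
    ]
    events.append((t0, alert["service"], "ALERT: " + alert["detail"]))
    return sorted(events)


def reporting_deadline(alert, hours=48):
    """Latest time the notification must be made, counted from the alert.

    The 48-hour default is the figure cited in the interview; adjust it to
    the deadline that actually applies to your entity.
    """
    return parse_ts(alert["ts"]) + timedelta(hours=hours)


if __name__ == "__main__":
    print("impacted:", blast_radius(DEPENDENCIES, ALERT["service"]))
    for when, svc, msg in incident_timeline(LOGS, ALERT, DEPENDENCIES):
        print(when.isoformat(), svc, msg)
    print("report by:", reporting_deadline(ALERT).isoformat())
```

The dependency map is the piece most organisations lack in one place; in practice it comes from service discovery, tracing or a CMDB rather than a hand-written dictionary, but the traversal and the join are the same. Note that the deploy at 09:13:55 is deliberately excluded because it precedes the alert: widening the window backwards is a judgement call that the timeline makes explicit rather than hiding.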
How can NIS2 benefit organisations that get compliance right?
"I think regulations, in general, are a tailwind for companies focused on observability and helping people understand their systems, as opposed to those that follow a do-it-yourself, disparate monitoring approach using a collection of different products. For Dynatrace, I don’t see this purely as something that helps our business; I see it as having parallel objectives, or you could even argue the same objectives.
"NIS2 regulations place requirements on organisations to understand their overall IT environments and protect them, ultimately safeguarding end users. That’s exactly what we aim to do at Dynatrace. Our platform helps companies deliver resilient, reliable software that performs well, provides an excellent end-user experience, and enables faster innovation while improving business outcomes. Regulations, in turn, are also aimed at improving business for citizens, which means we are fundamentally aligned.
"So why Dynatrace? Because you want your software to work perfectly. You can’t achieve that if you’re managing a complex system and trying to monitor networks, servers, applications, Kubernetes, security, and firewalls separately. If you monitor these elements independently and the data is fragmented, it lacks context. That creates a barrier to understanding your environment, protecting it, and responding effectively if an incident occurs.
"We fully support these regulations because they strive to create better experiences and stronger protections for end users."
How is GenAI complicating NIS2 compliance?
"I think GenAI will ultimately speed up productivity and accelerate innovation. However, at the same time, it creates the risk that intellectual property can be misappropriated to scoop up malicious code designed to exploit vulnerabilities and leak sensitive data outside an organisation - none of which are good for business.
"Companies need to take GenAI seriously because it is changing the game, and they need to be in the game. Not having a GenAI initiative is probably not going to end well. However, using it introduces new challenges. Unlike traditional coding, where a person with specific intent writes and comments on the code, AI-generated code adds another layer of abstraction and complexity. This means organisations need systems that can analyze what is happening inside the black box.
"We are evolving from retrieval-augmented generation (RAG), where sources are actively validated, to a future where we move away from large, highly flexible LLMs to more specialized, narrowly focused models. Eventually, we will see multiple LLMs working together and the rise of agentic AI, where AI systems are given business objectives and autonomously work to achieve them. As these technologies become more sophisticated, they also become harder to understand.
"To navigate this complexity, companies need advanced systems that can analyze, validate, and optimize AI models while ensuring security, reliability, and resilience. As AI becomes more powerful, managing its complexity is essential - and that’s exactly what Dynatrace does. It solves complexity."
How close are we getting to a situation in which organisations’ systems are so complex that they are beyond human understanding or control?
"This has already happened. One way to think about it is to look at a top-five organisation in almost any vertical industry, whether that’s a retailer, financial institution or insurance company. The sheer organisational complexity of these businesses means that different units and divisions operate independently while still needing to integrate and work together. That level of interaction is already far beyond human scale to fully comprehend.
"The larger an organisation, the more likely it is to have already realized that a fragmented approach to monitoring and observability is unsustainable. Instead, it needs to consolidate and leverage causal, predictive, and generative AI-based observability platforms to provide visibility, understanding, and protection across its environments.
"Is there anything inherently more complex in a large organisation’s software compared to a smaller one? Probably not. But with globally dispersed teams and thousands of people across different divisions, no single person can fully grasp the entire system. In a smaller company, an architecture team might have a clear map of most systems, objectives, and workflows.
"Looking ahead a few years, as Gen AI becomes more involved in software development, the connection between individual teams and what Gen AI is ‘thinking’ will become less direct. One of the reasons for using Gen AI is its unpredictability. It generates results based on prompts, training data, and context. If everything were entirely predictable, it would lose value because it wouldn’t introduce new ideas or solutions.
"As a result, even smaller organisations will start to mirror the complexity of large global enterprises. From a human perspective, it will be impossible to manually track and understand every decision made by AI-driven systems. Advanced observability platforms will be essential for deciphering intent, validating output, and making critical determinations about security, resilience, and performance under different conditions. The landscape is only going to become more complex."