June 2, 2026

Why NIS2 belongs in your AI governance and why "which plan" matters

Short answer: If your organisation falls under NIS2, every generative AI tool your employees use is part of your regulatory risk surface. The single most important thing to know is what AI is being used and on which plan — because a personal or free GenAI account handles your data very differently from a business plan, and that difference can turn everyday productivity into a compliance gap.

Most AI governance conversations start with models, policies, and acceptable-use documents. That's the wrong place to begin if you're a NIS2 entity. Start instead with a simple, uncomfortable question: do you actually know which AI tools your people use, and under what kind of account?

What does NIS2 have to do with AI?

NIS2 (Directive (EU) 2022/2555) doesn't mention "ChatGPT" or "generative AI." It doesn't need to. Its risk-management obligations — data security, access control, supply-chain risk, and the ability to demonstrate compliance — apply to any channel through which sensitive data leaves your control.

A generative AI vendor is, in NIS2 terms, a third party. The moment an employee pastes customer records, source code, or internal documents into a GenAI tool, that data has crossed your perimeter into someone else's systems. That is a data-security and supply-chain event whether or not anyone planned it.

ENISA's 2026 NIS360 report reinforces the point: the rapid advancement of AI is named as one of three emerging dynamics reshaping the threat landscape for critical sectors — alongside supply-chain risk and geopolitical volatility. AI governance and NIS2 compliance are no longer separate workstreams.

Why "personal vs business plan" is the question that matters

Here is the distinction that most policies miss. The same tool behaves differently depending on the account:

  • Free / personal plans may use submitted data for model training, offer limited retention controls, and sit entirely outside your contractual and audit reach.
  • Business / enterprise plans typically offer data-handling commitments, retention controls, and an administrative trail you can actually govern.

If half your workforce is using free accounts on personal logins, you have AI usage you cannot see, cannot govern, and cannot evidence to a supervisor. Industry telemetry through 2025 showed a sharp rise in "shadow" GenAI usage — employees adopting tools faster than their organisations can track them. You can't write a meaningful AI governance plan on top of a blind spot.

You can't govern what you can't see

This is the practical takeaway. Before you draft another policy, you need three facts:

  1. What AI tools are actually in use across the organisation.
  2. Which plans they run on — personal/free versus business/enterprise.
  3. What data and use cases are flowing through them.

With those facts, AI governance becomes straightforward: steer high-risk data away from ungoverned accounts, move valuable use cases onto governed plans, and keep the audit record NIS2 expects. Without them, you're guessing.

Key takeaways

  • Under NIS2, GenAI usage is part of your data-security and supply-chain risk surface — by default, not by choice.
  • The most important variable is which plan employees use: free/personal accounts are largely ungovernable, while business/enterprise plans can be governed and evidenced.
  • Shadow AI means most organisations lack visibility into their real exposure.
  • Effective AI governance starts with discovery — what's used, on which plan, with which data — not with policy.

Start with a free assessment, not a guess

You don't have to estimate any of this. NROC Security's free assessment runs in observation-only mode and produces an executive report that reveals:

  • Usage volume — how much GenAI activity is really happening across your organisation.
  • High-level use cases — what your teams are using AI for, and where sensitive data appears.
  • Organisational AI skill: how effectively your people prompt and apply AI, as an indicative measure of the productivity potential AI offers your entity.

It's the fastest way to turn AI from an ungoverned risk into a measured, NIS2-aligned advantage — and to see, before you spend anything, exactly where you stand.


FAQ

Does NIS2 regulate artificial intelligence?
NIS2 does not regulate AI directly, but its risk-management requirements — data security, access control, supply-chain risk, and demonstrable compliance — apply to any use of generative AI that moves sensitive data outside the organisation.

Why does it matter whether employees use free or business AI plans?
Free and personal AI plans often lack data-handling guarantees, retention controls, and any administrative or audit trail, placing them outside the organisation's governance and NIS2 reach. Business and enterprise plans typically provide the controls and evidence a NIS2 entity needs.

How do I find out which AI tools my organisation actually uses?
Run a discovery or observation-only assessment. NROC Security offers a free assessment that reports GenAI usage volume, high-level use cases, and organisational AI skill — the visibility required before any AI governance policy can be effective.
