All news

9 July 2026 / 12 minutes of reading

NIS2 Is Not the Problem. The Problem Is That Most Organizations Start in the Wrong Place.

Mention NIS2 in almost any boardroom, and the same questions quickly come up.


Key Takeaways

  • NIS2 is not a one-time compliance project. It is a continuous cybersecurity risk management process.
  • The biggest mistake organizations make is focusing on documentation before understanding their risks and critical assets.
  • Cybersecurity is no longer just an IT responsibility. Executive management, HR, legal, procurement and business owners all play a key role.
  • Technology alone is not enough. Without regular testing, you cannot be sure your security controls are actually working.
  • Organizations should pay close attention to their internal environment, cloud services and supply chain, as these are among the most common attack vectors.
  • Passing an audit is not the goal. The objective is to continuously improve the organization's cyber resilience.
  • Continuous monitoring, vulnerability management and regular validation of security controls are essential for successful NIS2 implementation.

When organizations first hear about NIS2, they usually start asking the same questions. Do we need a CISO? Should we implement ISO 27001? How many new policies do we need? Will we have to pass an audit? These are perfectly reasonable questions. However, they are usually the wrong questions to ask at the beginning.

The biggest change introduced by NIS2 is not additional documentation or regulatory requirements. It is a fundamental shift in how organizations approach cybersecurity. In other words, NIS2 is not a project. It is a risk management framework. This is why we continue to see the same implementation mistakes.

Organizations invest in new security technologies without understanding which systems are truly critical to their business. They produce dozens of security policies without ever validating whether they could recover from a ransomware attack. They complete compliance assessments while remaining unaware that a single misconfigured account could provide an attacker with administrative privileges. This is not a legislative problem. It is a prioritization problem.

ChatGPT Image 9. 7. 2026, 14_58_50.png

Rather than analyzing legal requirements article by article, this guide focuses on the practical side of NIS2 implementation. We will examine the most common mistakes organizations make and explain how to build a cybersecurity program that not only supports compliance but also improves resilience against real-world cyber threats.

When Should You Start Preparing for NIS2?

If your organization falls within the scope of the NIS2 Directive, do not wait for an audit or regulatory review. Building an effective cybersecurity program takes months, not weeks.

The NIS2 Directive significantly expands the number of organizations required to implement cybersecurity risk management measures across the European Union. Unlike its predecessor, it applies to a much broader range of essential and important entities operating in sectors such as energy, healthcare, transport, digital infrastructure, manufacturing, public administration and managed IT services.

The earlier an organization begins its preparation, the easier it becomes to integrate security measures into day-to-day operations.

A practical implementation roadmap may look like this:

NIS2 Implementation Roadmap (EN)-selection (1).pngAlthough this sequence appears straightforward, many organizations take the opposite approach. Instead of identifying risks first, they immediately focus on technologies, documentation or compliance audits.

This often leads to unnecessary costs, duplicated work and delayed implementation. The following chapters explain the most common mistakes and how to avoid them.

Mistake #1: Starting with Documentation

One of the first reactions to NIS2 is often an attempt to produce every required policy, procedure and security document. Information security policies, Incident Response Plans and Business Continuity Plans are all important. The problem begins when documentation becomes the objective instead of the tool.

Imagine two organizations. The first has comprehensive security documentation but has never tested its backup recovery process or its ability to respond to a cybersecurity incident. The second has fewer documents but performs regular penetration tests, validates the configuration of critical systems and exercises its incident response procedures. Which organization is better prepared for a real cyberattack?

Documentation exists to support security processes. It does not protect an organization by itself. NIS2 therefore focuses not on the existence of documents, but on an organization's ability to manage risks and demonstrate that implemented security measures are effective in practice.

Mistake #2: Treating Cybersecurity as an IT Problem

Cybersecurity has long ceased to be an IT-only discipline. Modern attacks exploit business processes, human error and weaknesses in third-party relationships just as often as technical vulnerabilities. This is why NIS2 extends well beyond IT infrastructure. Effective implementation requires involvement from the entire organization.

Executive management approves investments and accepts business risks. HR manages onboarding, offboarding and employee awareness. Procurement selects vendors who may gain access to critical systems. Legal teams handle contractual obligations and regulatory requirements. If any of these functions are missing from the process, technical controls alone will not provide adequate protection.

Successful NIS2 implementation is therefore not an IT project. It is an organizational project.

Mistake #3: Investing in Technology Before Understanding Your Risks

When organizations become subject to NIS2 requirements, one of the first reactions is often to invest in new security technologies. EDR, SIEM, PAM and other security solutions are deployed with the expectation that they will significantly improve the organization's security posture.

Technology is an essential part of cybersecurity, but it is not the starting point.

Organizations first need to understand their own environment. Which systems are critical to business operations? What data do they process? Which services must remain available during an incident? What would be the business impact if these assets were compromised?

Without answering these questions, it is impossible to prioritize investments effectively. An organization may deploy best-in-class security solutions while overlooking the single weakness that represents its greatest risk. This is why NIS2 places risk assessment and risk management at the core of every cybersecurity program.

Mistake #4: Assuming Your Security Controls Actually Work

Many organizations believe their security controls are effective simply because they have been in place for years. They use multi-factor authentication, firewalls, network segmentation and regular backups. However, that does not automatically mean these controls are properly configured or capable of stopping modern attacks.

Security cannot be measured by the number of technologies you have implemented. It must be validated regularly.

Penetration testing demonstrates how a real attacker could compromise your environment. Security assessments identify configuration weaknesses before they are exploited. Red Team exercises evaluate how well the organization can detect and respond to sophisticated attacks. Equally important is regularly testing backup recovery procedures and the readiness of the Incident Response team.

The greatest risk is not the absence of security technology. The greatest risk is assuming everything works because no one has ever verified it.

Mistake #5: Overlooking Supply Chain Risk

Cybercriminals increasingly avoid attacking their primary target directly. Instead, they look for the weakest link in the supply chain. That may be an IT service provider, a software vendor, a cloud platform or any third party with access to internal systems.

This is one of the reasons why NIS2 places much greater emphasis on supply chain security than previous legislation. Organizations should understand which suppliers have access to critical systems, what security requirements apply to them and how supplier-related risks are assessed on an ongoing basis.

This does not mean auditing every single supplier. It means identifying the third parties whose compromise could have the greatest business impact and applying an appropriate level of security oversight.

Mistake #6: Focusing Only on External Threats

When people think about cyberattacks, they often imagine attackers attempting to break through an internet-facing firewall. In reality, many attacks begin much more simply. An attacker steals a user's credentials, compromises a workstation and then moves laterally through the internal network.

Protecting the perimeter is no longer enough. Organizations must also understand the security of their internal environment.

One of the most common targets is Active Directory. Once attackers obtain privileged access, they can often take control of a significant portion of the organization's infrastructure. In many cases, this is not the result of sophisticated exploits, but of excessive privileges, outdated configurations or poorly managed identities.

Regularly reviewing identities, privileged accounts and internal security configurations should therefore be a fundamental part of every organization's cybersecurity program.

Mistake #7: Assuming Cloud Security Is the Cloud Provider's Responsibility

Moving systems to the cloud improves flexibility and scalability, but it also introduces new security challenges. Many organizations mistakenly believe that once workloads are migrated to the cloud, cybersecurity becomes the provider's responsibility.

In reality, cloud security follows a shared responsibility model. While the provider is responsible for securing the underlying infrastructure, the organization remains responsible for identity management, access control, data protection, service configuration and security policies.

Misconfigured cloud services remain one of the leading causes of data breaches. Publicly accessible storage, excessive permissions and missing multi-factor authentication are rarely the provider's fault. They are usually the result of incorrect configuration.

Cloud adoption does not eliminate security responsibilities. It changes them.

Mistake #8: Treating Cybersecurity as an Audit Exercise

Many organizations devote most of their cybersecurity effort to the months leading up to an audit or regulatory assessment. Documentation is updated, obvious weaknesses are addressed and, once the audit is complete, security initiatives gradually lose momentum.

This approach was already ineffective before NIS2. Under the new regulatory framework, it makes even less sense.

Cybersecurity is constantly evolving. New vulnerabilities emerge every day, infrastructures change, new applications are deployed and cloud environments continue to grow. A single audit provides only a snapshot of the organization's security posture at a specific point in time.

Organizations with mature cybersecurity programs treat security as a continuous process. They regularly assess their environment, validate security controls, monitor emerging threats and remediate weaknesses before attackers can exploit them.

This continuous improvement mindset lies at the heart of NIS2.

Mistake #9: Underestimating Incident Response

Many organizations have an Incident Response Plan. Far fewer know whether it would actually work during a real cyber incident.

Responding to an incident is not simply about knowing who to call. Teams must understand their responsibilities, management must be able to make decisions under pressure and the organization must know how to communicate with customers, business partners, regulators and the public.

A ransomware attack or a major data breach rarely happens under ideal conditions. Decisions have to be made quickly, information is incomplete and every minute of downtime increases the business impact. Organizations that have never tested their Incident Response process often discover during the incident that contact lists are outdated, responsibilities are unclear or recovery procedures cannot be executed as planned.

An Incident Response Plan should therefore never exist solely as documentation. It should be regularly exercised, reviewed and improved so that it supports the organization when it matters most.

Mistake #10: Treating Compliance as the Finish Line

Audits and compliance assessments are valuable. They help organizations identify weaknesses, improve governance and demonstrate that appropriate security measures have been implemented.

However, compliance should never become the ultimate objective.

Organizations that focus exclusively on passing an audit often optimize their efforts around the assessment itself. Documentation is updated, missing controls are implemented and visible issues are addressed. Once the audit is over, security improvements often slow down.

Attackers do not care whether an organization passed an audit. They care whether it has vulnerable applications, misconfigured cloud services, excessive privileges or unpatched systems.

NIS2 should therefore be viewed as a framework for continuous cybersecurity risk management rather than a one-time compliance exercise. An audit confirms the organization's security posture at a specific moment in time. It cannot guarantee that the same level of protection will exist six months later.

The real objective is not to pass an audit.

The real objective is to build a cybersecurity program that continuously identifies risks, validates security controls and improves the organization's resilience over time.

What Does an Organization Prepared for NIS2 Look Like?

There is no universal technology stack or security architecture that guarantees compliance with NIS2. Every organization has different risks, business priorities and levels of cybersecurity maturity. Nevertheless, organizations that successfully implement NIS2 typically share several common characteristics.

NIS2 Readiness Infographic-selection.pngIf your organization identifies more closely with the left-hand column, there is no reason to panic. Most organizations are somewhere between these two extremes. The important thing is to understand your current level of maturity and establish a structured plan for continuous improvement.

NIS2 is not about implementing more technology

It is about changing how organizations manage cybersecurity. Security can no longer rely on one-time projects, periodic audits or the assumption that implemented controls will remain effective indefinitely. Cyber threats evolve every day, and organizations must continuously assess risks, validate security measures and improve their resilience.

Penetration testing, security assessments, configuration reviews, vulnerability management and supply chain security should not be isolated activities performed once a year. They should become part of an ongoing cybersecurity program.

NIS2 is not the destination. It is a continuous journey towards stronger cyber resilience.

logo

Sign up for our newsletter for all the important cybersecurity and ethical hacking news.

Home

GDPR

Contacts

Code of ethics

News

© 2024 citadelo AG. All rights reserved.

facebooklinkedinxyoutube