9 July 2026 / 12 minutes of reading
Key Takeaways
When organizations first hear about NIS2, they usually start asking the same questions. Do we need a CISO? Should we implement ISO 27001? How many new policies do we need? Will we have to pass an audit? These are perfectly reasonable questions. However, they are usually the wrong questions to ask at the beginning.
The biggest change introduced by NIS2 is not additional documentation or regulatory requirements. It is a fundamental shift in how organizations approach cybersecurity. In other words, NIS2 is not a project. It is a risk management framework. This is why we continue to see the same implementation mistakes.
Organizations invest in new security technologies without understanding which systems are truly critical to their business. They produce dozens of security policies without ever validating whether they could recover from a ransomware attack. They complete compliance assessments while remaining unaware that a single misconfigured account could provide an attacker with administrative privileges. This is not a legislative problem. It is a prioritization problem.

Rather than analyzing legal requirements article by article, this guide focuses on the practical side of NIS2 implementation. We will examine the most common mistakes organizations make and explain how to build a cybersecurity program that not only supports compliance but also improves resilience against real-world cyber threats.
If your organization falls within the scope of the NIS2 Directive, do not wait for an audit or regulatory review. Building an effective cybersecurity program takes months, not weeks.
The NIS2 Directive significantly expands the number of organizations required to implement cybersecurity risk management measures across the European Union. Unlike its predecessor, it applies to a much broader range of essential and important entities operating in sectors such as energy, healthcare, transport, digital infrastructure, manufacturing, public administration and managed IT services.
The earlier an organization begins its preparation, the easier it becomes to integrate security measures into day-to-day operations.
A practical implementation roadmap may look like this:
Although this sequence appears straightforward, many organizations take the opposite approach. Instead of identifying risks first, they immediately focus on technologies, documentation or compliance audits.
This often leads to unnecessary costs, duplicated work and delayed implementation. The following chapters explain the most common mistakes and how to avoid them.
One of the first reactions to NIS2 is often an attempt to produce every required policy, procedure and security document. Information security policies, Incident Response Plans and Business Continuity Plans are all important. The problem begins when documentation becomes the objective instead of the tool.
Imagine two organizations. The first has comprehensive security documentation but has never tested its backup recovery process or its ability to respond to a cybersecurity incident. The second has fewer documents but performs regular penetration tests, validates the configuration of critical systems and exercises its incident response procedures. Which organization is better prepared for a real cyberattack?
Documentation exists to support security processes. It does not protect an organization by itself. NIS2 therefore focuses not on the existence of documents, but on an organization's ability to manage risks and demonstrate that implemented security measures are effective in practice.
Cybersecurity has long ceased to be an IT-only discipline. Modern attacks exploit business processes, human error and weaknesses in third-party relationships just as often as technical vulnerabilities. This is why NIS2 extends well beyond IT infrastructure. Effective implementation requires involvement from the entire organization.
Executive management approves investments and accepts business risks. HR manages onboarding, offboarding and employee awareness. Procurement selects vendors who may gain access to critical systems. Legal teams handle contractual obligations and regulatory requirements. If any of these functions are missing from the process, technical controls alone will not provide adequate protection.
Successful NIS2 implementation is therefore not an IT project. It is an organizational project.
When organizations become subject to NIS2 requirements, one of the first reactions is often to invest in new security technologies. EDR, SIEM, PAM and other security solutions are deployed with the expectation that they will significantly improve the organization's security posture.
Technology is an essential part of cybersecurity, but it is not the starting point.
Organizations first need to understand their own environment. Which systems are critical to business operations? What data do they process? Which services must remain available during an incident? What would be the business impact if these assets were compromised?
Without answering these questions, it is impossible to prioritize investments effectively. An organization may deploy best-in-class security solutions while overlooking the single weakness that represents its greatest risk. This is why NIS2 places risk assessment and risk management at the core of every cybersecurity program.
Many organizations believe their security controls are effective simply because they have been in place for years. They use multi-factor authentication, firewalls, network segmentation and regular backups. However, that does not automatically mean these controls are properly configured or capable of stopping modern attacks.
Security cannot be measured by the number of technologies you have implemented. It must be validated regularly.
Penetration testing demonstrates how a real attacker could compromise your environment. Security assessments identify configuration weaknesses before they are exploited. Red Team exercises evaluate how well the organization can detect and respond to sophisticated attacks. Equally important is regularly testing backup recovery procedures and the readiness of the Incident Response team.
The greatest risk is not the absence of security technology. The greatest risk is assuming everything works because no one has ever verified it.
Cybercriminals increasingly avoid attacking their primary target directly. Instead, they look for the weakest link in the supply chain. That may be an IT service provider, a software vendor, a cloud platform or any third party with access to internal systems.
This is one of the reasons why NIS2 places much greater emphasis on supply chain security than previous legislation. Organizations should understand which suppliers have access to critical systems, what security requirements apply to them and how supplier-related risks are assessed on an ongoing basis.
This does not mean auditing every single supplier. It means identifying the third parties whose compromise could have the greatest business impact and applying an appropriate level of security oversight.
When people think about cyberattacks, they often imagine attackers attempting to break through an internet-facing firewall. In reality, many attacks begin much more simply. An attacker steals a user's credentials, compromises a workstation and then moves laterally through the internal network.
Protecting the perimeter is no longer enough. Organizations must also understand the security of their internal environment.
One of the most common targets is Active Directory. Once attackers obtain privileged access, they can often take control of a significant portion of the organization's infrastructure. In many cases, this is not the result of sophisticated exploits, but of excessive privileges, outdated configurations or poorly managed identities.
Regularly reviewing identities, privileged accounts and internal security configurations should therefore be a fundamental part of every organization's cybersecurity program.
Moving systems to the cloud improves flexibility and scalability, but it also introduces new security challenges. Many organizations mistakenly believe that once workloads are migrated to the cloud, cybersecurity becomes the provider's responsibility.
In reality, cloud security follows a shared responsibility model. While the provider is responsible for securing the underlying infrastructure, the organization remains responsible for identity management, access control, data protection, service configuration and security policies.
Misconfigured cloud services remain one of the leading causes of data breaches. Publicly accessible storage, excessive permissions and missing multi-factor authentication are rarely the provider's fault. They are usually the result of incorrect configuration.
Cloud adoption does not eliminate security responsibilities. It changes them.
Many organizations devote most of their cybersecurity effort to the months leading up to an audit or regulatory assessment. Documentation is updated, obvious weaknesses are addressed and, once the audit is complete, security initiatives gradually lose momentum.
This approach was already ineffective before NIS2. Under the new regulatory framework, it makes even less sense.
Cybersecurity is constantly evolving. New vulnerabilities emerge every day, infrastructures change, new applications are deployed and cloud environments continue to grow. A single audit provides only a snapshot of the organization's security posture at a specific point in time.
Organizations with mature cybersecurity programs treat security as a continuous process. They regularly assess their environment, validate security controls, monitor emerging threats and remediate weaknesses before attackers can exploit them.
This continuous improvement mindset lies at the heart of NIS2.
Many organizations have an Incident Response Plan. Far fewer know whether it would actually work during a real cyber incident.
Responding to an incident is not simply about knowing who to call. Teams must understand their responsibilities, management must be able to make decisions under pressure and the organization must know how to communicate with customers, business partners, regulators and the public.
A ransomware attack or a major data breach rarely happens under ideal conditions. Decisions have to be made quickly, information is incomplete and every minute of downtime increases the business impact. Organizations that have never tested their Incident Response process often discover during the incident that contact lists are outdated, responsibilities are unclear or recovery procedures cannot be executed as planned.
An Incident Response Plan should therefore never exist solely as documentation. It should be regularly exercised, reviewed and improved so that it supports the organization when it matters most.
Audits and compliance assessments are valuable. They help organizations identify weaknesses, improve governance and demonstrate that appropriate security measures have been implemented.
However, compliance should never become the ultimate objective.
Organizations that focus exclusively on passing an audit often optimize their efforts around the assessment itself. Documentation is updated, missing controls are implemented and visible issues are addressed. Once the audit is over, security improvements often slow down.
Attackers do not care whether an organization passed an audit. They care whether it has vulnerable applications, misconfigured cloud services, excessive privileges or unpatched systems.
NIS2 should therefore be viewed as a framework for continuous cybersecurity risk management rather than a one-time compliance exercise. An audit confirms the organization's security posture at a specific moment in time. It cannot guarantee that the same level of protection will exist six months later.
The real objective is not to pass an audit.
The real objective is to build a cybersecurity program that continuously identifies risks, validates security controls and improves the organization's resilience over time.
There is no universal technology stack or security architecture that guarantees compliance with NIS2. Every organization has different risks, business priorities and levels of cybersecurity maturity. Nevertheless, organizations that successfully implement NIS2 typically share several common characteristics.
If your organization identifies more closely with the left-hand column, there is no reason to panic. Most organizations are somewhere between these two extremes. The important thing is to understand your current level of maturity and establish a structured plan for continuous improvement.
It is about changing how organizations manage cybersecurity. Security can no longer rely on one-time projects, periodic audits or the assumption that implemented controls will remain effective indefinitely. Cyber threats evolve every day, and organizations must continuously assess risks, validate security measures and improve their resilience.
Penetration testing, security assessments, configuration reviews, vulnerability management and supply chain security should not be isolated activities performed once a year. They should become part of an ongoing cybersecurity program.
NIS2 is not the destination. It is a continuous journey towards stronger cyber resilience.
All news