NIS2 | Why Many Get it Wrong
Picture this: You are reviewing your company’s latest cyber risk report. It is technical, dense and no one in the leadership team really reads it. Meanwhile, the IT department is doing its best to stay on top of threats, but the strategic decisions, the budget and the governance? Still disconnected.
Then a breach happens. Everyone looks to leadership for direction. But the board is unsure. The response plan is vague. Time is lost - and so is trust.
Cybersecurity is not just a technology issue. Under the NIS2 Directive, it is also a matter of legal accountability for the organisation's leadership.

NIS2 Defined
NIS2 (Directive (EU) 2022/2555) is the EU’s overarching cybersecurity directive aimed at improving cyber resilience and risk management for essential and important entities across critical sectors.
The directive aims to establish a consistent level of cybersecurity across the EU, ensure that key entities are prepared, responsive and resilient, and hold leadership accountable for cyber governance and risk-based decisions.
Who is affected?
NIS2 applies to operators in critical sectors such as energy, transport, finance, health and water. It also covers digital infrastructure providers, ICT service companies, public administration, and any business deemed “essential” or “important” to the functioning of society or the economy.
The Mistake: Seeing NIS2 as only IT or Compliance
Many organisations fall into a familiar trap: treating NIS2 like a checklist exercise, much like early responses to GDPR. The responsibility is assigned to IT, a policy is drafted, and the box is ticked. Then the issue is parked, until an incident occurs.
These are among the most common pitfalls:
- Delegating full responsibility to IT or compliance
- Rushing through documentation without addressing structure or roles
- Focusing on technical controls instead of business-wide governance
But NIS2 goes further, placing explicit legal responsibility on senior executives and boards. It’s not just about written policies – it’s about how cybersecurity is actually integrated into day-to-day operations.
Why It Happens: Misunderstanding the Scope
The fundamental misunderstanding is viewing NIS2 as a set of technical controls, when in fact it is binding legislation that governs how cyber risks must be managed across the organisation.
The directive demands coordination across legal, operational and technical domains. Leadership is expected not only to approve security measures, but to understand the organisation’s cyber risk landscape, receive relevant training, and take ownership of incident response oversight.
In many organisations, these responsibilities are unclear, fragmented across departments, or not acknowledged at all. That’s where the real risk lies, because a lack of governance isn’t just a compliance issue, it’s an operational vulnerability.
How to Get It Right: From Compliance to Capability
To succeed under NIS2, it’s not enough to simply pass an audit. Organisations must build structures that support lasting, measurable security.
Start by:
- Clarifying what each NIS2 requirement means for your organisation’s context
- Educating leadership on their role and liability under the directive
- Establishing governance that connects IT, legal, risk and business strategy
- Replacing static documentation with living, regularly updated processes
This shift, from paperwork to practice, is the difference between reactive and resilient.
Next Step – Assess, Align & Act
Ask yourself: Are we truly organised to meet NIS2 requirements – in practice, not just on paper?
If the answer is unclear, you’re not alone. Many organisations are still working to define their NIS2 posture.
Schedule your session today and take a proactive step toward NIS2 compliance.
Resilience by Design: Leading NIS2 from the Top
We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.