NIS2 | Why Many Get it Wrong

Picture this: You are reviewing your company’s latest cyber risk report. It is technical, dense and no one in the leadership team really reads it. Meanwhile, the IT department is doing its best to stay on top of threats, but the strategic decisions, the budget and the governance? Still disconnected.

Then a breach happens. Everyone looks to leadership for direction. But the board is unsure. The response plan is vague. Time is lost - and so is trust.

Under the NIS2 Directive, cybersecurity is not just a technology issue; it is also a matter of legal accountability.

NIS2 Defined

NIS2 (Directive (EU) 2022/2555) is the EU’s overarching cybersecurity directive aimed at improving cyber resilience and risk management for essential and important entities across critical sectors.

The directive aims to establish a consistent level of cybersecurity across the EU, ensure that key entities are prepared, responsive and resilient, and hold leadership accountable for cyber governance and risk-based decisions. 

Who is affected? 

NIS2 applies to operators in critical sectors such as energy, transport, finance, health and water. It also covers digital infrastructure providers, ICT service companies, public administration, and any business deemed “essential” or “important” to the functioning of society or the economy. 

The Mistake: Seeing NIS2 as only IT or Compliance

Many organisations fall into a familiar trap: treating NIS2 like a checklist exercise, much like early responses to GDPR. The responsibility is assigned to IT, a policy is drafted, and the box is ticked. Then the issue is parked, until an incident occurs. 

These are among the most common pitfalls:

  • Delegating full responsibility to IT or compliance
  • Rushing through documentation without addressing structure or roles
  • Focusing on technical controls instead of business-wide governance

But NIS2 goes further, placing explicit legal responsibility on senior executives and boards. It’s not just about written policies – it’s about how cybersecurity is actually integrated into day-to-day operations.

Why It Happens: Misunderstanding the Scope 

The fundamental misunderstanding is viewing NIS2 as a set of technical controls, when in fact it is binding legislation that governs how cyber risks must be managed across the organisation. 

The directive demands coordination across legal, operational and technical domains. Leadership is expected not only to approve security measures, but to understand the organisation’s cyber risk landscape, receive relevant training, and take ownership of incident response oversight. 

In many organisations, these responsibilities are unclear, fragmented across departments, or not acknowledged at all. That’s where the real risk lies: a lack of governance isn’t just a compliance issue, it’s an operational vulnerability.

How to Get It Right: From Compliance to Capability 

To succeed under NIS2, it’s not enough to simply pass an audit. Organisations must build structures that support lasting, measurable security. 

Start by: 

  • Clarifying what each NIS2 requirement means for your organisation’s context 
  • Educating leadership on their role and liability under the directive 
  • Establishing governance that connects IT, legal, risk and business strategy 
  • Replacing static documentation with living, regularly updated processes 

This shift, from paperwork to practice, is the difference between a reactive organisation and a resilient one.

Next Step – Assess, Align & Act 

Ask yourself: Are we truly organised to meet NIS2 requirements – in practice, not just on paper?

If the answer is unclear, you’re not alone. Many organisations are still working to define their NIS2 posture.

Schedule your session today and take a proactive step toward NIS2 compliance.

Ebba Rehnstam

Associate

Jonas Blomqvist

Director, Cyber & Digital Risk

Resilience by Design: Leading NIS2 from the Top

We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.
