NIS2 | When Dusty Risk Assessments Create the Illusion of Control
NIS2 (Directive (EU) 2022/2555) puts risk management at the centre of cybersecurity and operational resilience. But as organisations work to comply with the requirements, a familiar problem emerges: risk assessments are too often reduced to paperwork exercises that bring little or no operational benefit to the organisation.
This article explains why risk management under NIS2 must move beyond static documentation, highlights the cultural and organisational pitfalls that undermine it, and outlines how to build a continuous, consequence-driven approach that turns compliance into real protection.
NIS2 and Risk Management
NIS2 requires organisations to implement regular and systematic risk management practices: Article 21 of the directive obliges essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to their network and information systems. But the directive is about more than compliance. Its true purpose is not simply ticking regulatory boxes; it is to protect citizens, businesses, and society from disruption.
Risk management under NIS2 is not a paperwork exercise. It is about ensuring that essential services can continue to operate, recover quickly after incidents, and build trust in the resilience of critical infrastructure.
The Mistake: Risk Assessments Are Done Once, Then Forgotten
For many organisations, risk assessments are treated as a checkbox exercise. A consultant is brought in, a report is drafted, and the task is considered complete. The document becomes proof of compliance, until the next audit cycle.
But this approach leaves organisations exposed.
These are the common pitfalls:
Outdated assessments
Risks are not revisited when business processes, suppliers, or technologies change.
Risk inflation
Every department labels its risk “critical,” creating noise instead of clarity.
Untested plans
Continuity and incident response plans exist only on paper.
No ownership
Responsibilities for monitoring and updating risks are unclear or siloed.
Disconnected documentation
Risk registers are produced but never influence strategic or operational decisions.
The result is a misleading picture: a gap between theory and practice. An organisation may look compliant on paper but is unprepared when real threats emerge.
Why It Happens: Risk Management Considered a Checkbox
The root cause is often cultural: risk management is frequently seen as a compliance obligation rather than as a foundation for resilient and sustainable business growth and, increasingly, as a source of trust in an insecure cyber world. Many organisations adopt an audit mindset, preparing risk documentation for inspections instead of for real-life incidents.
Ownership is frequently siloed, with risk registers confined to IT or compliance functions and without genuine engagement from business leaders. Prioritisation suffers when there is no structured process to weigh risks against actual business impact, leading to political deadlocks where every risk is labelled as equally critical. Communication adds to the problem, as risk metrics are reported in technical terms that leadership cannot easily act upon. Boards may approve reports but fail to ensure that findings truly influence governance and decision-making.
The result is static risk documentation that quickly becomes irrelevant, creating not resilience but the illusion of safety.
How to Get it Right: Make Risk Management Continuous
True resilience comes from risk management that is a living process: a cycle of assessment, prioritisation, communication, and alignment with strategy.
Start by:
Assigning clear ownership
Define who is responsible for updating risk registers, testing continuity plans, and reporting to leadership. Use a RACI model (Responsible, Accountable, Consulted, Informed) to avoid gaps, with exactly one Accountable owner per risk so that no entry is left without someone answerable for it.
Scheduling regular reviews and updates
Schedule quarterly or half-yearly risk reviews. Update the register whenever there are significant changes: mergers, new suppliers, new technologies, or regulatory shifts.
Prioritising with impact in mind
Avoid “risk inflation” by aligning risks to business-critical processes and continuity needs. Not every red box in a heatmap deserves the same attention.
Testing, not just documenting
Run tabletop exercises, simulations, and red-team drills to validate whether risk plans function under pressure, and feed the findings back into the risk register. Documentation without testing creates a false sense of readiness; NIS2 itself (Article 21(2)(f)) expects entities to have policies and procedures for assessing the effectiveness of their risk-management measures.
Communicating in leadership language
Translate technical risk indicators into business impact: downtime, financial loss, regulatory exposure, or societal harm. This is the language that enables informed decisions.
Linking risk to strategy
Integrate cyber and operational risks into enterprise risk management. Ensure risk insights shape investment, governance, and decision-making at the top.
This shift, from static paperwork to dynamic practice, is at the heart of NIS2’s intent: not only compliance, but consequence-driven resilience.
Want to dive deeper into NIS2? Explore our dedicated NIS2 hub for expert insights, practical recommendations, and the latest updates.
Next Step: Make Risk Management a Cycle
Ask yourself: Are our risk assessments living documents, or are they gathering dust?
Under NIS2, where management bodies must approve the risk-management measures and oversee their implementation (Article 20), outdated or untested plans are not just a compliance gap, they are a liability. To meet the directive's expectations and strengthen resilience, risk management must become a continuous cycle: assess, prioritise, update, test, and align with business priorities.
Because the ultimate goal of NIS2 is not paperwork. It is ensuring that organisations, citizens, and society can withstand and recover from disruption.
Schedule your session today and take a proactive step toward NIS2 compliance.
Managing NIS2 from the Top
We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.