NIS2 | Cybersecurity as a Cost – The Most Expensive Mistake

What is more expensive: investing in cybersecurity today, or paying the price of a major breach tomorrow? The true cost of cybersecurity is usually revealed too late: in the chaos of a breach, the loss of trust, and the heavy hand of regulators.

Keep reading to learn how NIS2 changes the way organisations must view and manage the cost of cybersecurity and why, in the end, underinvestment costs more, both in crises and in compliance.

NIS2 and Cybersecurity Investments

Cybersecurity is still too often treated as a defensive cost, a technical expense hidden in the IT budget. This mindset, however, is one of the most expensive mistakes a business can make. Underfunding security does not save money; it multiplies risk. A single incident can cost millions in recovery, downtime, and reputational repair.

With the arrival of NIS2, the consequences are even greater: inadequate investment is not only risky but also a regulatory violation that can lead to fines of up to 10 million euros or 2% of global turnover. More than that, leaders and managers face personal liability for the consequences of failing to secure the organisation and failing to comply with the regulation.

Yet focusing only on avoiding losses tells only half the story. Cybersecurity also delivers a clear Return on Investment (ROI). Organisations that see cybersecurity as an investment, not just protection, gain resilience and competitive advantage.

The Mistake

The most common mistake is treating cybersecurity only as insurance. Budgets are kept to the minimum needed to tick compliance boxes, while strategic improvements are postponed until after an incident. When a breach finally occurs, the response is reactive: emergency consultants, rushed fixes, and reputation management campaigns.

Under NIS2, this approach is especially dangerous. Failing to implement risk management or report incidents on time does not just increase business risk, it also exposes organisations to severe regulatory penalties. In short: underinvestment costs more, both in crises and in compliance.

Why it Happens

Organisations too often frame cybersecurity in the wrong way. Boards hear about firewalls, patching cycles, and intrusion detection systems. These sound like overhead, not value. Boards rarely see how security directly links to protecting revenues, ensuring operational continuity, and enabling growth.

Organisational silos reinforce the issue. Organisations often delegate security solely to IT, disconnecting it from finance, strategy, and governance. NIS2 changes this equation as management bodies are now explicitly accountable for cybersecurity. Boards must be trained, informed, and responsible. Underinvestment is no longer just a business risk – it is a breach of regulatory duty.

How to Get it Right

The key is to reframe cybersecurity as both protection and value creation. Use ROI to demonstrate why investments matter:

  • Avoided costs: incidents prevented, downtime reduced, fines minimized.
  • Revenue protection: operations safeguarded, customer trust maintained.
  • Growth opportunities: compliance with NIS2, stronger ESG positioning, and eligibility for contracts where cyber resilience is a requirement.
  • A robust partner: in an insecure world, be a staunch and reliable partner that values the security not only of your own organisation but also of your third parties – customers, suppliers, and business partners.
  • Operational efficiency: improve business processes and data flows by using the security work to identify and correct inherent design flaws in existing processes.

Executives should communicate cybersecurity in business language, not technical jargon. Instead of talking about firewalls, talk about resilience. Instead of patching, talk about safeguarding revenue. Instead of encryption, talk about being a secure and robust party within the internal European economic area.

NIS2 can serve as a roadmap: it outlines the steps (risk management, supply chain security, training, incident reporting) that both deliver compliance and create measurable business value.

Equally important is leadership accountability. NIS2 makes it clear that boards and executives are not just observers but directly responsible for cybersecurity risk management. Management bodies must approve security measures, ensure adequate resources, and even undergo training themselves. This shift moves cybersecurity out of IT silos and places it firmly in the domain of governance and strategy. For boards, the question is no longer if they are involved, but how well they fulfil their role.

Next Step

The way forward is to build a business case for cybersecurity that addresses both halves of ROI. Link every investment not just to risk reduction, but also to business objectives and growth opportunities. Use NIS2 requirements as a foundation for this case, showing how compliance aligns with resilience, trust, and long-term value creation.

The most expensive mistake is treating cybersecurity as a cost. The smartest move is to see it for what it really is: a strategic investment with measurable returns in compliance, resilience, and competitive advantage.

Schedule your session today and take a proactive step toward NIS2 compliance.

Leif Johnson

Director

Ebba Rehnstam

Associate

Managing NIS2 from the Top

We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.
