NIS2 | The Invisible Risks: Culture and Communication Gaps

When cybersecurity is discussed, the focus often falls on firewalls, detection tools and playbooks. Yet the NIS2 directive makes it clear: technology alone will not make or break security. The true risks lie in people, communication, and the organisational culture that shapes how invisible risks are understood and addressed. Boards and executives are now directly accountable for managing cyber risk – but many still treat security as a purely technical matter.

Continue reading to discover common pitfalls organisations face and learn how to get it right with actionable recommendations.

NIS2 and the Real Challenge

Cybersecurity discussions often drift straight to firewalls, encryption, detection tools and playbooks. Important, of course – but as has been discussed so many times in our previous articles – technology is not what makes or breaks security. With the NIS2 Directive now a reality across Europe, the real challenge is, and has always been, people. 

The Mistake: Ignoring the Governance and Culture Gap

The NIS2 Directive significantly raises the bar for governance and leadership accountability. Under its requirements, boards and senior executives carry clear responsibility for managing cyber risk and ensuring effective incident response. Yet in practice, we still see many organisations framing security as a purely technical issue, and we believe we will continue to see this for a while yet.

Risk documentation remains buried in IT dashboards (or, let us face it, in often forgotten Excel sheets on a SharePoint/Teams site) and never reaches decision-makers in language they can act on. Awareness training is often an annual check-the-box exercise that quickly fades (how is that ISMS KPI for completed trainings coming along?). And when the messages about security vary from team to team, a coherent culture never takes root.

These gaps do not just endanger a company – they weaken the collective resilience of the European Union. A single compromised supplier or operator of essential services can ripple across borders and sectors.  

What do we mean by “Culture”? 

We have all asked ourselves the question: what is organisational culture? The answer is elusive, and many studies have tried to settle on a single definition. Add the aspect of “security”, and it becomes even harder to pin down.

But let us try to define it ourselves. Organisational culture is the shared set of values, norms, and everyday behaviours that shape how people make decisions and interact when no one is watching. It is “how things are really done around here,” far more than any policy or mission statement.

A cybersecurity culture is that same invisible force applied to digital as well as analogue risk to information: the collective mindset where employees instinctively question suspicious emails, leaders weigh security impact in every business decision, and teams communicate openly about incidents instead of hiding them. It is not a one-off training module or a poster in the break room – it is so much more. It is the lived practice of treating information as a critical asset and safeguarding it as naturally as locking the front door.  

Why It Happens: Box-Ticking Exercise Rather than Governance

The reasons why a specific organisation struggles to build a security culture will naturally vary, but from our experience we can identify a few common pitfalls. 

  • Superficial training. Annual awareness modules tick a compliance box but rarely change actual behaviour. As the old cliché goes, a chain is only as strong as its weakest link.
  • Isolated reporting. Critical metrics stay confined to operational dashboards rather than flowing into board-level reports. This disconnect weakens governance and leaves leadership without a full picture of the organisation’s security posture. 
  • Security office not correctly placed. To this day, we still cannot believe that we at times encounter security functions and CISOs who report to IT, which limits their ability to collaborate across business units and support enterprise-wide risk management.
  • Fragmented culture. Different departments hear different messages – or none at all. This inconsistency erodes accountability and makes it harder to embed security as a collective business responsibility. 

How to Get it Right: Think Beyond Compliance

  • Treat cyber as a business risk. We have mentioned this before, yet it remains worth emphasising. Use the same language and rigour you apply to financial or operational risks. Open with how weak reporting, superficial training, and a fragmented culture translate into financial risk, regulatory penalties, and brand damage. Use metrics leaders care about so the message actually lands.
  • Keep training alive. Blend short, role-specific refreshers, phishing simulations, and leadership workshops into everyday work. Bake security prompts into tools employees already use (M365, Slack, Jira, etc.).
  • Report in plain terms. Translate incidents and trends into business impact – downtime, regulatory exposure, reputational damage – money.  
  • Embed security in daily habits. HR onboarding, internal communications, and performance goals should all reinforce the message that cybersecurity is everyone’s responsibility.  
  • Be creative. One of the best (and most fun) tips to bolster a cybersecurity culture I have received is from a previous colleague. He created a scheme in the organisation whereby reporting a vulnerability granted you a piece of candy from the security officer, thereby increasing the overall attention and boosting security morale. Gamification and shout-outs during all-hands do actually work.
  • Make it practical and action-oriented. End with a short “playbook” or checklist:
  1. Map current reporting flows to the C-suite.
  2. Redesign metrics and dashboards.
  3. Build a continuous training programme.
  4. Assign ownership at board level.

NIS2 is not just another regulation. It is a collective effort to raise the baseline of cybersecurity across Europe. It might sound cheesy, but by extension every executive decision, every HR process, every internal message contributes to the resilience of the entire Union. As consultants but foremost as citizens of Europe, we urge leaders to see this as more than meeting a directive’s letter. NIS2 is about safeguarding the digital backbone of European society – energy grids, healthcare systems, food production and supply chains, financial networks, and our democratic institutions.

Want to dive deeper into NIS2? Explore our dedicated NIS2 hub for expert insights, practical recommendations, and the latest updates.

Next Steps – Create a Living Security Culture

Let us put on our preacher hat whilst we regurgitate the following clichéd, but nonetheless vital, sentence: Security is not a one-off project. It’s a living process and a mindset shift that must live beyond a policy document. Here’s how we recommend getting traction right now: 

  1. Secure a board sponsor you can work with. If one does not exist already, ask a senior executive to champion the programme and join quarterly cyber-risk reviews.
  2. Run a culture baseline. Short pulse surveys and a few candid interviews will tell you where people really stand on security awareness and reporting.
  3. Pilot quick wins. Pick one department and roll out micro-trainings, phishing simulations, or a lightweight reporting incentive – small successes build momentum.
  4. Tighten supplier oversight. Map critical vendors, set up continuous monitoring, and agree on joint incident-response expectations.
  5. Translate risk for leadership. Turn technical metrics into the language of downtime, regulatory penalties, and reputational cost so decisions happen in the boardroom – not the server room.

Building a living security culture is not optional. It is the surest path to protecting your organisation – and strengthening the security and resilience of Europe as a whole.  

Managing NIS2 from the Top

We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.

Gustav Jansäter

Manager

Markus Persson

Managing Director, Cyber & Digital Risk
