CCNet
Feb 20, 2026 • 4 min read
NIS-2: Legal Uncertainty Is No Excuse
What It’s Really About
The discussion around NIS-2 often revolves around detailed regulations and interpretative questions. Understandable – but dangerous, because the core has long been clear: companies of essential importance to the economy and society must demonstrably professionalize their IT security and governance. Those who choose to “wait and see” now risk exactly what NIS-2 addresses: longer outages, chain reactions in the supply chain, and executive liability without solid evidence of appropriate measures.
The Essence of NIS-2 in Five Points
- Management Responsibility: Executive management/board is explicitly obligated to understand risks, approve measures, and have their effectiveness reviewed.
- Risk-Based Controls: Not checklist religion, but appropriate, documented measures across identities, endpoints, networks, applications, and data.
- Reporting Obligations & Incident Reporting: Serious incidents must be reported in a timely and qualified manner – without panic, but with facts.
- Supply Chain Security: Third parties are not “outside” – they are part of your attack surface. Minimum controls and evidence are contractually required.
- Enforcement & Sanctions: “Paper security” is not enough. Missing governance and ineffective processes are subject to sanctions – regardless of good intentions.
Who Is Affected – Directly, Indirectly, Through Contracts
Many companies fall directly within the scope; others feel NIS-2 through their customers: Large clients and operators demand evidence and audit rights, even if you are not formally “in scope.” Realistically, there are three classes:
- Directly affected (essential/important entities): formal obligations and regulatory contact.
- Indirectly affected (critical suppliers/service providers): contractual evidence obligations, audits, minimum standards.
- De facto affected: no formal classification, but dependent on customers who pass down NIS-2 requirements.
Common Misconceptions – and the Sober Answer
- “We need the final official guidance first.” – Wrong. The expected controls have been best practice for years: phishing-resistant MFA, patch SLOs, segmentation, backups with integrity verification, Incident Reporting process.
- “Certificate = done.” – No. Certificates help, but they do not replace lived processes or supply chain controls.
- “Our IT will handle it.” – Half true. NIS-2 is governance: risk decisions, budget, contracts, escalation – that is an executive responsibility.
- “We are too small/unimportant.” – Until an outage affects a customer who is very important. Then their rules apply – immediately.
From Legal Text to Practice – What “Appropriate” Looks Like
Start where failure is most expensive: identities, external attack surfaces, and recovery. “Appropriate” means: documented, repeatable, tested.
Core building blocks that matter:
- Identities first: Phishing-resistant MFA (e.g., Passkeys/FIDO2) for critical roles, just-in-time privileges, disabling weak legacy protocols.
- Patch SLOs instead of “we patch regularly”: Internet-exposed critical issues in days, internal with clear deadlines; escalation for delays is automated, not manual.
- Segmentation & Hardening: Separation of critical zones, hardened admin workstations, default blocking of risky scripting tools.
- Backups with proof: Offline/immutable, time-measured restore drills including integrity verification – documented and repeatable.
- Reporting & communication path: A practiced Incident Reporting process with roles, deadlines, contact paths (internal/external), legal guardrails.
- Contractually secure the supply chain: Minimum controls (MFA, patch SLOs, logging), drill obligations, reporting deadlines, audit rights.
Minimal Roadmap Without Drama
Not everything at once – but consistently and with evidence.
- Risk map & responsibilities (management resolution): Which processes are critical? Which attack paths are realistic? Who decides on deviations? Document it and formally approve it at executive level.
- Controls into the operations manual (not just into slides): For each control (e.g., MFA, patch SLO, restore drill) a one-page runbook: objective, trigger, steps, owner, evidence. No novel – but operational.
- Collect and version evidence: Tickets, logs, screenshots, drill records. Without evidence, it did not happen. Centralized, audit-proof, searchable.
- Supply chain in tiers: Desk review for all, remote audit for “high,” targeted tests for “critical.” Missing evidence ⇒ deadline, escalation, if necessary access restriction.
What Is Measured – and How
Metrics do not replace control, but they make progress visible – and failures measurable. Focus on a few hard KPIs with clear consequences for deviations:
- MFA coverage (phishing-resistant) for critical roles.
- Patch SLO compliance by exposure (Internet vs. internal).
- Restore time & integrity for the two most critical business processes.
- Incident maturity: time to initial assessment, time to report, completeness of initial notification.
- Supply chain fitness: percentage of critical partners with verified evidence/drills and functioning 24/7 contact path.
Important: Every deviation requires a defined consequence (e.g., escalation, change freeze, additional review). Reporting without action is busywork.
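To make the patch-SLO control (separate deadlines for internet-exposed and internal systems, escalation automated rather than manual) and its KPI with a defined consequence concrete, here is an added Python example; it is not code from the original article, and the SLO day counts, the 95% target and the ticket records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumed SLO deadlines in days per (exposure, severity). The article only says
# "internet-exposed critical issues in days, internal with clear deadlines"; these
# numbers, the 95% target and the tickets below are constructed for this example.
PATCH_SLO_DAYS = {("internet", "critical"): 7, ("internet", "high"): 14,
                  ("internal", "critical"): 30, ("internal", "high"): 60}
KPI_TARGET = 0.95  # compliance ratio below which a defined consequence fires

@dataclass
class PatchTicket:
    ticket_id: str
    exposure: str           # "internet" or "internal"
    severity: str           # "critical" or "high"
    opened: date
    closed: Optional[date]  # None while the fix is still outstanding
def slo_deadline(t: PatchTicket) -> date:
    return t.opened + timedelta(days=PATCH_SLO_DAYS[(t.exposure, t.severity)])
def met_slo(t: PatchTicket, as_of: date) -> bool:
    # Closed tickets are judged by their close date, open ones by "today".
    return (t.closed or as_of) <= slo_deadline(t)
def slo_compliance_by_exposure(tickets, as_of):
    """Return ({exposure: ratio}, [(ticket_id, days_overdue)] for open breaches)."""
    counts = {}
    for t in tickets:
        n, ok = counts.get(t.exposure, (0, 0))
        counts[t.exposure] = (n + 1, ok + (1 if met_slo(t, as_of) else 0))
    ratios = {exp: ok / n for exp, (n, ok) in counts.items()}
    escalations = [(t.ticket_id, (as_of - slo_deadline(t)).days)  # automated, not manual
                   for t in tickets if t.closed is None and as_of > slo_deadline(t)]
    return ratios, escalations

def kpi_consequences(ratios, target=KPI_TARGET):
    """Every deviation from target gets a defined consequence, not just a number."""
    return {exp: "ok" if r >= target else "escalate: change freeze + review"
            for exp, r in ratios.items()}

# Constructed sample tickets (not real data), evaluated as of 2026-02-20.
SAMPLE_TICKETS = [
    PatchTicket("T1", "internet", "critical", date(2026, 2, 1), date(2026, 2, 5)),
    PatchTicket("T2", "internet", "critical", date(2026, 2, 1), None),
    PatchTicket("T3", "internet", "high", date(2026, 2, 10), None),
    PatchTicket("T4", "internal", "critical", date(2026, 1, 1), date(2026, 1, 25)),
    PatchTicket("T5", "internal", "high", date(2025, 12, 1), None),
]

def sample_report(as_of=date(2026, 2, 20)):
    ratios, escalations = slo_compliance_by_exposure(SAMPLE_TICKETS, as_of)
    return ratios, escalations, kpi_consequences(ratios)
```

Fed from a real ticket system, the same two outputs are the evidence trail (ratio per exposure class) and the escalation queue (overdue ticket, days late) that the roadmap asks you to version and keep audit-proof.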
Practical Advice for Skeptical Executives
- Ask for evidence, not intentions. “Show me the last restore protocol with timestamp.”
- Prioritize where time equals money. A stable recovery reduces downtime costs – and convinces insurers.
- Tie budget to impact. Fewer tools, more resilient processes.
- Make it audit-ready. Anything that cannot be found effectively does not exist – especially under NIS-2.
Conclusion: Action Beats Excuses
NIS-2 is not an end in itself, but a catalyst for solid governance. Those who put processes, evidence, and the supply chain in order today win twice: less day-to-day risk and less stress when it matters. Waiting for perfect clarity is a strategy – just not a good one. The requirements are known, the path is feasible. Start now – and document that you did.
FAQ About This Blog Post
What does NIS-2 specifically regulate for companies?
NIS-2 requires clear management responsibilities, verifiable effectiveness evidence, and structured supply chain controls. IT security measures must be documented, tested, and demonstrably compliant toward authorities.
Which processes must be regularly practiced under NIS-2?
A functioning incident reporting process, tested restore procedures with integrity verification, and defined communication paths with authorities must be regularly exercised and documented.
Is a certificate sufficient to comply with NIS-2?
No. A certificate alone is not sufficient. Operational processes, documented controls, and verifiable evidence are essential.
Who is responsible for implementing NIS-2?
Responsibility lies with executive management in cooperation with security and legal functions. NIS-2 is a governance matter, not just an IT task.
What are quick steps to start NIS-2 compliance?
Create operational runbooks, establish a centralized evidence repository, and implement a structured supply chain tiering model for audits and minimum controls.