Common Mistakes Companies Make With NIS2

When organizations begin preparing for NIS2, the first instinct is often to understand the Directive itself. Many teams start by reading legal articles and trying to interpret what each paragraph requires. That approach rarely leads to clarity. NIS2 is not primarily a legal exercise. It is a governance and risk management framework that pushes organizations to understand their exposure, build operational resilience, and ensure that leadership is directly involved in cybersecurity oversight. In practice, companies rarely struggle because they ignore NIS2. They struggle because they approach it in ways that do not reflect how the Directive actually works.

Several patterns appear repeatedly when organizations start their preparation.

1. Treating NIS2 as a documentation exercise

One of the most common mistakes is treating NIS2 as a paperwork project. Policies are written, responsibilities are assigned, and a risk assessment document appears in a shared folder. Once the documentation exists, the organization assumes that the requirement has been fulfilled. The Directive expects something very different. NIS2 focuses on operational security and continuous risk management. Systems evolve, infrastructure changes, suppliers rotate, and threat actors adapt. A document written once cannot reflect a constantly changing environment. Supervisory authorities will not only review whether policies exist. They will expect evidence that security measures are actually implemented and functioning.

2. Staying too abstract

Another common pattern is producing strategic documents that remain disconnected from technical reality. An incident response plan may exist, but the organization has never simulated an incident. A business continuity plan might be approved by management, yet no recovery exercise has been performed. Supplier security policies are defined, but vendors have never been evaluated beyond a questionnaire. NIS2 places emphasis on practical implementation. Controls must exist not only in documentation but also in daily operations. Organizations that remain at policy level often discover gaps when they try to demonstrate how those policies work in practice.

3. Trying to interpret every legal article

Some teams spend weeks trying to interpret the Directive line by line. This usually creates confusion rather than progress. NIS2 describes objectives and responsibilities, but it does not prescribe exact technical configurations or step-by-step implementation instructions. A more effective starting point is operational visibility. Organizations should first understand their environment: what assets exist, which services are critical, how systems are interconnected, and which third parties are integrated into their operations. Without this foundation, compliance discussions remain theoretical.

4. Not knowing where to start

Many companies ask the same question: where should preparation actually begin? The answer is rarely tools or policies. It begins with visibility. An organization cannot manage risks in systems it has not identified. It cannot protect suppliers it has not classified. It cannot report incidents it cannot detect. A reliable asset inventory, network mapping, and identification of critical services form the basis for meaningful risk management. Once this visibility exists, security controls and governance structures become much easier to design.

5. Underestimating management responsibility

One of the most significant shifts introduced by NIS2 is executive accountability. Cybersecurity is no longer considered only a technical function. Management bodies must approve cybersecurity risk management measures, oversee their implementation, and ensure that the organization understands its exposure. This requirement changes internal dynamics. Security discussions must move beyond technical terminology and translate cyber risk into business impact. Leadership cannot remain distant from cybersecurity decisions. Governance structures must reflect that responsibility.

6. Overlooking supply chain exposure

Many high-profile incidents in recent years originated through compromised suppliers. NIS2 reflects this reality by placing clear emphasis on supply chain security. Organizations are expected to understand the role external providers play in their operations and to evaluate the risks associated with those relationships. This requires more than contractual language. Companies must identify which vendors are critical, how their systems interact with internal infrastructure, and what level of security assurance is required from them. Ignoring supplier risk leaves organizations exposed even when internal controls appear strong.

7. Reporting requirements without detection capability

NIS2 introduces strict timelines for incident reporting. Organizations must provide an early warning within 24 hours of detecting a significant incident, followed by a detailed notification within 72 hours. These timelines assume that detection mechanisms are already functioning. In many environments, incidents are discovered weeks after the initial compromise. Logging may be incomplete, monitoring fragmented, and escalation procedures unclear. Without operational detection capabilities, reporting obligations cannot be met. NIS2 therefore indirectly pushes organizations to strengthen monitoring and response functions.

8. Looking at NIS2 only through the lens of penalties

Financial penalties associated with the Directive receive significant attention. While the potential fines are substantial, focusing exclusively on them often leads organizations to aim for minimal compliance. A broader perspective reveals that NIS2 can serve as a catalyst for stronger security governance.

Organizations that implement structured risk management often gain better visibility of their infrastructure, clearer accountability structures, stronger incident response capabilities, and improved resilience against disruptions. In that sense the Directive does more than enforce compliance. It encourages maturity. NIS2 does not require organizations to memorize legal text. It requires them to demonstrate that cyber risk is understood, managed, and governed. Supervisory authorities will look for evidence that organizations know their systems, monitor their infrastructure, assess supplier exposure, and involve leadership in security decisions. Companies that treat NIS2 as a documentation exercise will struggle to demonstrate this. Organizations that approach it as a framework for structured cybersecurity governance will be far better prepared, regardless of regulatory pressure.

Sources:

European Union – Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive)

ENISA – ENISA Threat Landscape 2023

World Economic Forum – Global Risks Report 2024
