The NIS2 Directive introduces broader obligations, stricter technical requirements and significantly higher accountability for entities across the EU. It expands the scope of regulated sectors, strengthens supervisory powers and introduces substantial penalties that can reach up to 10 million euros or 2 percent of global annual revenue. With only 24 hours to submit an initial incident notification and the expectation of demonstrated technical controls, it becomes clear that compliance cannot be achieved through documentation alone.
Organizations that postpone their preparation usually struggle not with policies, but with technical weaknesses: missing visibility, misconfigurations, unmanaged vulnerabilities and insufficient monitoring. These issues surface quickly once NIS2 analysis begins.
Insufficient Technical Controls
Article 21 of the Directive outlines mandatory technical and organizational measures such as vulnerability management, data protection, supply chain security, identity and access management, secure configuration, network monitoring and regular validation of controls. In practice, many organizations rely on basic tools such as antivirus, firewalls and MFA while missing essential elements like continuous monitoring, segmentation and comprehensive logging.
Technical debt accumulated over years cannot be compensated for with policies alone. NIS2 expects real operational security, not theoretical security on paper.
Incomplete Asset and Data Inventory
A precise asset inventory is crucial for identifying critical systems, understanding dependencies and assessing risk. NIS2 indirectly requires this through Articles 20 and 21. Many organizations lack full visibility into servers, services, legacy systems, Internet-facing endpoints, APIs and key data flows. Undocumented or abandoned systems often remain exposed without monitoring.
Without an accurate map of assets and data, risk assessments become generic and protective measures are implemented in the wrong places or at the wrong priority.
Poorly Configured or Incomplete Logging
NIS2 places strong emphasis on rapid detection, analysis and reporting of incidents. Article 23 requires an initial notification within 24 hours and a more detailed report within 72 hours. This is not possible without comprehensive and synchronized logging.
Common gaps include missing administrative logs, missing application audit trails, lack of logging on backup systems, insufficient SIEM coverage and no time synchronization. When an incident occurs, organizations often discover they do not have the data required to reconstruct the event or support a timely notification.
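The gaps listed above (silent sources, clock drift, missing administrative audit trails) can be tested before an incident forces the question. The following Python is an added example written for this article, not code from the author or from any SIEM vendor; the event fields, source names, tolerances and required audit categories are all constructed assumptions standing in for what a collector would export.

```python
"""Log-readiness check over a constructed set of collector events.

Added example, not part of the original article. It flags three of the
gaps the text lists: expected sources that have never reported or have
gone silent (coverage), sources whose own timestamps drift from the
collector's receive time (time synchronization), and hosts that emit no
administrative/audit events at all. Field layout and thresholds are
assumptions, not a particular product's schema.
"""
from datetime import datetime, timedelta, timezone

# Sources expected to report, and the audit categories every expected host
# should produce at least once in the review window (assumed policy).
EXPECTED_SOURCES = {"dc01", "app01", "backup01", "fw01"}
REQUIRED_CATEGORIES = {"admin_login", "privilege_change"}
MAX_SKEW = timedelta(seconds=30)     # tolerated source-vs-collector drift
MAX_SILENCE = timedelta(hours=1)     # a source quieter than this is "silent"

# Constructed events: (source, timestamp stamped by the source,
# timestamp when the collector received it, category).
EVENTS = [
    ("dc01", "2024-03-01T10:00:05Z", "2024-03-01T10:00:06Z", "admin_login"),
    ("dc01", "2024-03-01T10:05:00Z", "2024-03-01T10:05:01Z", "privilege_change"),
    ("app01", "2024-03-01T09:58:00Z", "2024-03-01T10:03:00Z", "http_access"),  # clock 5 min behind
    ("app01", "2024-03-01T10:10:00Z", "2024-03-01T10:15:02Z", "http_access"),
    ("backup01", "2024-03-01T06:00:00Z", "2024-03-01T06:00:01Z", "job_complete"),  # nothing since
]
NOW = datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)  # constructed review time


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess_log_readiness(events, expected_sources, now):
    """Return a dict of sorted source lists, keyed by gap type."""
    last_seen = {}     # source -> latest collector receive time
    skew = {}          # source -> largest |received - stamped|
    categories = {}    # source -> set of categories observed
    for source, stamped, received, category in events:
        st, rc = _ts(stamped), _ts(received)
        last_seen[source] = max(last_seen.get(source, rc), rc)
        skew[source] = max(skew.get(source, timedelta()), abs(rc - st))
        categories.setdefault(source, set()).add(category)

    return {
        "never_reported": sorted(expected_sources - set(last_seen)),
        "silent": sorted(s for s, t in last_seen.items() if now - t > MAX_SILENCE),
        "clock_drift": sorted(s for s, d in skew.items() if d > MAX_SKEW),
        "missing_audit": sorted(
            s for s in expected_sources
            if not REQUIRED_CATEGORIES & categories.get(s, set())
        ),
    }


if __name__ == "__main__":
    for gap, sources in assess_log_readiness(EVENTS, EXPECTED_SOURCES, NOW).items():
        print(f"{gap}: {sources}")
```

Run against the constructed data, the check reports the firewall as never seen by the collector, the backup server as silent, the application host as drifting by about five minutes (enough to scramble an incident timeline), and three hosts with no administrative audit events at all. The same structure runs unchanged over a real collector export once the tuple fields are mapped.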
Lack of Network Segmentation
Flat networks and broad access rights remain common despite the Directive’s expectation of reduced attack surface and restricted lateral movement. In many environments, critical systems, employee workstations and backup environments still share the same segments, making containment almost impossible.
Proper segmentation, micro-segmentation in virtual environments, strict separation of administrative networks and isolation of backups are essential measures that directly support NIS2 expectations.
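Separation of administrative networks and isolation of backups can be expressed as invariants and tested against the firewall's allow-list instead of being asserted on a diagram. The Python below is an added example for this article, not the author's code or any vendor's tooling; the zone names, allowed flows and the three invariants are constructed assumptions representing one organisation's policy export.

```python
"""Segmentation invariant check over a constructed flow allow-list.

Added example, not part of the original article. Zones, flows and the
invariants are assumptions standing in for a firewall policy export. It
flags individual flows that break the separation the text calls for and
also computes which zones a segment can reach transitively, which is the
view that matters for containment.
"""
from collections import deque

# Constructed allow-list: (source_zone, destination_zone, service).
ALLOWED_FLOWS = [
    ("workstations", "app_servers", "https"),
    ("workstations", "backup", "smb"),        # breaks backup isolation
    ("admin_jump", "app_servers", "ssh"),
    ("admin_jump", "backup", "ssh"),
    ("app_servers", "db_servers", "postgres"),
    ("workstations", "app_servers", "ssh"),   # admin protocol from user segment
    ("app_servers", "db_servers", "rdp"),     # admin protocol from server segment
]

ADMIN_SERVICES = {"ssh", "rdp", "winrm"}       # assumed set of admin protocols
ADMIN_ZONES = {"admin_jump"}                   # only these may originate them
BACKUP_ZONE = "backup"
BACKUP_SOURCES = {"admin_jump", "backup_server"}  # only these may reach backups


def check_segmentation(flows):
    """Return a list of (invariant, flow) violations.

    1. backup_isolation: only designated sources may reach the backup zone.
    2. admin_path: admin services may only originate from admin zones.
    3. workstation_to_db: user segments never talk directly to databases.
    """
    violations = []
    for flow in flows:
        src, dst, svc = flow
        if dst == BACKUP_ZONE and src not in BACKUP_SOURCES:
            violations.append(("backup_isolation", flow))
        if svc in ADMIN_SERVICES and src not in ADMIN_ZONES:
            violations.append(("admin_path", flow))
        if src == "workstations" and dst == "db_servers":
            violations.append(("workstation_to_db", flow))
    return violations


def reachable_zones(flows, start):
    """Zones reachable from `start` through any chain of allowed flows."""
    edges = {}
    for src, dst, _ in flows:
        edges.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in edges.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for rule, flow in check_segmentation(ALLOWED_FLOWS):
        print(f"{rule}: {flow}")
    print("reachable from workstations:", sorted(reachable_zones(ALLOWED_FLOWS, "workstations")))
```

On the constructed policy the check finds three violations and shows that the workstation segment can transitively reach the database and backup zones, which is exactly the flat-network condition the text describes. Tightening the allow-list and re-running it until both the violation list is empty and the reachable set shrinks to what the design intends is the practical form of the segmentation expectation.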
Weak Incident Response Preparedness
NIS2 requires structured incident response capabilities, including forensic readiness, early threat detection mechanisms, recovery procedures and scenario testing. Many organizations have incident response plans on paper but lack the technical capabilities to execute them.
Frequent issues include the absence of centralized event visibility, missing playbooks, untested backups, no integrity checks and no tooling for rapid forensic collection. When an incident occurs, the organization is unable to respond within the timelines mandated by Article 23.
Occasional Instead of Continuous Vulnerability Management
Vulnerabilities do not follow audit cycles, yet many organizations perform scans only once or twice a year. NIS2 explicitly requires vulnerability management as a continuous process. Without authenticated scanning, post-patch verification and real-time monitoring of emerging vulnerabilities, organizations remain exposed.
Reports often pile up without prioritization, leaving critical findings unresolved for extended periods.
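The asset inventory section above and this vulnerability management section describe two halves of one problem: findings cannot be prioritised without knowing what the affected host is, and a scan that finds hosts the inventory does not know about is itself an inventory finding. The Python below is an added example for this article, not the author's code or a standard; the inventory, scanner output, scoring weights, tiers and SLA days are constructed assumptions.

```python
"""Risk-based prioritisation of scan findings against an asset inventory.

Added example, not part of the original article. Inventory, findings,
weights and SLA days are constructed assumptions. Each finding is joined
to the inventory so that findings on unknown hosts surface as inventory
gaps, and the rest are ordered by exposure and criticality rather than by
raw CVSS alone. A rescan comparison closes findings only when they are
absent from the post-patch scan.
"""
from datetime import date, timedelta

# Constructed inventory: host -> attributes an organisation would record.
INVENTORY = {
    "web01": {"internet_facing": True, "criticality": "high", "owner": "platform"},
    "erp01": {"internet_facing": False, "criticality": "high", "owner": "finance"},
    "kiosk03": {"internet_facing": False, "criticality": "low", "owner": "facilities"},
}

# Constructed scanner output: (host, finding id, CVSS base score, exploit known).
FINDINGS = [
    ("web01", "FINDING-A", 7.5, True),
    ("erp01", "FINDING-B", 9.8, False),
    ("kiosk03", "FINDING-C", 9.1, False),
    ("legacy07", "FINDING-D", 6.5, False),   # host absent from the inventory
]

SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}     # assumed remediation deadlines


def score(finding, asset):
    """CVSS adjusted by context. Weights are assumptions, not a standard."""
    _, _, cvss, exploit_known = finding
    s = cvss
    if asset["internet_facing"]:
        s += 2.0
    if exploit_known:
        s += 2.0
    if asset["criticality"] == "high":
        s += 1.0
    elif asset["criticality"] == "low":
        s -= 1.0
    return s


def tier(s):
    if s >= 10.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    return "P3"


def prioritise(findings, inventory, today):
    """Return (ranked findings with owner and due date, findings on unknown hosts)."""
    ranked, unknown = [], []
    for f in findings:
        asset = inventory.get(f[0])
        if asset is None:
            unknown.append(f)          # inventory gap, not just a vulnerability
            continue
        s = score(f, asset)
        t = tier(s)
        ranked.append({"host": f[0], "id": f[1], "score": s, "tier": t,
                       "owner": asset["owner"],
                       "due": today + timedelta(days=SLA_DAYS[t])})
    ranked.sort(key=lambda r: -r["score"])
    return ranked, unknown


def verify_remediation(previous, rescan):
    """Post-patch verification: a finding is closed only if the rescan no longer reports it."""
    prev_ids = {(f[0], f[1]) for f in previous}
    still_open = {(f[0], f[1]) for f in rescan} & prev_ids
    return sorted(prev_ids - still_open), sorted(still_open)


if __name__ == "__main__":
    ranked, unknown = prioritise(FINDINGS, INVENTORY, date(2024, 3, 1))
    for r in ranked:
        print(f"{r['tier']} {r['host']} {r['id']} score={r['score']} owner={r['owner']} due={r['due']}")
    print("unknown hosts:", [f[0] for f in unknown])
```

By CVSS alone the constructed findings would be worked in the order erp01, kiosk03, web01. With exposure and a known exploit taken into account the Internet-facing web server moves to the top with a seven-day deadline, the kiosk drops to a thirty-day tier, and the unknown host is routed to the inventory owner rather than silently patched, which is the prioritisation the text says is usually missing.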
Overemphasis on User Training Instead of Technical Foundations
User awareness is important, but it cannot compensate for an inadequate technical architecture, poor configuration or missing monitoring capabilities. Some organizations invest heavily in training while leaving the core infrastructure unchanged and vulnerable.
If architecture, administration and monitoring are not adequately implemented, even highly aware users cannot prevent system-wide compromise.
NIS2 is not merely another regulatory requirement but also an opportunity to modernize infrastructure, strengthen operational resilience and introduce structure into security processes. Organizations that start early gain clarity, reduce pressure and avoid last-minute remediation. Those that delay often face simultaneous technical and organizational challenges.
If you need a quiet, structured and practical approach to assessing your security posture or planning your next steps, AresISEC can support you throughout the preparation process. NIS2 may be demanding, but it is also a chance to align security with real operational risks.
Sources:
EUR-Lex – NIS2 Directive (EU) 2022/2555
European Commission – NIS2 Directive Overview
ENISA – NIS Investigation and Guidance
ENISA – Security Measures Under NIS2
European Commission – Digital Strategy: Cybersecurity