CyberSecUpdate #15 – NIS2: from audit to implementation
Quo Vadis NIS2? Or: what needs to be done to get it right (implementation and compliance)?
Just as the Apostle Peter asked about the right path, the management teams of organisations covered by NIS2 face the same question today. The answer – fortunately – is far less dramatic.
From audit to plan – a roadmap to compliance (NIS2 implementation plan)
Continuing the thread from CyberSecUpdate #14, the first step is to translate the results of the vulnerability audit into a concrete implementation plan: define the scope of the system, designate process and asset owners, adopt security policies, and define criteria for acceptable risk and assess that risk in the context of the specific organisation’s operations. Such a NIS2 implementation plan should include a schedule of activities aligned with statutory deadlines (in accordance with national legislation transposing the Directive) – and let us recall: these deadlines began on 3 April 2026.
Implementation: priorities and documentation (NIS2 technical and organisational measures)
A plan structured in this way should be implemented by putting in place priority technical and organisational measures, focusing on those areas that the audit identified as critical to business continuity: access control, network segmentation, backup and recovery mechanisms, incident monitoring and detection, and response procedures. Implementation should be documented, and the effectiveness of each measure tracked using simple, quantifiable indicators – enabling ongoing progress assessment and decision-making, including in the context of NIS2 compliance.
Don’t forget the formalities!
Your organisation must formally approve the security policy, appoint responsible persons and incorporate the topic into corporate reporting cycles. Staff training and practical simulation exercises should confirm operational readiness, whilst incident reporting procedures should ensure rapid and legally compliant NIS2 incident reporting to the relevant authorities.
Compliance is a marathon, not a sprint (maintaining compliance with NIS2)
When planning and selecting measures, remember that system implementation is a phased process. A gap analysis and initial implementations lay the foundations, but compliance requires monitoring, periodic reviews and updates in response to technological, organisational and regulatory changes. By treating these activities as an investment in operational resilience, your organisation minimises the risk of penalties for non-compliance, but – more importantly – safeguards business continuity and ensures effective cybersecurity.
“Investing in procedures today means security tomorrow.”
We have already touched upon how we can help your organisation in CyberSec #9. I also encourage you to read the published and upcoming posts in the CyberSecUpdate series on KWKR – we will guide you step by step through the full implementation of NIS2 and the practical requirements set out in the NIS2 Directive. What can we expect in the next episode? Stay tuned.