NIS2 Strategic Series (1/5): Why NIS2 Is Not a Compliance Exercise — It Is a Security Strategy Decision

The Framing Error That Determines the Outcome

How an organisation frames its NIS2 programme determines what it gets from it. Organisations that frame NIS2 as a compliance exercise will produce compliance documentation. Organisations that frame it as a security strategy forcing function will produce improved security posture, and the compliance documentation follows naturally from that posture.

The difference is not semantic. It determines who leads the programme, what gets funded, what gets measured, and what the organisation looks like when the October 2024 transposition deadline passes. A compliance-framed programme is led by legal and risk teams, funded from the compliance budget, measured against documentation completeness, and produces policies and process descriptions that may or may not reflect operational security reality. A security strategy-framed programme is co-led by the CISO and the CTO, funded from the security investment budget, measured against security posture improvement and risk reduction, and produces operational changes that satisfy the compliance requirements as a by-product of being genuinely more secure.

The good news is that NIS2 is written to reward the second framing. Its minimum measures under Article 21 are not a documentation checklist. They are an operational security capability specification that describes what an organisation that genuinely manages cyber risk looks like. An organisation that genuinely has those capabilities satisfies NIS2. An organisation that has documentation describing those capabilities may or may not.

What NIS2 Is Actually Asking For

The Article 21 minimum measures read as an integrated security programme, not as an isolated compliance requirement. Risk analysis and information system security policies are the foundational governance layer. Incident handling is the operational response capability. Business continuity, backup, and disaster recovery address operational resilience. Supply chain security addresses the third-party risk that most enterprise security programmes underinvest in. Policies on the use of cryptography and encryption address a technical hygiene requirement with broad applicability. Cyber hygiene practices and training address the human and process elements. Multi-factor authentication and access control address identity and access management. And network security and software security policies address the technical architecture layer.

Reading these measures as a list misses the point. Reading them as a description of what a mature security programme looks like reveals them as the investment roadmap that good security practice has always demanded but budget cycles and competing priorities have consistently deferred.

This is why NIS2 is most usefully understood as a forcing function. The regulation provides the external pressure that justifies the security investment that the organisation’s internal security programme has been unable to secure through the business case alone. The CISO who has been unable to fund incident response capability improvement or supply chain security assessment can now point to a regulatory requirement that carries board-level accountability and enforcement consequences.

The Board Accountability That Changes the Dynamic

Article 20 of NIS2 makes senior management personally accountable for cybersecurity risk management. This is the provision that most compliance programmes underweight and that most security leaders underuse.

The personal accountability provision means that the CIO, CISO, and members of the management body responsible for cybersecurity oversight cannot delegate NIS2 compliance to IT and legal and consider their obligation discharged. They must approve cybersecurity risk management measures, oversee their implementation, and be prepared to demonstrate that oversight to regulators. The enforcement mechanism for Article 20 violations includes suspension from management positions in repeated non-compliance cases.

This changes the dynamic in a way that no internal business case can replicate. Security investment decisions that require board approval are different decisions when board members have personal liability exposure for inadequate security posture. The CIO who has been unable to secure budget for incident detection capability can now frame the conversation around the board’s personal exposure under Article 20 rather than around the organisation’s security risk appetite.

The shift from risk conversation to accountability conversation is not manipulation. It is accurate. NIS2 makes senior management accountable for security outcomes in a way that creates a genuine alignment of interests between technology leaders seeking security investment and executives who previously experienced security investment requests as cost centre arguments.

Reframing the NIS2 Programme

The practical consequence of the security strategy framing is a programme design that starts with the security posture assessment rather than the compliance gap analysis. The question is not “where do we have documentation gaps relative to NIS2 requirements?” It is “where does our security programme have genuine capability gaps relative to the threats we face, and how do NIS2 requirements map onto those capability priorities?”

The posture assessment that drives this programme is a security maturity assessment across the Article 21 minimum measures, conducted by the security team rather than by the legal team, and using operational evidence rather than documentation review as the basis for assessment. Can we detect a significant network intrusion within the time frames that Article 23 incident reporting requires? Do we have tested recovery procedures that would meet Article 21’s business continuity requirements? Is our supply chain security assessment process operating at the scale and quality that Article 21’s supply chain measures require?

The answers to these questions, expressed in operational terms, are the investment priorities for the NIS2 programme. The compliance documentation that satisfies the audit follows from the operational improvements rather than preceding them.

Setting Up the Series

This first article in a five-part NIS2 series establishes the frame. NIS2 is not a compliance exercise; it is a security investment opportunity with a regulatory deadline and board-level accountability attached to it.

The following articles in this series examine the regulatory landscape that organisations must navigate, including the interaction of NIS2 with DORA, the EU AI Act, and the CER Directive. They examine the board accountability obligations of Article 20 in operational detail. They translate the Article 21 minimum measures into an operational compliance framework with specific assessment criteria. And they address the supply chain security obligation, which represents the most significant and least-prepared-for element of NIS2 for most European enterprises.

The October 2024 transposition deadline is approaching. The organisations that will be ready are the ones that started with the right framing.