{"id":165,"date":"2025-10-31T11:05:00","date_gmt":"2025-10-31T11:05:00","guid":{"rendered":"https:\/\/baecke.io\/?p=165"},"modified":"2025-10-31T11:05:00","modified_gmt":"2025-10-31T11:05:00","slug":"nis2-one-year-on-what-changed-european-cybersecurity","status":"publish","type":"post","link":"https:\/\/baecke.io\/?p=165","title":{"rendered":"NIS2 One Year On: What Has Actually Changed in European Enterprise Cybersecurity Posture"},"content":{"rendered":"<h2>The Year That Has Passed<\/h2>\n<p>October 2024 was the national implementation deadline for the NIS2 Directive. One year on, the European enterprise cybersecurity landscape has changed in measurable ways. It has also not changed in ways that compliance programme reporting might suggest. The gap between these two observations is where the honest assessment of NIS2&#8217;s first year is located.<\/p>\n<p>The assessment that follows is based on observable patterns from enterprise security programmes, enforcement signals from national competent authorities, and the evolving understanding of where the compliance investment has produced genuine security improvement versus compliance documentation. It is an honest reading, not an optimistic one.<\/p>\n<h2>What Has Genuinely Changed<\/h2>\n<p>Board-level engagement with cybersecurity is the most consistent positive change attributable to NIS2. The management body obligations in article 20, combined with the personal liability provisions that received significant legal attention in the second half of 2024, have produced a level of board engagement with cybersecurity governance that was not present before NIS2. Board members who had delegated cybersecurity governance entirely to the CISO are engaged in oversight functions that the directive requires of them personally.<\/p>\n<p>The quality of this engagement varies significantly. 
The boards that have moved from quarterly security update slides to genuine oversight of the security risk management framework are in a qualitatively different position from those that have added a board-level security briefing to their existing governance calendar. The difference is visible in the depth of the questions board members ask and in the accountability they exercise over the security programme&#8217;s performance against its risk management objectives.<\/p>\n<p>Incident classification and reporting capabilities have improved in the organisations that treated the NIS2 reporting requirements as an operational capability development objective rather than a documentation compliance exercise. The 24-hour initial notification requirement forced these organisations to design and test incident classification processes that can identify a significant incident within the timeframe the directive requires. The exercise of designing and testing this capability produced improvements in incident response that have value independent of the regulatory reporting requirement.<\/p>\n<p>Supply chain security attention has increased significantly, with a notable improvement in the visibility that covered entities have into their third-party ICT service provider relationships. The comprehensive ICT supplier register that NIS2 required many organisations to build from scratch has produced better vendor management discipline than existed before. For some organisations, the registry has become the foundation for a vendor risk management programme that is substantively more mature than the pre-NIS2 state.<\/p>\n<h2>What Has Not Materially Changed<\/h2>\n<p>The technical security controls implementation gap is the most concerning finding from the first year. NIS2 article 21 specifies a set of technical and organisational measures that covered entities must implement. 
These include network and information systems security measures, cryptography controls, access control and multi-factor authentication, and supply chain security measures. The policy frameworks describing these measures exist in most covered entities. The implementation maturity of the actual controls is, in a significant proportion of covered entities, lower than the policy frameworks suggest.<\/p>\n<p>The gap between policy and implementation is not unique to NIS2; it characterises most enterprise security governance programmes. What NIS2 has done is make this gap more visible through the conformity assessment process and the supervisory engagement that follows it. The organisations that have used NIS2 to close this gap, rather than to document it, are in a materially different security posture than those that have produced compliance documentation without the corresponding control implementation.<\/p>\n<p>The supply chain security programme depth remains insufficient in most organisations. The register of third-party ICT suppliers is built. The enhanced due diligence on the most critical suppliers has been performed. But the ongoing monitoring of supplier security posture, the contractual provisions that provide audit rights and incident notification obligations, and the supply chain incident response planning for scenarios where a critical supplier has a significant incident, are not present at the required maturity level in most covered entities.<\/p>\n<p>The TLPT programme is behind schedule across the European financial services sector and across the wider NIS2 covered population. Threat-led penetration testing requires infrastructure, expertise, and coordination with national competent authorities that take significantly longer to establish than compliance programme plans typically allowed for. 
Most organisations that were in scope for TLPT in the first year of NIS2&#8217;s application have not yet completed a TLPT engagement.<\/p>\n<h2>The Enforcement Signals That Indicate Priority<\/h2>\n<p>National competent authorities across EU member states have begun issuing their first enforcement actions under NIS2, and the early cases reveal supervisory priorities that organisations should take into account when assessing their compliance exposure.<\/p>\n<p>The early enforcement actions are concentrated in three areas: inadequate incident reporting (failures to notify within the required timeframe or failures to provide adequate information in the notification), significant cybersecurity control deficiencies identified during supervisory assessments, and management body engagement failures where the evidence of genuine board oversight is absent.<\/p>\n<p>The fine amounts in the early cases are not at the upper end of the NIS2 penalty framework, but the precedent they set is more significant than the individual amounts. The precedent establishes that enforcement is operational, that the covered entities receiving enforcement actions include respected organisations rather than exclusively outliers, and that the defence that &#8220;NIS2 is new and compliance takes time&#8221; is not sufficient to avoid enforcement where the gap is material.<\/p>\n<h2>The Assessment That Matters Now<\/h2>\n<p>The honest assessment for covered entities one year into NIS2 is: are you in a better security position than you were a year ago, and is that improvement genuine or documentary?<\/p>\n<p>The organisations in a genuinely better security position have made real improvements to their incident response capability, their board oversight processes, their supply chain visibility, and their technical control implementation. 
These improvements have value independent of NIS2 compliance, because they reduce the actual security risk that NIS2 was designed to address.<\/p>\n<p>The organisations in a better documented security position have produced compliance documentation that represents their compliance programme accurately but that sits ahead of the operational implementation it describes. This position has regulatory risk that will surface through supervisory engagement.<\/p>\n<p>The path from the second position to the first is the priority for the next twelve months. The supervisory community has given covered entities the benefit of programme time. That benefit is not indefinite.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One year after NIS2&#8217;s national implementation deadline, it is possible to make an evidence-based assessment of what has actually changed in European enterprise cybersecurity posture \u2014 and what has not.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-165","post","type-post","status-publish","format-standard","hentry","category-executive-briefings"],"_links":{"self":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=165"}],"version-history":[{"count":0,"href":"https:\/\/baecke.io\/index.php?rest_route=\/wp\/v2\/posts\/165\/revisions"}],"wp:attachment":[{"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/baecke.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}