In practice, we see that many organisations are confident about their cybersecurity posture. They often feel they are “doing reasonably well”: there is a firewall in place, backups are running, and an IT service provider is responsible for day-to-day operations.
Despite this overall confidence, compliance with the NIS2 requirements is frequently not where it should be. The situation is comparable to someone who considers themselves healthy but never undergoes a thorough medical check-up. If nothing seems wrong, everything appears to be under control … until a problem suddenly emerges.
The purpose of the NIS2 directive is to ensure a higher and more consistent level of cybersecurity across the European Union. It places strong emphasis on digital resilience and business continuity for essential and important entities, so they are better prepared to withstand cyber incidents and external attacks.
In this article, we highlight three clear signs that indicate that your organisation is not compliant with NIS2. Do one or more of these sound familiar? Then it is time to act.
What does “being NIS2-compliant” actually mean for your organisation?
NIS2 is not only about improving resilience, but also about control and the ability to demonstrate that resilience. Can you prove that you understand your risks? Who is accountable when things go wrong? Which decisions are taken, and by whom? How are incidents handled in practice?
In theory, these questions seem quite straightforward. In reality, however, we consistently observe three recurring signals that show organisations are not yet NIS2 compliant.
1st sign: cybersecurity is treated as an IT issue, not a management responsibility
One of the most obvious signs of non-compliance appears when cybersecurity is fully delegated to the IT department. IT manages the technical controls, applies updates, and responds to incidents, while executive management and senior leadership keep their distance. Cybersecurity is viewed as a technical matter rather than a strategic responsibility.
Under NIS2, this is no longer sufficient. The directive explicitly states that an organisation’s board is responsible for overseeing cyber risks, approving security measures, and supervising their implementation. Executive leadership must also possess sufficient knowledge to fulfil this role effectively.
Cybersecurity has therefore moved beyond an operational concern and is now firmly on the agenda of the board.
How do you recognise this in practice?
Does cybersecurity feature regularly on the board’s agenda? Are cyber risks formally discussed and documented? Is there a record of who has accepted certain risks, and why? If a serious incident were to occur tomorrow, would it be clear who holds ultimate responsibility? Does the board know which critical processes depend on which systems, and what impact a disruption would have on the organisation?
Besides governance structures, awareness is also a clear indicator: do board members receive targeted training on cyber threats and their role under NIS2? Or does knowledge remain concentrated primarily within IT?
When these questions are difficult to answer, this points to a structural governance gap, and therefore to an increased risk of non-compliance.
What does NIS2 require here?
To comply with NIS2, cybersecurity must be discussed at management level. This means leadership must not only be informed, but actively involved in approving security measures, setting priorities, and monitoring risks. Cybersecurity must be embedded in strategic decision-making alongside financial and operational risks.
Responsibilities must also be clearly defined and formally documented. Who makes which decisions? Who accepts specific risks? Who oversees implementation?
The directive further stresses that executives must have adequate knowledge to perform their duties. This requires targeted training and awareness initiatives, so decisions are not blindly delegated to IT.
Finally, this is also about demonstrability. Risk discussions, decisions, and follow-up must be visible and traceable. Without a solid governance structure, compliance remains fragile.
2nd sign: there is no structured and demonstrable risk management process
NIS2 is built on a fundamental principle: you cannot manage risks unless you understand them.
In an organisation that is not yet compliant with NIS2, there is no clear and up-to-date overview of information security risks. A central risk register is missing, risk assessments are inconsistent, and priorities are set based on intuition or urgency rather than impact and likelihood. This inevitably leads to problems.
NIS2 explicitly requires a risk-based approach. This means systematically identifying critical processes and systems, the threats they face, and the measures needed to ensure continuity.
It is not enough to take action: you must also be able to explain why certain choices were made. Why was a specific risk accepted? Why was another treated as a priority? Who made that decision?
If risk analysis is a one-off exercise or a document that is not actively maintained, the organisation does not meet NIS2 requirements.
Additional point of attention: supply chain security
Under NIS2, responsibility does not stop at the boundaries of your own organisation.
The directive clearly states that supply chain risks must be included in your risk analysis. In other words, if a supplier or IT partner suffers a cyber incident that affects your services, it is still your responsibility.
Supplier selection is often driven by cost, availability, and functionality. If cybersecurity measures and/or certifications are not an integral part of that decision-making process, this is a strong indication of non-compliance with NIS2.
NIS2 requires a solid understanding of third-party risks. You need to know which suppliers have access to critical systems, what dependencies exist, and what the potential impact of a disruption on their side would be for your organisation.
Supply chain security is therefore not an add-on, but an essential component of effective risk management.
Learn more about Supply Chain Security?
In our eBook on supply chain attacks, we explain in practical terms how to identify and manage these risks in the context of NIS2.
Common red flags
How can you tell if your risk management lacks structure? These are some typical warning signs:
- There is no central, up-to-date risk register. Risks are scattered across documents or reside in people’s heads.
- The last risk assessment dates back several years and is not reviewed systematically.
- Critical processes and systems essential for business continuity are not clearly identified.
- Risk assessments are mainly performed after incidents, rather than proactively.
- Suppliers are not structurally assessed on their cybersecurity measures.
- There is no clear link between identified risks and concrete action plans.
Any single one of these may be coincidental. When several are present, however, it usually indicates the absence of a mature and demonstrable risk approach, and therefore an increased risk of non-compliance with NIS2.
3rd sign: incidents are not detected, recorded, or reported in a timely manner
Even organisations with solid security controls can fail when an incident occurs.
NIS2 introduces clear obligations regarding incident management. The goal is not only to limit damage, but also to ensure timely detection, proper documentation, and, where required, notification to the competent authority.
This requires a well-defined process. Without a formal incident response plan, employees do not know what qualifies as a significant incident. Escalation paths are unclear, and notification deadlines are not embedded in operational workflows.
Does this sound familiar? Then this too is a strong indicator of NIS2 non-compliance.
The directive imposes strict reporting timelines. This means you must be able to quickly assess an incident’s impact, identify who needs to be involved, and determine what information must be communicated. Without predefined procedures, this is extremely difficult in practice.
Incident management is therefore not just about reacting: it is about preparation, clear allocation of responsibilities, and thorough documentation.
What does NIS2 require for incident notification?
NIS2 sets out explicit obligations in the event of a significant cyber incident.
Organisations must notify significant incidents to the competent authority within strict deadlines. This requires the ability to rapidly assess whether an incident is reportable, understand its impact on services, and compile the required information.
This demands preparation. You must define in advance:
- When an incident is considered “significant”;
- Who triggers internal escalation;
- Who performs the impact analysis;
- Who is responsible for formal notification.
In addition, NIS2 requires incidents not only to be resolved, but also documented and reviewed. What happened? What was the impact? What measures are being taken to prevent recurrence?
Unsure about your NIS2 compliance? Here is the next step
We repeat it often, but cybersecurity is not something you “get done” once. It is a continuous process of monitoring, improvement and evaluation.
Do you recognise one or more of the signals described above? There is no need to panic, but it is time to take structured action.
The first step is gaining clarity. Where do you stand today? Which risks have already been identified? Where are the main gaps? And which issues should be addressed first?
A maturity assessment or targeted gap analysis can provide that clarity. The goal is not to create unnecessary work, but to establish direction and a clear starting point. Perfection does not exist, but if you can demonstrate that you are actively working on governance, risk management, and oversight, you remain in control.
Want to understand where your organisation stands today?
Schedule a free consultation with our experts and gain clear insight into your current maturity level and your NIS2 obligations.