NIS2 beyond the hype

Making Cybersecurity manageable (and demonstrable)

For many SMEs, NIS 2 feels like yet another compliance exercise. In reality, the directive is about something far simpler: can you demonstrate that you know, manage, and monitor the cyber risks within your organisation?

NIS 2 expects clear accountability at board level, prompt incident reporting, and demonstrable effectiveness of your security measures. Not a folder full of documents nobody uses, but a workable process embedded in the organisation.

This article summarises a webinar in which Cingulum, Nomios, and Refracted Security joined forces to address the six core functions of NIS 2: Governance, Identify, Protect, Detect, Respond, and Recover.

1. Governance: Cybersecurity becomes a board responsibility

The most significant shift from the traditional security approach is that cyber security is no longer purely an IT matter. NIS 2 expects board-level involvement in risk decisions, priorities, budgets, and oversight. Board members do not need to become technical experts, but they must take ownership of the organisation’s risk appetite.

Incident reporting also becomes a formal obligation. For serious incidents, fixed reporting timelines apply: an initial warning within 24 hours, a formal notification within 72 hours, and a final report within one month, including root causes and corrective measures. That means detection, escalation, and communication must be organised in advance.

Paper-based compliance is no longer sufficient. ISO 27001 or CyberFundamentals provides a strong policy framework, but NIS 2 focuses primarily on demonstrable effectiveness. Organisations must be able to show that risks are actively monitored, measures are working, and incidents are tested and evaluated.

SMEs, often working with limited budgets and small teams, ask: “Is this not too heavy a burden? Do I need to build a risk framework? Does everything need to be documented?” The good news: governance does not need to be complicated.

The most practical approach is to establish a governance rhythm that suits the pace of an SME: not an annual management review where everything is addressed at once, but a monthly 45-minute meeting where decisions and follow-up become routine.

To make that rhythm work, it helps to distribute responsibilities clearly. A workable structure for SMEs operates across three lines:

In this way, information security is no longer solely an IT responsibility. Business processes share accountability, and that is exactly what NIS 2 expects.

2. Identify & Protect: Secure what you know

You cannot protect what you do not know. Yet many SMEs still have unknown devices, inactive accounts, default passwords, or forgotten external access points. One organisation, for instance, discovered more than 4,500 connected devices when they believed they had approximately 1,500. The issue lies not just in the number of systems, but in uncontrolled access.

A sound approach therefore starts with visibility. Organisations need to know which servers, workstations, printers, IoT devices, external services, and accounts are active, and what impact an incident could have on each.

From there, access management becomes central. Identity and Access Management remains one of the most important baseline measures under NIS 2. Unique accounts, proper onboarding and offboarding, automatic removal of access rights, and MFA wherever possible are no longer optional extras; they are minimum expectations.

Administrator access deserves particular attention. Admin accounts are often the fastest route to a fully compromised environment. NIS 2 therefore expects organisations to eliminate shared admin accounts, work with temporary access, log all management sessions, and restrict external access to specific applications only.

3. Detect, Respond & Recover: Not just seeing, but acting and recovering

Detection without follow-up has limited value. On average, an attacker is present in an organisation’s systems for around 200 days before striking. In many cases, signals are visible, but they simply are not correctly interpreted or acted upon. Think of log files no one reviews, phishing incidents that go unreported, or ransomware that remains active and undetected for weeks.

Traditional antivirus software alone is no longer enough. EDR and behavioural analysis make it possible to identify suspicious processes, unusual communication patterns, and abnormal activity more quickly, and to isolate systems automatically when needed.

That said, you only know whether your detection and response capabilities truly work when you test them. Penetration tests reveal which vulnerabilities can realistically be exploited, while cyber resilience tests examine how quickly an organisation detects an attack and how procedures hold up under pressure. For many SMEs, an external Managed SOC is the most practical way to organise continuous, round-the-clock monitoring and triage.

The difference between a manageable incident and a crisis usually comes down to preparation, not technology. Strong response processes ensure that incidents are analysed, contained, and followed up before the impact escalates.

NIS 2 also requires attention to recovery capacity. Recovery means restoring systems and processes in a controlled manner, using reliable, tested backups and clear business continuity processes. A backup that has never been tested is not a recovery strategy.

The reporting obligation also requires preparation. Organisations must know in advance which systems could be affected, who communicates externally, how information is gathered, and what legal communications may be required. Tabletop exercises and crisis management simulations remain essential for exactly this reason. A plan that has never been tested is not a plan.

4. What can you do right now?

You do not need to solve everything at once. The key is prioritisation: address a limited number of risks with a focused set of measures, but with clear ownership and realistic deadlines.

  • Appoint one owner. Do not start with policy documents. Start with accountability. Without an owner, cyber security remains an IT problem. With one, it becomes a manageable business risk.
  • Draw up a short list of critical processes and assets. Limit yourself to 3 to 5 critical processes and 5 to 10 key suppliers.
  • Enable MFA wherever possible. Multi-factor authentication significantly reduces the risk of compromised credentials.
  • Review old and unused accounts. Focus on legacy accounts, former employees, shared accounts, and unmonitored administrator access.
  • Restrict and log external access. Avoid network-level access. Work at application level and log everything.
  • Enable logging, monitoring, and EDR, but link these to a procedure. Someone must be responsible for acting on the output.
  • Test your detection and response capabilities. Start small with a penetration test or tabletop exercise, then scale towards a cyber resilience test or Managed SOC.
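The account checks behind “review old and unused accounts” and the admin-access expectations from section 2 (no shared admin accounts, MFA on privileged access) can be turned into a repeatable review rather than a one-off clean-up. The script below is an added example written for this article; it is not tooling from the webinar or from Cingulum, Nomios or Refracted Security. The inventory fields, the 90-day inactivity threshold and the sample accounts are all assumptions, constructed so the script runs offline; in practice the list would be exported from the directory or identity provider.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed threshold: an account unused for more than this many days is flagged.
INACTIVE_DAYS = 90


@dataclass
class Account:
    user: str
    role: str                    # "admin", "user" or "service"
    last_login: Optional[date]   # None if the account has never been used
    employee_active: bool        # False once the person has been offboarded
    shared: bool                 # True for generic accounts used by several people
    mfa: bool                    # True if multi-factor authentication is enforced


def review_accounts(accounts, today, inactive_days=INACTIVE_DAYS):
    """Return (user, finding) pairs for every account that fails a hygiene check.

    One account can produce several findings; each finding maps to one of the
    points raised in the article (former employees, inactive accounts, shared
    accounts, unmonitored or unprotected admin access).
    """
    findings = []
    for a in accounts:
        if not a.employee_active:
            findings.append((a.user, "former employee still enabled"))
        if a.last_login is None:
            findings.append((a.user, "never logged in"))
        elif (today - a.last_login).days > inactive_days:
            findings.append((a.user, f"inactive for more than {inactive_days} days"))
        if a.shared:
            findings.append((a.user, "shared account"))
        if a.role == "admin" and not a.mfa:
            findings.append((a.user, "admin account without MFA"))
    return findings


def summarise(findings):
    """Count findings per category, suitable for a monthly governance meeting."""
    counts = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample inventory (not real data) and a fixed review date so the
# output is reproducible.
REVIEW_DATE = date(2024, 9, 1)
SAMPLE = [
    Account("alice", "admin", date(2024, 8, 30), True, False, True),
    Account("bob", "user", date(2024, 3, 1), True, False, True),
    Account("carol", "user", date(2024, 8, 20), False, False, True),
    Account("it-admin", "admin", date(2024, 8, 31), True, True, False),
    Account("svc-backup", "service", None, True, False, False),
]

if __name__ == "__main__":
    results = review_accounts(SAMPLE, REVIEW_DATE)
    for user, finding in results:
        print(f"{user:12} {finding}")
    print(summarise(results))
```

Each finding is deliberately tied to a named owner action (disable, convert to personal accounts, enforce MFA), which is what turns the list into something the monthly 45-minute meeting can track rather than another report nobody reads. Service accounts that have never logged in are flagged as well, since they are easy to forget and often hold standing privileges.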

Start today. Prioritise, establish ownership, map your assets and access rights, and test your detection and response capabilities. That is how you move beyond theory and build cyber resilience that holds up when it truly matters.
