Cybervize - Cybersecurity Beratung
All articles

NIS-2 as a Tool Project: The Costliest Starting Mistake

Alexander Busse·March 2, 2026
NIS-2 as a Tool Project: The Costliest Starting Mistake

Starting NIS-2 as a tool project is the most common and costliest mistake. I encounter it at almost every other company approaching the directive for the first time.

The problem is not the tool itself. Tools can make sense. The problem is the sequence: if you buy a tool first and then try to establish ownership and prioritization afterwards, you've put the cart before the horse.

Why the Tool Purchase Happens First

The explanation is straightforward: tools are tangible. You can present them to management, take a screenshot, document a license. That feels like progress - and it isn't.

What lies beneath the tool purchase is often an avoidance move: the genuinely difficult questions are not asked. Who is responsible? What has priority? How much effort can realistically be absorbed internally?

These questions don't have comfortable answers. Responsibility means someone is named specifically. Priorities mean something else gets deprioritized. Effort means budgets and timelines must be made visible.

What Happens Without Structure

Without ownership, prioritization, and evidence structures, every NIS-2 project degrades into coordination loops and spreadsheets. The energy present at the start dissipates. Six months later, the company has a tool nobody uses properly and a compliance gap that has grown larger than before.

This is not an exception. It is the standard outcome when the tool precedes the operating model.

What Actually Works

Three elements must be in place before any tool purchase:

First: clear ownership. Not "essentially IT" or "everyone." One person who decides and is accountable.

Second: a roadmap executable in 30-60-90 days. Not an 18-month plan that ends up in a drawer. Concrete steps that are actually achievable internally.

Third: effort that fits into daily operations. NIS-2 is not a full-time project for most mid-sized companies. It must work alongside day-to-day business - or it won't work at all.

The Structured Entry Point

A structured NIS-2 assessment delivers exactly these three outputs: a current-state picture, a prioritized roadmap, ownership structures, and effort estimates. With a kick-off, questionnaire, two workshops, and a results presentation that management can actually act on.

Conclusion

Anyone serious about NIS-2 doesn't start with a tool. They start with the question: who owns this, what has priority, and what is realistic? Only after those questions are answered does a tool make sense.

Buying the tool first is not a sign of progress. It is a sign that the difficult questions haven't been asked yet.

Back to all articles

Related articles

The Executable NIS-2 Roadmap: Better Than the Most Beautiful Presentation

The best NIS-2 roadmap is not the most comprehensive or beautiful. It is the one that actually gets implemented. What this means in practice.

March 30, 2026

Looking for a NIS-2 Tool? Why an Operating Model Must Come Before Software

Many companies start their NIS-2 journey by searching for the right tool. But the foundation is often missing: a clear operating model with defined responsibilities and processes. Why getting the sequence right matters.

March 27, 2026

The Information Security Policy as Quick Win: Foundation for NIS-2 Compliance

Many companies keep postponing their information security policy. Yet it is the most important quick win on the path to NIS-2 compliance – when set up correctly.

March 25, 2026

Related services

NIS-2 & DORA Training

Executive training on NIS-2 and DORA regulatory requirements.

Learn more

Virtual CISO (vCISO)

Strategic security leadership at C-level, flexible and cost-effective.

Learn more

Cybersecurity Assessment

Comprehensive analysis of your IT security posture with actionable roadmap.

Learn more