NIS-2 Assessment: Why Tools Alone Are Not Enough

Why Many NIS-2 Initiatives Fail
The NIS-2 Directive presents medium-sized companies with new challenges. However, many projects start with a critical strategic error: they purchase a tool first and hope that ownership, prioritization, and evidence structures will emerge on their own.
In practice, this hope remains unfulfilled. Instead, uncoordinated siloed solutions often emerge, leaving it unclear who is responsible for what, which measures have priority, and how evidence can be provided to supervisory authorities.
The Tool-First Approach and Its Pitfalls
When companies begin their NIS-2 compliance journey by acquiring software, they overlook essential success factors:
Lack of Ownership: A tool cannot take responsibility. Without clear accountabilities, it remains unclear who implements, monitors, and documents measures.
Missing Prioritization: Software often displays hundreds of possible measures without distinguishing between critical and secondary requirements. Teams become overwhelmed and don't know where to start.
Unclear Evidence Structure: Supervisory authorities demand traceable documentation. A tool alone does not provide a meaningful evidence structure that will hold up in critical situations.
What Actually Works in Practice
Numerous projects in critical infrastructure, the energy sector, and finance reveal a clear success pattern:
Clear Responsibilities from Day 1
Successful NIS-2 implementations begin with defining roles and responsibilities. Who is the Information Security Officer (ISO)? Who coordinates implementation? Which departments are involved?
This clarity creates ownership and prevents important tasks from getting lost between departments. Each measure receives a concrete responsible person who handles implementation and documentation.
A Realistic 30-60-90 Day Roadmap
Instead of overwhelming annual plans, manageable milestone goals work better. A structured roadmap in three phases enables quick wins and continuous progress:
30 Days: Establish fundamental processes, such as incident reporting procedures with clear triggers, roles, and deadlines. The ISO takes responsibility, and initial exercise protocols document implementation.
60 Days: Implement advanced security measures, conduct risk assessments, and refine documentation structures.
90 Days: Create initial compliance evidence, conduct internal audits, and identify improvement opportunities.
Effort That Fits Into Daily Operations
Medium-sized companies don't have unlimited resources. Successful NIS-2 projects consider the organization's actual capacity.
Instead of perfectionist large-scale projects, pragmatic solutions are needed that integrate into existing workflows. Measures must be implementable without disrupting day-to-day business.
The Guided NIS-2 Assessment as a Solution
A structured assessment provides the ideal entry into NIS-2 compliance. The process follows a proven pattern:
Kick-off Workshop
At the beginning, objectives, scope, and responsibilities are clarified. All participants develop a shared understanding of requirements and project workflow.
Questionnaire in the Cybervize Platform
A structured questionnaire systematically captures the current state of information security. The platform enables efficient data collection and forms the basis for gap analysis.
Two Guided Workshops
In moderated workshops, results are analyzed, priorities are set, and concrete measures are defined. Each measure receives a responsible person, a timeframe, and an evidence structure.
Results Presentation with Roadmap
The outcome is a concrete, implementable roadmap. An example measure might look like this:
30 Days | Measure: Incident reporting process (triggers, roles, deadlines) | Owner: ISO | Evidence: Exercise protocol v1
This structure creates clarity, traceability, and certainty that each measure will actually be implemented.
Why Act Now?
The implementation deadlines for NIS-2 are approaching. Companies that start early have several advantages:
Time Buffer: Early implementation avoids last-minute rush and enables well-thought-out solutions.
Learning Effects: Initial implementation cycles show what works and where adjustments are needed. These experiences are valuable for continuous improvement.
Competitive Advantage: Companies that take information security seriously gain the trust of customers and business partners.
Practical Recommendations
For companies looking to tackle their NIS-2 compliance, the following steps are recommended:
- Assess Status Quo: Where does your organization currently stand regarding information security?
- Clarify Responsibilities: Who will assume the role of ISO? Which departments need to be involved?
- Create Realistic Roadmap: Which measures have priority? What is achievable in 30, 60, and 90 days?
- Build Evidence Structure: How do you document your measures so they are traceable to supervisory authorities?
- Leverage External Expertise: A guided assessment brings structure and experience and accelerates implementation.
Key Industries and Their Specific Challenges
Energy Sector: Energy companies face particular challenges due to their critical infrastructure status. Supply chain security and incident response capabilities are paramount.
Financial Services: Banks and financial institutions must balance NIS-2 requirements with existing regulatory frameworks like DORA and ensure seamless integration.
Critical Infrastructure (KRITIS): Organizations in healthcare, water, and transportation sectors require tailored approaches that consider their specific operational constraints.
Common Implementation Mistakes to Avoid
Beyond the tool-first approach, several other pitfalls can derail NIS-2 projects:
Underestimating Documentation Requirements: Compliance isn't just about implementing measures but proving you've done so effectively.
Ignoring Business Context: Security measures must align with business objectives and operational realities, not exist in isolation.
Lack of Executive Buy-in: Without leadership support, securing necessary resources and driving organizational change becomes nearly impossible.
One-and-Done Mentality: NIS-2 compliance is not a project with an end date but an ongoing process requiring continuous attention.
The Role of Continuous Improvement
Information security is not a static state but a continuous journey. After initial implementation, organizations must:
- Regularly review and update risk assessments
- Conduct periodic security exercises and simulations
- Stay informed about evolving threat landscapes
- Adapt measures based on lessons learned
- Maintain and update documentation
A structured assessment provides not just a starting point but a foundation for this ongoing process.
Conclusion: Structure Beats Software
NIS-2 compliance doesn't begin with a tool but with clear responsibilities, realistic planning, and implementable measures. A structured assessment provides the foundation for successful implementation.
Companies that act now gain a head start and avoid the stress of last-minute solutions. The investment in a thoughtful approach pays off in the form of legal certainty, more efficient processes, and strengthened trust.
If you want to approach your NIS-2 implementation in a structured manner, now is the right time for an initial consultation. Limited assessment slots are available starting April 13th.
