Cybervize - Cybersecurity Beratung

NIS-2 Delay: Why Waiting Costs More Than Starting

Alexander Busse · April 7, 2026

Three months ago, a managing director told me: "We're waiting to see how things develop." NIS-2 was still unclear, he said. He wanted to see what others would do. Last week he called back. Voice tense. "We need this now. Fast."

This call is not an isolated case. It is a pattern.

The Pattern That Repeats Every Regulatory Cycle

It was the same with GDPR. The same with ISO 27001. With every regulation that initially seemed unclear, there came a moment when waiting turned into an emergency.

The difference between January and April is not the regulation. The difference is resources. What would have been a calm start in January is now a firefight. Internal teams are booked through Q3. External capacity is scarce. Prices are rising.

Three Reasons Companies Wait

First: Uncertainty about their own obligation. Many companies simply do not know whether they fall under NIS-2. That uncertainty leads to passivity rather than a structured assessment.

Second: Overestimated complexity. NIS-2 compliance sounds like a massive project. In reality, the first step is small and clearly defined.

Third: Watching competitors. Companies wait to see what others do. But when everyone waits, no one gains an advantage and the deadline keeps moving closer.

What Makes the Mountain Bigger

The mountain does not get smaller by waiting. It grows.

Starting today allows for structured prioritization, a budget that builds incrementally, and clearly defined internal responsibilities. Starting in autumn means making decisions under time pressure, paying premium rates for external consultants, and making compromises that cause problems later.

On top of that: supervisory authorities are currently building their audit capacity. Companies still in their startup phase when the first enforcement actions arrive face a serious problem.

The First Step Takes Two Hours

An applicability assessment answers exactly one question: Does my company fall under NIS-2?

The answer depends on three factors: sector, company size, and the criticality of services provided. The BSI provides clear criteria. With a structured checklist, the assessment is done in two hours.

The outcome is binary: in scope or out of scope. Those out of scope can close the file. Those in scope now have a decision basis rather than a vague threat.

What Comes After the Applicability Assessment

Once applicability is confirmed, the gap assessment follows. It shows where the organization stands today and which of the 21 security measures under Article 21 NIS-2 are already met.

Prioritization Over Perfection

No company needs to implement all measures simultaneously. What matters is demonstrable, documented progress. Supervisory authorities do not expect perfection. They expect seriousness and a clear plan.

The difference between a company that meets 40 percent of requirements in October and can present a roadmap, versus a company that has not started at all, is significant from a regulatory perspective.

What to Do Now

Step one: conduct the applicability assessment. Two hours, clear result. Step two: commission or internally run a gap assessment. Step three: prioritize measure packages and assign owners.

This is not a marathon project. It is a sequence of manageable steps that feel far easier than the pressure of starting under time constraints in autumn.

The call I received last week is a forecast for many companies still waiting today. The mountain does not shrink on its own.