Cybervize - Cybersecurity Beratung

Starting NIS-2 Pragmatically: Why Parallel Workstreams Fail and What Helps Instead

Alexander Busse · March 23, 2026

Last week I sat in a NIS-2 kick-off. 12 people at the table, the agenda: implementation. After 20 minutes I had heard five workstreams, three tool preferences, and zero prioritization. The project manager said: "We just need to tackle everything at once." That is precisely the fastest way to fail at NIS-2.

This situation is not an isolated case. It repeats itself in numerous companies – and it is not a sign of engagement, but of missing structure. The desire to address everything simultaneously is understandable. But it almost always leads to the same outcome: a lot of activity, very little substance.

The Problem with the "Everything at Once" Approach

NIS-2 implementations with long timelines and multiple parallel workstreams fail for a structural reason: resources are limited. Teams are not exclusively occupied with NIS-2. Expertise is not evenly distributed across all topics. And priorities that are not set get set by day-to-day business.

The result after six months of parallel workstreams typically looks like this: little substance in any area, even less motivation among those involved, and a milestone plan that increasingly diverges from reality. The temptation to cut scope or extend the project is then great – but neither solves the underlying problem.

What Distinguishes a Pragmatic Start

A pragmatic NIS-2 start looks different. It begins with a structured as-is picture: what is actually in place? Where are the biggest gaps – and how significant are they relative to the effort required to close them? Only then are priorities set.

The pragmatic approach has four steps: creating an as-is picture (where do we actually stand?), setting priorities (which gaps carry the highest risk while remaining manageable in effort?), clarifying ownership (who is genuinely responsible – with mandate and capacity?), and planning effort realistically (what can we actually complete in the next three months?).

The Priority Filter as a Practical Tool

A proven practical tool for prioritization work is the priority filter: the top 10 gaps are identified, assessed by risk and effort, and from these the top 5 backlog items are derived with an owner and a first evidence date. This simple tool immediately creates the ability to act.

It prevents the common trap where many topics are on the agenda but none actually progresses. And it creates a foundation for regular reporting: we are working on these five topics, here is the status, here are the next steps.

Ownership and Capacity: The Underestimated Success Factors

Two factors are regularly underestimated in NIS-2 projects: ownership and capacity. Ownership does not just mean writing a name in a RACI matrix. It means a person has the mandate and decision-making authority to drive a topic forward – and has time for it.

Capacity is often the most honest conversation that needs to happen in the kick-off: how much time can the CISO, the IT manager, or the compliance officer realistically invest in NIS-2 topics – alongside their regular work? The answer to this question determines how ambitious the plan can realistically be.

Conclusion: Start Small, Finish Consistently

For mid-market companies that want to take NIS-2 seriously: it is better to fully complete three topics than to half-address ten. The first completed workstream creates credibility – internally and with regulators. It shows that the company does not just plan, but delivers.

A big bang approach is rarely the right path. Small, tangible steps with clear outcomes create the foundation for everything that follows. NIS-2 is a marathon – but it begins with the first well-placed step.