NIS2 and True Resilience: Why Compliance Alone Is Not Enough

Many companies approach NIS2 like a bureaucratic compliance exercise: check the boxes, create the documentation, pass the audit, done. But organizations that treat cybersecurity this way miss the actual purpose of the regulation. The second Cross-Border Cybersecurity Tour, held at East Side Fab in Saarbrücken, brought this discrepancy between compliance thinking and genuine resilience into sharp focus.
NIS2 as a Tick-Box Project: A Dangerous Misinterpretation
The EU's NIS2 Directive is the most comprehensive legislative cybersecurity requirement imposed on European companies and organizations to date. It requires organizations classified as essential or important entities to implement technical and organizational measures, incident management, business continuity planning, and a range of additional obligations. For many IT managers, NIS2 thus presents itself primarily as a compliance task: what must be demonstrated, and by when?
This view is dangerously shortsighted. A company that treats NIS2 exclusively as a documentation project may have fulfilled all requirements on paper after the audit – but achieved no meaningful improvement in its actual security posture. Compliance is not a shield against attackers. Certificates and reports do not stop ransomware.
The Cross-Border Tour: Exchange Across Borders
The Cross-Border Cybersecurity Tour brings together experts from various regions and countries to discuss the practical realities of cybersecurity. The second stop in Saarbrücken was guided by a clear principle: a functioning security operation is worth more than a perfect tool landscape or flawless policy documentation. What matters is the actual capacity to act when it counts.
The cross-border exchange – the event brings together participants from Germany, France, and the Saarland-Luxembourg triangle – sharpens awareness that cybersecurity is not a local problem. Attacks do not stop at national borders, and both NIS2 and DORA apply across Europe. This makes it all the more important to learn from each other and share best practices.
Compliance versus Resilience: What Makes the Difference
Compliance describes proof that certain requirements are met. Resilience describes the ability to detect, stop, withstand, and recover from attacks. Both matter, but compliance is not the same as resilience. A company can be compliant and still be incapacitated within hours of an attack – because no one knows how the incident response plan works in practice, because backups exist on paper but have never been tested, or because the security operations center exists in theory but is unstaffed at night and on weekends.
True resilience comes from regular exercises, tested and proven processes, clearly defined responsibilities, and a security culture that is practiced at all levels of the organization. It does not come from a completed audit.
What DORA Shows the Financial Sector
A look at DORA – the Digital Operational Resilience Act, which applies alongside NIS2 specifically to the financial sector – shows where things are headed. DORA explicitly requires operational resilience of digital systems: what is assessed is not only protection against attacks, but also the ability to keep operating during an attack and to recover fully afterward. Testing obligations for critical systems, requirements for third-party providers, and comprehensive documentation of dependencies are all part of the framework.
DORA anticipates what also holds true for NIS2: regulation alone is not enough. Legislators can define minimum standards, but the actual security work must be done within organizations themselves. The responsibility lies with management.
Recommendations for IT Decision-Makers
Organizations that view NIS2 as an opportunity rather than a burden can achieve real security gains through its implementation. In practice, this means establishing a regular incident response exercise cycle. Test your backups – not just whether they exist, but whether they can actually be restored in an emergency. Ensure your security organization is capable of acting around the clock, either internally or through a qualified external partner. Assess the security level of your third-party vendors, since attackers frequently exploit the weakest link in the chain.
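The difference between a backup that exists and a backup that can be restored is easy to state and easy to skip. As an added illustration (not code from the article or the event organizers), the following script runs a small restore drill: it fingerprints a constructed sample data set, backs it up, restores the archive into a clean directory, and compares the SHA-256 digest of every file. It assumes a tar.gz archive as the backup format; in a real drill the same check would be pointed at the organization's own backup system and a restore target that mirrors production.

```python
"""Backup restore drill: prove a backup can actually be restored.

Added illustration, not part of the original article. The point of the
drill is the comparison step: a restore that silently drops or corrupts
files is a paper backup, whatever the compliance report says.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_sample_data(root: Path) -> None:
    """Constructed sample 'production' data used only for the drill."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
    (root / "config").mkdir()
    (root / "config" / "app.yaml").write_text("retention_days: 30\n")
    (root / "README.txt").write_text("drill data set\n")


def create_backup(source: Path, archive: Path) -> None:
    """Archive each file with a path relative to the source root."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))


def restore_backup(archive: Path, target: Path) -> None:
    """Restore into a clean directory, rejecting unsafe archive members."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter (Python 3.12, backported to older releases)
            # refuses absolute paths and ".." traversal inside the archive.
            tar.extractall(target, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored_root: Path) -> dict:
    """Compare the restored tree against the fingerprints taken before backup."""
    actual = fingerprint_tree(restored_root)
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(
        p for p in expected if p in actual and actual[p] != expected[p]
    )
    return {
        "files_checked": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
    }


def run_restore_drill(source: Path) -> dict:
    """Full cycle: fingerprint, back up, restore elsewhere, verify."""
    expected = fingerprint_tree(source)
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "backup.tar.gz"
        restored = Path(work) / "restored"
        create_backup(source, archive)
        restore_backup(archive, restored)
        return verify_restore(expected, restored)


def drill_with_sample_data() -> dict:
    """Healthy case: the sample data survives the round trip intact."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        make_sample_data(src)
        return run_restore_drill(src)


def drill_with_damaged_restore() -> dict:
    """Failure case: a restore that lost one file and altered another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        make_sample_data(src)
        expected = fingerprint_tree(src)
        damaged = Path(tmp) / "restored"
        shutil.copytree(src, damaged)
        (damaged / "config" / "app.yaml").unlink()
        (damaged / "README.txt").write_text("altered\n")
        return verify_restore(expected, damaged)


if __name__ == "__main__":
    print("healthy restore:", drill_with_sample_data())
    print("damaged restore:", drill_with_damaged_restore())
```

The drill is deliberately cheap to run, which is the point: a check that runs after every backup job, on a throwaway restore target, turns "our backups exist" into "our backups restored correctly last night". The missing and mismatched lists are what an incident response exercise would escalate on.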
The Cross-Border Cybersecurity Tour makes clear: cybersecurity is an ongoing commitment, not a project. Organizations that use NIS2 as a starting point for building genuine resilience – rather than treating it as the endpoint of a compliance journey – are better positioned in the long run. And in doing so, they protect not only themselves, but also the partners, customers, and society that depend on security.
