Cybervize - Cybersecurity Beratung

The 40-Page Assessment Problem: Why NIS-2 Assessments Must Enable Decisions

Alexander Busse · March 17, 2026

Last week, a CISO placed a 40-page NIS-2 assessment on the table. His only comment: "And now what?" That brief sentence captures a widespread problem in information security across mid-sized companies. Assessments are conducted, findings are documented, reports are printed — and then the document sits on a shelf. No decisions are made, no measures are initiated, no progress is achieved.

The question is not whether an assessment was done. The question is: what happens next?

The Decision Trap

An assessment after which no one can make a decision is simply a waste of time. That sounds harsh, but it is the reality in many mid-sized organizations. The challenge is not a lack of knowledge — the expertise is usually there. The real problem is structural: assessments become comprehensive status reports rather than foundations for action.

NIS-2 places particular demands in this regard. The directive does not merely require identifying vulnerabilities — it demands the clear assignment of responsibilities at management level. Without these assignments, any assessment remains incomplete, regardless of how professionally it was produced. This is precisely where most implementation projects fail at the first step.

Three Outputs Every NIS-2 Assessment Must Deliver

Working with mid-sized companies has made one thing clear: an effective NIS-2 assessment requires exactly three clear outputs. If even one is missing, the assessment becomes a filing cabinet exercise.

What is the priority? The output of an assessment should not be an alphabetically sorted list of findings. It must contain a clear prioritization: which measures are critical and must be addressed immediately? Which have medium-term relevance? And what can be deferred for now without materially worsening the risk profile? This prioritization must be transparently justified — based on risk value, effort, and regulatory requirement.

Who takes ownership? NIS-2 makes it clear that cybersecurity is a matter for senior leadership. In concrete terms, this means: for every identified measure, a responsible owner must be named — not "the IT department," but a specific person with a name, function, and decision-making authority. This also requires a clearly designated deputy and a defined review cadence, such as monthly. Without these structures, accountability evaporates through the hierarchy — a classic pattern that becomes costly during audits and in the event of an incident.

What effort is realistic? Any measure without a realistic effort estimate will not be implemented. This is not a criticism of those involved; it is an organizational reality. If an assessment only says "measure X is necessary" but does not specify that "measure X requires approximately 80 hours of external consulting plus 30 hours of internal resources in Q2," there is no basis for budget planning and resource allocation.

Assessments as Leverage, Not Compliance Exercise

These three outputs transform an assessment from a compliance exercise into a strategic management tool. Suddenly, leadership has a basis for decisions. Suddenly, the CISO knows who needs to do what next week. Suddenly, progress can be measured and communicated.

NIS-2 is not a bureaucratic obstacle — it is a structuring aid. The directive compels organizations to define processes, clarify responsibilities, and manage risks systematically. These are capabilities that make business operations more resilient independent of any regulatory requirement. An assessment is not the end point — it is the starting point for structured implementation.

Practical Implementation: What a Structured Assessment Must Deliver

A guided NIS-2 assessment that systematically delivers these three outputs follows a clear process model. The first step is a structured inventory conducted via a digital questionnaire that captures the current security status across all NIS-2-relevant areas: governance, risk management, incident response, supply chain security, and access control.

The second step involves two targeted workshops: one for prioritizing findings jointly with senior leadership, and one for ownership assignment with the responsible business units. These workshops are not reporting sessions — they are decision forums where concrete responsibilities and timelines are established.

The result is not another 40-page document. The result is a compact implementation matrix: measures, priorities, owners, deputies, effort, and timeline. Everything a company needs to start immediately — and to report concretely at the next management meeting.

Conclusion: The Question Must Be Answered Before It Is Asked

The companies that successfully implement NIS-2 are not those with the most complete documentation. They are those that know, after the assessment, what to do next, who does it, and how long it takes. The "And now what?" is not a sign of missing competence — it is a sign of an incomplete process.

A good NIS-2 assessment answers this question before it is asked. It does not just deliver a status report — it delivers a clear roadmap. Because compliance without the ability to act is just paper, and paper does not protect systems.