NIS2 is top of mind in many boardrooms, and it applies to thousands of organizations equally, although some implementation efforts may be more equal than others. In that context, we thought it would be valuable to take a closer look at some of the classic pitfalls we’ve observed based on our experience working closely with CISOs from a wide range of organizations.

1. Poor Communication and Stakeholder Misalignment (Internally and Externally)

Spoiler alert: cybersecurity doesn’t happen in a vacuum. It’s one of those fields (much like privacy) that affects more than just one department in an organisation. Whether it’s IT, legal, procurement, leadership, you name it: if these players aren’t on the same page, your project risks becoming a game of Chinese Whispers (no, that’s not a Chinese APT reference, although it does admittedly sound more mysterious than Salt Typhoon or Deep Panda). In short, communication matters. Reporting, progress updates, alignment: all crucial elements of a successful NIS2 project.

Keep in mind though, NIS2 isn’t just an internal party. Everyone is invited, especially third-party suppliers. And boy, do they love to dance, especially when they become an attack vector for your organisation. Many organizations outsource critical IT or cloud services but fail to recognize how deeply those vendors are embedded in their risk landscape. That’s a big blind spot.

Vendors often carry a significant chunk of your cyber risk, but they won’t naturally align with your goals unless you bring them to the table early and set clear expectations.

Bottom line: keep the communication lines open, loop in the right people early, and don’t forget this also includes crucial external partners.

2. Just Going Through the Motions

One of the biggest mistakes organizations make? Treating NIS2 like a technical problem to be solved by IT alone, or, at the other end of the spectrum, like a paper tiger on the hunt for documentation and risk assessments that need to be tackled by legal and compliance.

In reality, NIS2 demands a top-down, organization-wide approach to security governance. If you treat it like “just another certification” or a box to tick, you’ll end up drowning in paperwork with little to show for it. A Cyfancy framework does not make a governance program!

Instead, focus on building a pragmatic but functional governance program or ISMS (Information Security Management System). Translation: a program that does tick all the compliance boxes, but, more importantly, one that actually works for your organisation and is embedded in daily operations, decision-making, and company culture.

3. Underestimating the Resources You’ll Need

Inconvenient truth: cybersecurity takes the right people, the right skills, and the time to do things properly. Regardless of the inescapable paper trail, the spirit of the NIS2 legislation is a higher level of cyber resilience, and there are no shortcuts to achieving it.

Too often, projects are launched with existing staff who already have full plates. Cybersecurity is anything but boring, which means staff have plenty of work as it is.

To set your organisation up for a successful NIS2 implementation, you need:

  • clear roles and responsibilities
  • realistic timelines
  • actual capacity (not just wishful thinking)
  • access to expertise, whether internal or external

Skimping on resources is a short-term solution; in the long run it results in the worst of both worlds: extra work with little to show for it in terms of actual cyber resilience.

4. What Does Success Even Look Like?

If you’re investing months (or years) of effort into NIS2, you should know what you want to end up with. NIS2 compliance, much like GDPR compliance, is not an objective in itself.

Too many teams launch into large projects without ever asking what success looks like. How will you know if you’re making progress? What does “success” look like in practical terms?

Anyone looked at Generative AI projects recently? Without clear goals and metrics, we can all pass shoulder pats around the team and feel good, but we don’t know what’s working and what’s not. Perhaps more importantly, you’ll struggle to justify the investment to leadership, and in the end that’s what it often boils down to: what is the return on investment?

Try to define measurable, meaningful objectives up front. Not just to pass the audit, but to actually get better at what matters: protecting your organization. Think average time to resolve an incident, mean detection time, percentage of critical vendors that were subject to a security review this year, percentage of applications that were part of an access review, etc.

Management Summary

While there are many potential pitfalls, let’s summarise the ones we talked about in this article with some management-friendly catchphrases:

  1. Communicate, don’t procrastinate
  2. From paper tiger to spirit animal: let your governance program work for you instead of against you
  3. Overestimate the resources you’ll need, it may be just enough
  4. Define what a successful security governance program looks like


Want to learn more about a successful NIS2 implementation? Register for our NIS2 Lead Implementer training!
