{"id":17755,"date":"2025-08-19T08:56:17","date_gmt":"2025-08-19T06:56:17","guid":{"rendered":"https:\/\/www.dp-institute.eu\/?p=17755"},"modified":"2025-08-19T09:00:07","modified_gmt":"2025-08-19T07:00:07","slug":"4-pitfalls-to-avoid-on-your-nis2-compliance-journey","status":"publish","type":"post","link":"https:\/\/www.dp-institute.eu\/en\/4-pitfalls-to-avoid-on-your-nis2-compliance-journey\/","title":{"rendered":"4 Pitfalls to Avoid on Your NIS2 Compliance Journey"},"content":{"rendered":"

NIS2 (Directive (EU) 2022/2555) is top of mind in many boardrooms, and it applies to thousands of organizations equally, although some implementation efforts may be more equal than others. In that context, we thought it would be valuable to take a closer look at some of the classic pitfalls we’ve observed, based on our experience working closely with CISOs from a wide range of organizations.

1. Poor Communication and Stakeholder Misalignment (Internally and Externally)

Spoiler alert: cybersecurity doesn’t happen in a vacuum. It’s one of those fields (much like privacy) that affects not just one department in an organization. Whether it’s IT, legal, procurement or leadership, you name it, if these players aren’t on the same page your project risks becoming a game of Chinese Whispers (no, that’s not a Chinese APT reference, although it does admittedly sound more mysterious than Salt Typhoon or Deep Panda). In short, communication matters. Clear reporting lines, regular progress reports and alignment between stakeholders are all crucial elements of a successful NIS2 project.

Keep in mind, though, that NIS2 isn’t just an internal party. Everyone is invited, especially third-party suppliers. And boy, do they love to dance, especially when they become an attack vector for your organization. Many organizations outsource critical IT or cloud services but fail to recognize how deeply those vendors are embedded in their risk landscape. That’s a big blind spot, and not one NIS2 lets you ignore: supply chain security, including the security aspects of your relationships with direct suppliers and service providers, is one of the risk-management measures the directive explicitly requires (Article 21(2)(d)).

Vendors often carry a significant chunk of your cyber risk, but they won’t naturally align with your goals unless you bring them to the table early and set clear expectations, ideally written into contracts and SLAs: what they must protect, what they must report to you and how quickly, and what you are entitled to verify.

Bottom line: keep the communication lines open, loop in the right people early, and don’t forget that this also includes crucial external partners.

2. Just Going Through the Motions

One of the biggest mistakes organizations make? Treating NIS2 as a purely technical problem to be solved by IT alone, or, at the other end of the spectrum, as a paper exercise: a hunt for documentation and risk assessments that legal and compliance can take care of on their own.

In reality, NIS2 demands a top-down, organization-wide approach to security governance. The directive makes this explicit: management bodies must approve the cybersecurity risk-management measures, oversee their implementation and follow training themselves, and they can be held liable for failing to do so (Article 20). If you treat NIS2 as “just another certification” or a box to tick, you’ll end up drowning in paperwork with little to show for it. A fancy framework on its own does not make a governance program!

Instead, focus on building a pragmatic but functional governance program or ISMS (Information Security Management System). Translation: a program that does tick all the compliance boxes, but more importantly one that actually works for your organization and is embedded in daily operations, decision-making and company culture. A simple sanity check: if a significant incident were detected tonight, could your people actually get an early warning to the competent authority or CSIRT within 24 hours and a fuller notification within 72 hours, as Article 23 requires, or does that only work in the document?

3. Underestimating the Resources You’ll Need

Inconvenient truth: cybersecurity takes the right people, the right skills and the time to do things properly. The paper trail is inescapable, but the spirit of the NIS2 legislation is a higher level of cyber resilience, and there are no shortcuts to achieving that.

Too often, projects are launched with existing staff who already have full plates. Cybersecurity is anything but boring, which means those staff have plenty of work as it is; adding a NIS2 implementation on top without freeing up time or bringing in help is a recipe for a stalled project.

To set your organization up for a successful NIS2 implementation, you need: