NIS2

You've registered. What happens now?

Registration was the easy step. Now begins implementation — and this is where most organisations get stuck.

  1. 17 October 2024 was the deadline for NIS2 implementation (NIS2 Directive)
  2. At least 10 security measures are required under Article 21 (NIS2 Directive)
  3. Management is personally liable for compliance (NIS2 Directive)

Registration was the easy step

The deadline has passed. Most organisations covered by the NIS2 Directive have registered with their national competent authorities. The form perhaps took 20 minutes to complete. Good — but registration was the administrative starting gun, not the finish line.

Now begins the phase that determines whether your security work becomes real or just papers in a binder. And this is where I see most organisations getting stuck.

Reality: Registration took 20 minutes. Implementation takes 12–24 months. But that doesn’t mean you can wait — supervisory authorities can initiate inspections at any time.

Three mistakes I see over and over again

1. "We've registered — we're done"

Registration is an administrative act, not proof of compliance. It's like registering a company and thinking the business is therefore operational. The directive requires that you actually implement security measures, not just notify that you're covered.

2. "We'll start by buying a tool"

The tool trap is real. I see organisations investing in GRC platforms, SIEM solutions and vulnerability scanners before they've even mapped their information assets. Tools without process are like a till system without a business idea — it looks professional but provides no value.

3. "The IT department will handle it"

The NIS2 Directive is clear: management is responsible. Not the IT manager, not the CISO — management. Delegating away responsibility is not just a poor strategy, it goes against the directive's intention. The board must approve policies, ensure resources and undergo training themselves.

What supervisory authorities actually look for

It’s easy to think that supervision is about having the right documents. It’s not. Supervisory authorities look for three things:

Systematic approach — Is there a common thread? Have you identified which information assets are critical, assessed the risks against them, and chosen measures based on that assessment? Or have you just picked controls from a list?

Traceability — Can you show why you chose exactly the measures you chose? Can you show who decided, when, and on what grounds? Traceability means that every decision has a documented connection back to an identified risk.

Management engagement — Have the board and management actively participated in security work? Are there minutes showing that security issues have been addressed at management level? Has management undergone the training that the directive requires?

Documentation without underlying process is theatre.

An information security policy that no one follows, a risk analysis that’s never updated, an incident management plan that’s never tested — that’s not compliance. That’s paperwork. And supervisory authorities are trained to see the difference.

Pragmatic prioritisation list

You can’t do everything simultaneously. But you can start right. Here’s the order I recommend:

  1. Risk analysis Map your information assets, identify threats and vulnerabilities, and assess the risks. Without risk analysis, you don't know where to deploy resources. Everything else builds on this step.
  2. Security measures Implement measures based on the risk analysis — not based on what the vendor is selling. Focus on the areas that NIS2 Article 21 specifies: access control, encryption, network security, training.
  3. Incident preparedness Build an incident management plan that actually works. Define roles, escalation paths and reporting templates. And test it — a plan that's never been practised is just a wish list.
  4. Supplier control Identify which suppliers have access to your critical information assets. Set security requirements and follow up. You can't outsource your responsibility.

From checklist to systematic approach

There’s a fundamental difference between organisations that tick off requirements and organisations that build real security. The former have documents. The latter have processes.

Checklist thinking                         | Systematic security work
-------------------------------------------|-----------------------------------------------------------------
"We have a policy"                         | "We have a policy that's followed, reviewed and updated"
"We've done a risk analysis"               | "We conduct risk analyses continuously and update when changes occur"
"We have an incident plan"                 | "We practise incident management quarterly"
"We set requirements on suppliers"         | "We continuously monitor suppliers' compliance"

The NIS2 Directive isn’t about reaching an end goal. It’s about showing that you have a living, systematic security work that develops in line with the business and the threat landscape.

Next steps

Start by being honest about where you are. A GAP analysis that maps your current state against the NIS2 Directive requirements is the most effective first step. It gives you a clear picture of what’s missing — and what’s already working.

Securapilot’s GAP analysis module helps you map exactly where you stand against the NIS2 Directive requirements — without starting from zero. Build on your existing processes and develop what’s already there.


Frequently asked questions

What happens after NIS2 registration?

Registration is just the first step. Organisations must now implement the security measures that the NIS2 Directive requires — risk management, incident preparedness, supplier security and management engagement. Supervisory authorities can initiate inspections at any time.

What are the most common mistakes after NIS2 registration?

The three most common mistakes are: thinking that registration means you're done, starting by buying tools instead of understanding your processes, and delegating all responsibility to the IT department.

How do I know if my organisation meets the NIS2 Directive requirements?

Conduct a GAP analysis that maps your current state against the directive's requirement areas. This provides a clear picture of what's missing and helps you prioritise the most critical initiatives.

Can the supervisory authority inspect us already?

Yes. The NIS2 Directive came into force on 17 October 2024 and supervisory authorities have the right to conduct inspections. There is no formal grace period for implementation.


