If your NIS2 strategy is a checklist, you already misunderstood it.

NIS2 is not about documentation.
It’s about accountability.

And that changes everything.

The Dangerous Illusion Around NIS2

In Belgium, we see three common reactions:

1. “It’s just another directive.”
2. “Legal will handle it.”
3. “We’ll update policies and be fine.”

That mindset is exactly what NIS2 is designed to break.

Because for the first time:

• Management can be held personally accountable.
• Fines are significant.
• Governance failures are no longer abstract risks.

NIS2 shifts cybersecurity from IT problem → Board-level responsibility.

If your board isn’t uncomfortable yet, you’re not reading it properly.

What NIS2 Really Changes

Let’s cut through the noise.

NIS2 forces organizations to mature across five dimensions:

1. Risk management governance
2. Incident reporting discipline
3. Supply chain security
4. Business continuity resilience
5. Executive accountability

This is not ISO copy-paste.
This is operational transformation.

1️⃣ Executive Liability Is Now Real

Under NIS2:

• Management bodies must approve cybersecurity risk measures.
• They must oversee implementation.
• They can be held liable for negligence.

This is not symbolic.

This means:

Cybersecurity reporting must become structured, measurable, and defensible.

Board slides are no longer decoration.
They are potential evidence.

2️⃣ Incident Reporting Is No Longer Optional

Early warning within 24 hours.
Detailed report within 72 hours.
Final report within one month.

If your SOC:

• Cannot classify incidents quickly
• Has no clear severity framework
• Has no documented playbooks
• Cannot produce structured evidence

You are exposed.

NIS2 exposes weak SecOps instantly.

3️⃣ Supply Chain Security Is the Hidden Bomb

This is where most companies are completely unprepared.

You are now responsible for:

• Third-party security posture
• Vendor risk management
• Contractual cybersecurity clauses
• Continuous monitoring

If your procurement team is disconnected from security,
NIS2 will break your operating model.

Security must integrate into:

• Vendor onboarding
• Contract management
• Risk assessments
• Performance monitoring

This is structural.

4️⃣ Business Continuity Is Not a PDF

NIS2 explicitly covers:

• Incident response
• Crisis management
• Disaster recovery
• Backup management

If your BCP:

• Has not been tested
• Exists only in SharePoint
• Is not integrated with technical architecture

Then it’s not resilience.

It’s documentation theater.

The Mistake Most Companies Will Make

They will treat NIS2 like ISO 27001:

• Hire consultants
• Produce policies
• Create controls on paper
• Pass a review
• Move on

That will fail under real scrutiny.

Because NIS2 expects operational effectiveness.

And operational effectiveness cannot be faked.

What Real NIS2 Maturity Looks Like

Let’s define levels.

Level 0 – Reactive

• Policies outdated
• No formal risk governance
• Incident response ad hoc
• No board visibility

Level 1 – Documentation

• Policies updated
• Risk register created
• Basic reporting process
• Compliance narrative exists

Most companies will stop here.

It is not enough.

Level 2 – Operational Governance

• Risk ownership assigned
• Clear reporting lines
• Incident classification framework
• Vendor security integrated into procurement
• KPIs defined

Now governance starts working.

Level 3 – Embedded Security Architecture

• Security integrated into DevSecOps
• Privileged access controlled
• Continuous monitoring mature
• BCP tested and automated
• Supply chain risk quantified

Now NIS2 becomes structural resilience.

Level 4 – Measurable Cyber Resilience

• Board dashboards tied to KRIs
• Incident response metrics tracked
• Zero Standing Privilege implemented
• Third-party risk continuously monitored
• Security culture embedded

This is where NIS2 becomes competitive advantage.

NIS2 and DevSecOps: The Overlooked Link

Most discussions focus on governance.

But NIS2 compliance without engineering maturity is fragile.

You cannot:

• Prove resilience
• Ensure incident containment
• Protect supply chains
• Guarantee business continuity

Without:

• Secure SDLC
• IAM/PAM maturity
• Detection engineering
• Infrastructure as Code controls

NIS2 forces strategy and engineering to converge.

This is where most consulting firms struggle.

They either:

• Deliver governance slides
• Or deploy tools

Rarely both.

The Belgian Reality

Many organizations in Belgium are:

• Technically competent
• Governance-light
• Reactive in crisis
• Vendor-dependent

NIS2 will expose this gap.

The winners will be those who:

• Redesign governance structures
• Align board and engineering
• Measure cyber risk properly
• Invest in architecture, not optics

The FuturWork Position

We do not approach NIS2 as:

“Let’s make you compliant.”

We approach it as:

“Let’s make you resilient.”

That means:

1. Governance redesign
2. Risk ownership clarification
3. IAM/PAM maturity uplift
4. SecOps strengthening
5. DevSecOps integration
6. Supply chain security structuring
7. KPI/KRI measurement framework

Strategy + execution.

No slide-deck-only transformation.

The Hard Question for CISOs

If an incident happens tomorrow:

• Can you notify within 24h with structured evidence?
• Can you demonstrate governance oversight?
• Can you prove third-party risk assessment?
• Can you show measurable privilege control?
• Can you show tested recovery capability?

If not, your NIS2 exposure is real.

The Opportunity Most Companies Miss

NIS2 is not just risk.

It’s leverage.

It gives CISOs:

• Budget justification
• Governance authority
• Structural mandate
• Board visibility

If used correctly, it upgrades the entire cybersecurity operating model.

Final Hot Take

Companies that treat NIS2 as a legal checkbox will remain fragile.

Companies that treat NIS2 as a governance transformation will become structurally resilient.

Regulation is not the threat.

Complacency is.

‍