
Why NIS2 is not an IT project – and what successful organisations do differently

The reflex starting point

As soon as NIS2 appears on the agenda, many organisations initially turn their attention to IT or information security: they check firewalls, update policies and commission external assessments. This approach is understandable – but it falls short.

NIS2 is more than a technological issue. The directive requires an organisation-wide approach with clear leadership responsibility.


Understanding NIS2 as an organisational project

NIS2 is an organisation-wide risk management framework that integrates technical, organisational and process-related measures. It requires functioning workflows, clear responsibilities and a structured ICT risk management system that goes beyond traditional IT security. 

This makes it clear that NIS2 is an organisational project: responsibility is not assigned to individual functions but becomes the task of the entire organisation.

If responsibility is not clearly anchored, uncertainties arise in implementation. Clear roles and structures, on the other hand, create orientation and the ability to make decisions. 

Risk management as a strategic steering instrument

At the core of the directive is a structured ICT risk management system that is based on recognised standards and includes all relevant risks. In addition to cyberattacks, this also includes outages, human errors, supply chain risks and physical threats. 

Successful organisations use this requirement to sharpen their understanding of risk: 

  • Which services are truly critical? 
  • Where do dependencies exist? 
  • Which risks are acceptable – and why? 

These questions cannot be delegated and must be decided at the leadership level.

A structured risk management system improves an organisation’s ability to steer effectively. Decisions become more transparent, priorities clearer and measures more targeted. 

Processes outweigh documentation

Many organisations have extensive policies. What is often missing is the connection to operational reality. NIS2, therefore, focuses not on documents but on functioning processes: risk identification, incident management, escalation and continuous improvement. 

A documented process that does not work in practice is worthless. A clearly defined and lived process, on the other hand, creates operational certainty – even under time pressure. 

If processes are not practised and aligned, delays occur in a crisis. Well-rehearsed workflows, on the other hand, enable fast and coordinated responses. 

Incident reporting as a maturity indicator

The ability to report incidents in a timely and structured manner becomes a real test of maturity for many organisations. NIS2 requires clarity regarding thresholds, responsibilities and information flows.

Those who only start defining what to do once an incident has actually occurred risk failing not only technically but also organisationally. Mature organisations establish these processes in advance.

Supply chains as part of your own security

NIS2 explicitly highlights ICT third-party management. Third parties must be integrated into the overarching risk management – from selection and monitoring through to emergency and reintegration plans. 

This makes Third Party Risk Management an integral part of organisational security. 

If external dependencies are not systematically assessed, risks arise outside the organisation’s direct sphere of influence. Transparency, clear criteria and continuous evaluation reduce these uncertainties and strengthen operational cyber resilience. 

Digitalisation as a necessary foundation

At the latest during implementation, it becomes clear that manual approaches reach their limits. Excel-based solutions offer neither transparency nor auditability nor end-to-end traceability. 

Digital solutions such as BIC GRC make it possible to manage risks, incidents, third parties and evidence on one central platform – with clear workflows, deadlines and responsibilities. 

Structured systems create the conditions to implement processes consistently and document decisions in a traceable manner. 

Conclusion

NIS2 is an organisational project with clear leadership responsibility. 

Organisations that follow this approach view the directive as a framework for structured decision-making, clear processes and integrated risk management. This creates a solid foundation for sustainable resilience. 



Frequently Asked Questions

Why is NIS2 not purely an IT project?

Because the directive addresses organisational structures, risk management and decision-making processes, and is not limited to technological measures.

How does ICT risk management work under NIS2?

It includes the systematic identification of risks, incident management, escalation, documentation and continuous improvement.

What processes does NIS2 specifically require?

Among others, risk identification, incident management, escalation, documentation and continuous improvement. 

How are third parties integrated into NIS2?

Through structured selection, continuous monitoring as well as emergency and recovery plans within the framework of risk management. 

Why do companies struggle with NIS2 implementation?

Often because responsibilities are unclear, processes are not defined or risk management is not implemented systematically.