Many organisations still view NIS2 as just another compliance project. Meanwhile, the regulator is making it increasingly clear that it will not be assessing the number of policies implemented or security tools purchased. What will matter is whether a company can demonstrate that it manages risk proactively and does so in a consistent manner. This is precisely what emerges from ENISA’s latest guidelines, which shift the focus from documentation to the practical operation of processes.
This change is of great significance to technology companies. For years, regulatory compliance often meant preparing the relevant documentation ahead of an audit. NIS2 introduces a different approach. An organisation must be ready to prove that its security processes are functioning every day, not just at the time of an inspection. For businesses, this means that cybersecurity is becoming an integral part of corporate management, rather than a one-off project carried out by the IT department.
This is best illustrated by considering what the regulator will actually expect in practice. An audit will not begin by asking what network security solution the company has purchased. It will be far more important whether the organisation can identify the key risks, assess their impact on operations, assign responsibility for mitigating them, and demonstrate that the process is regularly reviewed. The approach to incident management, supplier security and vulnerability remediation is similar. Each of these areas is intended to be a process, rather than a set of procedures set out in documentation.
This is precisely why the concept of evidence of compliance is becoming increasingly important. ENISA does not limit itself to describing the requirements, but provides examples of materials that can confirm their fulfilment. These may include risk registers, the results of business continuity plan tests, incident handling reports, system logs, audit confirmations or documentation relating to supplier assessments. For the regulator, a mere declaration that a process exists will not be sufficient. What will count is the ability to demonstrate that it operates effectively and is continuously maintained.
This also changes the role of the board. NIS2 clearly states that responsibility for cybersecurity does not end with the security or IT department. Senior management should understand the level of risk, make decisions regarding its acceptance, ensure adequate resources are provided, and oversee the implementation of measures. Cybersecurity is therefore becoming an element of corporate governance, just like financial management or operational risk management.
In practice, this means that technology companies should focus on building sustainable processes, rather than a ‘NIS2 implementation’ project. Organisations that establish a coherent risk management system – one that also covers suppliers, incident reporting and regular assessments of the effectiveness of security measures – will be better prepared not only for audits arising from NIS2. These same mechanisms will form the foundation for compliance with future European regulations on cybersecurity and digital resilience.
NIS2 changes the way the regulator assesses an organisation’s maturity. A company does not need to prove that it is immune to every cyberattack. It must demonstrate that it is capable of continuously managing risk, responding to threats and providing credible evidence that its processes actually work. This will be the most important criterion for assessment.

