The IT industry likes to think of security in terms of products. Next-generation firewalls, EDR systems, advanced network segmentation – these are tangible items that are easy to price, sell and deploy. However, in the face of the EU’s NIS2 directive, this traditional way of thinking is becoming a trap. Experts analysing the new legislation make it clear: NIS2 is not a technical manual for administrators. It is a management revolution that brutally exposes what many companies have so far ignored – the lack of coherent corporate governance.
Many companies still live with the belief that compliance with new regulations can be ‘bought’ or achieved by updating their infrastructure. This is a dangerous cognitive error. An analysis of the directive’s assumptions shows that the focus shifts radically from ‘IT operations’ to ‘risk management’. This means that even the most expensive technology will not protect an organisation from the consequences if the people, decision-making processes and accountability structure fail.
The illusion of a digital fortress
When a security incident occurs, the first instinct is to look for blame in the technology department. Did the system fail? Was an update overlooked? Security strategists, however, point elsewhere. Cyber security rarely fails because of a lack of technology. The problem is seldom the physical absence of a firewall or of monitoring tools; these are usually in place.
Systems fail most often because of decisions, priorities and structures that do not fully map the risks. So the question is not whether a company ‘has’ the tools, but whether its management structures are configured so that risk is understood and controlled at every level. If the board does not understand what it is protecting and why, even the best-armed digital fortress will have its back door open. In the light of NIS2, governance therefore becomes a security-critical function – a foundation without which technology loses its effectiveness.
The end of the ‘it’s a problem for the IT professionals’ era
One of the biggest changes NIS2 introduces is the redefinition of accountability. For years, cyber security has been treated as a technical domain, relegated to IT departments, away from boardrooms. The new directive ends this approach.
NIS2 is a management requirement. It obliges management not only to proactively manage security, but also to demonstrate that decisions made are based on a sound assessment of risk in the context of the business model. Boards face the challenge of combining technical correctness with business relevance. They need to be able to assess how a specific digital threat affects finances, the supply chain or reputation.
Without this classification, technical analysis remains in a vacuum. Companies are required to be able to demonstrate the ‘decision path’ – how decisions are prepared, prioritised and documented. This is a huge challenge for organisations that lack a structured logic for decision-making. In 2026, accountability will be personal and direct, forcing C-level staff to educate themselves and change their mentality.
Paper accepts everything, hackers do not
Another misunderstanding that blocks progress in many organisations is the approach to compliance as a set of documents. There is a perception that compliance can be achieved by creating a sufficient number of procedures or security policies. In practice, NIS2 requires the opposite – a living ecosystem.
The directive calls for the coherent integration of multiple, often siloed areas: technical security measures, governance, staff competence development, reporting and supply chain management. If these elements do not mesh perfectly, gaps are created. It is in these gaps – between HR procedure and server configuration, between the report to the board and the actual state of the network – that the biggest security disasters occur.
Governance involves more than a formal definition of responsibilities. It is the framework within which risks become visible. If a company fails to connect these dots, it will be left with a cupboard full of documents that in no way increase its real resilience.
Time – a resource you cannot recover
The implementation of NIS2 cannot be understood as a one-off legal obligation to be ‘ticked off’. It is a transformation process, and the biggest enemy of companies in this process is time. Many organisations drastically underestimate how long implementation takes, deluding themselves into thinking that it can be completed in the few weeks before the deadline.
Experts warn: even with a good starting point, it takes months to define new roles, coordinate processes and, above all, introduce effective reporting structures in a ‘management language’. For companies with complex supply chains or a distributed structure, this time extends even further. Anchoring security requirements at multiple operational levels is a marathon, not a sprint.
The coming months are a crucial ‘transfer window’. Those who start the transition process now have the luxury of controlling priorities and allocating resources sensibly. They can take a realistic inventory and determine which measures realistically reduce risk.
Those who procrastinate will fall into a spiral of time pressure. ‘Last-minute’ implementations usually end up with half-hearted solutions that are not tailored to the company’s individual risk profile. Such a strategy not only increases costs (operating in fallback mode is always more expensive), but also raises the risk that core requirements remain incomplete.
Consequences of inaction
What happens if companies react too late? The consequences go far beyond the regulatory sanctions that are most often discussed. Organisations that fail to implement appropriate governance structures in time lose their ability to manage risks operationally. They become reactive rather than proactive.
This poses a huge reputational risk. In the new reality, a lack of evidence of effective security management is a straightforward way to lose the trust of customers and investors. What’s more, these companies may be pushed out of the market by their own business partners – as supply chains will require compliance with certain standards that cannot be implemented overnight.
Turning point
NIS2 is a turning point for the entire industry. The directive moves cyber security from the technical back office to the strategic core of the business. Governance becomes the new firewall – a factor that will determine economic stability and liability risk in the years to come.