NIS2 has moved from "upcoming regulation" to operational reality. Across our Nordic engagements over the past two years, a clear pattern has emerged: the organisations struggling most are not the ones who started late. They are the ones who started in the wrong place — with documentation instead of decisions, with tools instead of processes, with auditors instead of operators.
Below are the six traps we see most often, and how we recommend avoiding them. Two of them — scoping and management liability — carry the largest consequences if you get them wrong, so we treat them with extra weight.
1. Scoping done wrong, or not done at all
Scoping is where most NIS2 projects go wrong first. We see two opposite errors: companies that assume they are out of scope because their core business is not on the sector list, and companies that assume the entire group falls under NIS2 and budget accordingly. Both are expensive.
The essential vs. important entity distinction matters operationally, not just for paperwork: it changes the supervisory regime (ex-ante and ex-post supervision for essential entities, ex-post only for important ones), the fine ceilings (up to EUR 10 million or 2% of worldwide annual turnover for essential entities, EUR 7 million or 1.4% for important ones), and the enforcement powers available to the authority. And the supply-chain pull-through is consistently underestimated: we have seen mid-sized Nordic suppliers discover they are de facto in scope, not because the law names them, but because their largest customer is in scope and that customer's supply-chain obligations cascade down through contracts.
2. Treating NIS2 as a compliance exercise
We have walked into organisations with 200-page policy binders that no one in operations has read. The policies were technically aligned with NIS2 and operationally invisible. When we asked an IT operations lead how a significant incident would actually be reported to the CSIRT or competent authority within the 24-hour early-warning window, the answer was: "I assume someone in compliance handles that."
3. Underestimating management's personal liability
This is the change that boards still do not fully grasp. Under NIS2 (Article 20), management bodies must approve and oversee the cybersecurity risk-management measures, must follow training, and can be held personally liable for failures of oversight. For essential entities the Directive (Article 32) also allows supervisory authorities to temporarily prohibit individuals with managerial responsibilities at CEO or legal-representative level from exercising managerial functions in the entity, and in several Nordic jurisdictions the implementing law carries this power through.
We have sat in board meetings where the directors signed off on a NIS2 "compliance status" without anyone in the room being able to explain what was actually being approved. That signature now carries personal weight.
4. Buying tools before fixing processes
We see this pattern repeatedly: a six- or seven-figure investment in a SIEM, a GRC platform, or an attack-surface management tool, brought in to "solve NIS2." Six months later, the tool produces dashboards no one acts on, because the underlying processes were never defined. One client had a SIEM generating 40,000 alerts per month with no triage process and a two-person security team. The tool was not the problem.
5. Supply chain as an afterthought
NIS2 is explicit (Article 21(2)(d)): cybersecurity risk-management measures must include supply chain security, including the security of relationships with direct suppliers and service providers. In practice, we see organisations that can describe their own controls in detail but cannot answer basic questions about their critical suppliers: who they are, what data and systems they touch, what security obligations the contracts actually contain, and what happens operationally if a supplier fails or is breached.
6. Incident response that has never been tested
A plan in a drawer is not a plan. We have reviewed incident response procedures that named individuals who had left the company, referenced systems that had been decommissioned, and assumed contact with authorities through channels that no longer existed. None of this surfaced until the first tabletop exercise — which was also, in most cases, the first time anyone had read the document end to end.
Our recommendation: start with the operating model
The common thread across these six traps is that organisations treat NIS2 as a project deliverable rather than as an operating-model question. The regulation is not asking for a binder. It is asking whether you can run, and keep running, a business that is critical to society.
At NordVisio we work senior-led, operationally grounded, and without the consulting theatre. If you want a candid assessment of where you stand against these six traps, we are happy to have the conversation.