Key challenges of NIS2 in practice
In theory, NIS2 is relatively straightforward: define the scope, choose your compliance path, assess gaps and implement your controls.
In reality, most organisations face a mix of internal challenges:
1. Scoping & ownership: more than IT alone
Many organisations still struggle to determine whether they fall within scope and, if so, who should lead the initiative. While IT often initiates the discussion, executive leadership bears ultimate accountability under Article 20 of the directive, which requires management bodies to approve and oversee the cyber security risk-management measures and makes them liable for infringements. In practice, responsibility is often siloed or unclear.
2. From policy to practice: mind the gap
Policies may exist on paper, but operationalisation remains inconsistent. This is especially the case in areas like incident response, crisis communication, or third-party risk management. We frequently see a disconnect: management is overconfident, assuming plans and processes will work, while employees are often unaware of their roles or responsibilities when a cyber event occurs. Testing is rare, and awareness remains low.
NIS2 raises the bar: it is not enough to protect selected departments or functions. Organisations must provide assurance for the entire entity. Even those with a mature cyber security team may find themselves underprepared to demonstrate compliance across all regulatory requirements.
3. Knowing what to protect: visibility is key
A major challenge lies in identifying and protecting the “crown jewels” - the assets, systems, and data most critical to operations and reputation. While many organisations have a general idea, few have a structured, risk-based classification approach.
As risk experts, we often observe a lack of real-time visibility on key assets and KPIs/KRIs, underuse of past incident data, challenges with legacy systems, presence of shadow IT and weak supplier risk oversight. A recurring point of concern is the monitoring of third parties that manage sensitive data or critical infrastructure, particularly the robustness of the contractual clauses and service-level agreements (SLAs) that define security expectations and responsibilities.
4. Awareness at all levels: a cultural challenge
Cyber resilience relies as much on people as on technology. Awareness must infuse every level, from the boardroom to frontline staff and external partners.
We regularly see fragmented governance, limited communication, or the absence of structured awareness programs (e.g., phishing simulations, onboarding briefings). The result: poor preparation, unclear roles, and underestimation of real cyber risks. Building a security-aware culture requires more than top-down policies. It needs engagement, education, and ownership at every level.
5. Strength within IT: technical foundations
On the other hand, we often observe that technical protection measures are already well established in many organisations. These include network segmentation, firewall configurations, backup strategies, multi-cloud resilience, access controls and cryptographic safeguards. Such foundations provide a strong baseline for mitigating cyber risks.
Pragmatic advice based on practical experience
NIS2 maps closely onto the six functions of the NIST Cybersecurity Framework (CSF 2.0): Govern, Identify, Protect, Detect, Respond and Recover. In short, strong resilience requires both top-down alignment and bottom-up awareness.
Here are some recommendations to make your NIS2 journey a success:
To gain leadership support, translate cyber security in business terms: revenue protection, customer trust, operational continuity... Demonstrate how cyber investments secure each department’s objectives, de-risking the organisation and protecting the brand.
How BDO can support your journey
At BDO, we specialise in helping organisations align with NIS2 requirements. Our experience with ISO 27001 certification and CyberFundamentals can support you in your NIS2 needs and ambitions.