
NIS 2 in practice: What regulated cyber resilience really looks like.

Cyber regulation has changed tone. It is no longer simply about having policies in place, point-in-time assessments, or a reassuring slide deck for the board.

NIS 2, now the EU’s baseline cyber directive across a wide range of critical sectors from energy and transport to healthcare, manufacturing and digital infrastructure (member states were required to transpose it into national law by 17 October 2024), is a clear signal of that shift.

It treats cyber resilience as an operating model expectation: continuous risk management, accountable incident response, and governance that can be demonstrated under pressure, rather than asserted after the fact.1 Crucially, that governance must stand up at board level, where accountability now sits squarely with management bodies.

For UK organisations, this matters even if they are not directly in scope of NIS 2. The UK government has already introduced a Cyber Security and Resilience (Network and Information Systems) Bill to update the UK’s network and information systems regime, expanding scope and increasing regulatory powers.2

The regulatory language may differ, but the expectation is the same: resilience must be demonstrable, not assumed.


NIS 2 marks a shift, not an addition

Many organisations initially approach NIS 2 as just another compliance layer.

That framing is comforting, because it suggests a familiar response: map the articles, confirm the control set, prepare the audit pack.

But NIS 2 is not simply asking whether you have controls. It is asking for proof of whether cyber resilience is run as a governed, measurable system.

The directive strengthens expectations around risk-management measures, incident handling and reporting, business continuity, supply-chain security, and oversight by senior management. It also tightens the logic of accountability: cyber is not just an IT matter; it is a management-body responsibility with potential liability implications.

The practical implication is challenging for organisations that have so far been making do with cyber programmes built around disconnected tools and periodic reporting.

Beyond the legal text: NIS 2 regulatory expectations

The legal language is dense, but the outcomes regulators are pushing for are simple. In practical terms, regulators are looking for four capabilities. Organisations should be able to demonstrate that:

  • Cyber risk management is continuous, not episodic: Article 21 requires appropriate and proportionate measures based on an all-hazards approach, covering areas such as risk analysis, incident handling, business continuity and backup, supply-chain security, vulnerability handling, access control, cryptography and multi-factor authentication. Controls cannot simply be reviewed annually when threats and dependencies change weekly
  • Incident response is structured, accountable and fast: The point is not just to respond. It is to show who owned the decision-making, how escalation worked, what you knew when, and how the incident affected critical services. Article 23 also sets the clock: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. The EU’s wider cyber direction reinforces this collective readiness mindset3
  • Critical assets and dependencies are visible: If you cannot clearly identify the systems and services that matter most, you cannot credibly claim resilience. NIS 2’s approach includes supply-chain security as part of baseline cyber risk management
  • Governance is demonstrable at senior levels: Under Article 20, management bodies must approve the risk-management measures, oversee their implementation and can be held liable for infringements; their members are required to follow cyber security training, and the directive encourages equivalent training for employees.

For organisations that have relied on cyber activity as a proxy for cyber assurance, this is where the pressure starts.

Why NIS 2 exposes weak cyber operating models

NIS 2 does not ‘catch organisations out’ on technical controls. It catches them out on operating model gaps, especially fragmentation.

Fragmentation can start off as sensible specialisation:

  • Security tooling in one ecosystem
  • Control testing in spreadsheets
  • Incidents tracked in ticketing tools
  • Board reporting assembled manually at month-end.

Individually, each component may be defensible. Together, they often fail the basic NIS 2 test: can you connect cyber protection to cyber assurance?

These are some of the key areas in which governance can fail:

  • Cyber risk, controls, incidents and assets are managed in separate places: The organisation has no single view of exposure. It has multiple partial truths, each optimised for a different team

  • Incident response is divorced from governance and assurance: Post-incident reviews may happen, but they rarely flow back into control effectiveness, risk ratings, business impact, or third-party dependency management

  • Evidence is gathered retrospectively, under pressure: When regulators, auditors, or the board ask ‘show me the proof’, the answer requires a scramble of emails, screenshots, and manual reconciliations

  • Board reporting summarises activity but cannot prove effectiveness: A dashboard that says “patching is improving” is not the same as assurance that critical services are resilient against realistic failure modes.

This is why NIS 2 is best understood as a stress test. It reveals whether cyber governance is a connected system or a collection of tools that only look coherent in hindsight.

The board-level assurance test

NIS 2 raises a simple but uncomfortable question: can your board provide cyber assurance with confidence?

If a regulator asked directors three questions, could they answer clearly and consistently?

  • What are our most critical services and systems?
  • What is our current exposure to disruption or compromise?
  • How do we know the controls that matter are working?

If answering those questions requires stitching together reports from multiple systems, reconciling spreadsheets and validating data manually, confidence is fragile.

Under NIS 2, resilience is not what you do. It is what you can prove with connected data and board-level confidence.

What NIS 2-ready cyber governance looks like in practice

The good news is that NIS 2-ready governance is not a mystery. It looks like a cyber operating model designed to answer the questions regulators and boards now ask. In practice, that target state has a few consistent features:

  • Cyber risks are linked directly to critical assets and services: Risk statements are not generic; they map to the systems and services that deliver value and support continuity
  • Controls are mapped to both risks and regulatory expectations: The organisation can map each control to a specific risk and show which obligations those controls support, without maintaining multiple inconsistent control sets
  • Incidents are captured, investigated and tied back to control effectiveness: An incident is not just a ticket; it becomes governed information that updates risk exposure, tests assumptions, and improves the control environment
  • Supply-chain exposure is visible and assessable: Dependencies are not buried in procurement records. They are part of the cyber resilience narrative
  • Dashboards show posture, gaps and trends, not just activity: Reporting moves from “how many things we did” to “how confident we are of our resilience posture, and why”.

Most organisations already recognise many of these components in their target state, but they are separated by system boundaries, team boundaries and reporting boundaries. The challenge is integration, not invention.

Conclusions and next steps for your organisation

If you operationalise NIS 2 well, the payoff is bigger than compliance.

A connected, measurable cyber governance model speeds up incident response because escalation and ownership are clear, and it strengthens executive and board confidence because reporting is defensible.

That outcome does not happen by accident: it depends on how your cyber operating model is designed.

Protecht helps organisations operationalise cyber governance under regulations like NIS 2 by creating a connected assurance layer across cyber risk, controls, assets and incidents, so boards move from narrative reassurance to evidence-based confidence.


References

1. Directive (EU) 2022/2555 (NIS 2 Directive), Official Journal of the European Union: https://eur-lex.europa.eu/eli/dir/2022/2555/oj

2. UK Department for Science, Innovation and Technology, Cyber Security and Resilience (Network and Information Systems) Bill factsheets: https://www.gov.uk/government/publications/cyber-security-and-resilience-network-and-information-systems-bill-factsheets

3. Regulation (EU) 2025/38 (Cyber Solidarity Act), overview on the European Commission digital strategy pages: https://digital-strategy.ec.europa.eu/


About the author

Gary has over 10 years’ experience consulting and providing advisory services to a wide range of clients both locally and overseas. He has an MSc in Finance and Capital Markets. Prior to Protecht, Gary spent time with three global banks consulting on risk and strategic change. He started his career in Risk Advisory at KPMG.