The NIS2 river crossing
NIS2 compliance is navigable for organisations of any size that fall within scope. It requires systematic preparation, cross-functional coordination, and realistic planning, but it is not insurmountable. Thousands of essential and important entities across the EU are successfully making the crossing.
Unlike climbing a mountain where the path is largely yours to choose, crossing a river means respecting the current. NIS2 has more prescriptive requirements, mandatory incident reporting timelines, and specific obligations you cannot simply route around. The current flows in one direction, and you must navigate it successfully.
Compliance is treated as something derived from observed system behaviour rather than demonstrated through documentation alone. The mandatory measures in Article 21 encode assumptions about the environment they operate in. When a control fails to produce its intended effect, the question worth asking is not whether the procedure was followed but whether the assumption it was built on still fits operational reality. The evidence that counts is not that a measure is implemented and documented but that it produces the expected effect under realistic conditions: a penetration test verifying that network segmentation holds, a tabletop exercise testing whether incident reporting timelines are achievable under pressure, a phishing simulation confirming whether awareness training changed behaviour, a PoC or CTF scenario confirming that a detection capability fires when expected. Each stage of the crossing reflects this framing.