What Good Looks Like for NIS2: Beyond Checkbox Compliance

By Ali Zeb  ·  February 2025  ·  8 min read

The Network and Information Security Directive 2 represents the most significant expansion of mandatory cyber security obligations in Europe since GDPR. Its scope now covers tens of thousands of organisations across eighteen sectors that were not previously subject to any binding cyber security requirements. Its penalties are substantial. Its personal liability provisions for senior management are, for many boards, unprecedented. And yet the dominant response across many of the organisations now in scope has been to treat NIS2 as a compliance exercise rather than as the governance overhaul it requires.

Checkbox compliance with NIS2 is achievable. Organisations can appoint a named security officer, produce risk assessments, document an incident response plan, and sign off on a third-party risk register. None of this constitutes good NIS2 governance. The directive's architects understood that prescriptive technical requirements are easy to satisfy on paper and easy to fail in practice. The substance of NIS2 is not in its technical annexes. It is in its governance provisions, specifically the direct accountability it places on management bodies for the adequacy and ongoing supervision of the organisation's security posture.

Having advised on regulatory frameworks at the NCSC and worked as CISO in organisations operating in critical infrastructure sectors subject to the predecessor NIS Regulations, I have a clear view of what regulators consider genuine compliance and what they consider paper compliance. The distinction matters considerably, because enforcement under NIS2 will not be limited to organisations that had no programme. It will extend to organisations whose programme was not effectively supervised.

What NIS2 actually requires at board level

The governance provisions of NIS2 are explicit in a way the original NIS Directive was not. Management bodies must approve the organisation's cyber security risk management measures. They must oversee their implementation. They can be held personally liable for infringements. And they are required to undertake training sufficient to assess the risks and governance measures in place.

This is not a requirement that can be discharged by the security function. It is a requirement that applies directly to directors, and it changes the nature of what board-level engagement with cyber security must look like.

Approval is not the same as endorsement. NIS2 requires management bodies to approve security risk management measures. Approval in the context of a compliance framework means informed approval: the board has understood the material risks, reviewed the proposed measures, considered alternatives, and taken an explicit decision. A board that received a briefing and nodded through a management recommendation has not approved anything in a manner that would satisfy a regulator examining governance adequacy after an incident.

Oversight is ongoing, not periodic. The requirement to oversee implementation does not mean receiving a quarterly update. It means having in place the governance mechanisms, reporting lines, escalation processes, and accountability structures that would surface a material security failure before it became an incident. A board that only hears about security when things go wrong has not been overseeing implementation. It has been receiving incident reports.

Training is a legal obligation, not a recommendation. NIS2 Article 20 explicitly requires that management body members undertake training to gain sufficient knowledge and skills to identify risks and assess their impact. Organisations that cannot demonstrate that their board members have received appropriate training are carrying a compliance risk that has nothing to do with their technical security controls.

"NIS2 does not ask whether your organisation has a security programme. It asks whether your board is governing it. The two questions have different answers in most organisations."

Ali Zeb

What good NIS2 implementation looks like in practice

Good NIS2 compliance is characterised by three things that checkbox compliance never produces: genuine board understanding, a documented decision trail, and operational security that matches the documented programme.

Genuine board understanding. The board can describe, in its own terms, the organisation's material cyber risks, the measures in place to manage them, and the trade-offs that have been made in the current security investment. This understanding does not come from a single training session. It comes from ongoing, well-structured reporting that gives directors the context to build a genuine working knowledge of the organisation's security posture over time.

A documented decision trail. Regulators examining governance adequacy after an incident will look for evidence that the board was making decisions, not just receiving information. Board minutes that record security discussions, explicit endorsements of risk appetite positions, documented escalations, and records of what was considered and why will be the difference between demonstrating good governance and being unable to defend governance at all.

Operational security that matches the documented programme. The most common and most damaging NIS2 compliance gap is the distance between the security policy and the security reality. An incident response plan that has never been tested is not a control. A third-party risk register that was last updated eighteen months ago does not reflect the current third-party risk landscape. Regulators will test the operational reality of security programmes, not just their documentation.

The supply chain dimension

NIS2's supply chain requirements deserve particular attention, partly because they extend the effective reach of the directive well beyond the organisations directly in scope, and partly because most organisations are significantly underweight on supply chain security governance relative to what NIS2 expects.

NIS2 requires in-scope organisations to address security risks in their supply chains and their relationships with suppliers. This is not a documentation requirement. It is a governance requirement: the organisation must have a systematic approach to understanding, assessing, and managing the security risks introduced by its third-party relationships, and it must be able to demonstrate that approach to regulators.

For many organisations, this represents a fundamental shift in how supplier relationships are managed. Security requirements must flow into procurement decisions, contract terms, and ongoing supplier management. The CISO's role in supplier governance must be clarified. And the board must have a view of the organisation's aggregate third-party risk that it currently does not have. Building this capability is not quick, and it is not cheap. Organisations that have not started should not be reassured by the fact that regulators are still working through initial enforcement priorities.

Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former Strategy Advisor at the NCSC and advisory member at the FCA. He advises boards and executive teams on NIS2 implementation, regulatory compliance strategy, and cyber security governance.

Disclaimer

The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.

While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.

Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.

To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.
