Are You Making These 10 Common NIS2 Mistakes?

Think you’re NIS2 ready? Even prepared teams fall into common traps. Discover the 10 biggest mistakes and how to avoid them.

As the NIS2 Directive comes into force, many organizations are moving fast to meet new cybersecurity requirements. But speed without clarity often leads to mistakes, and those can be costly. Here are the ten most common pitfalls we see in NIS2 implementation, and how to avoid them.

1. Not Checking if Your Organization Falls Under NIS2

The most common mistake is simply not knowing that NIS2 applies to you. Many businesses assume: “That’s for hospitals, banks, or energy providers, not us.” But that’s not true. NIS2 also covers sectors such as transport, water supply, IT services, cloud, telecommunications, postal services, research, and the production of critical components.

If you are a medium or large company (50+ employees or over €10 million turnover) and operate in one of these areas, you are most likely within the scope of the NIS2 Directive (and its national implementation under the Cybersecurity Act).

Even smaller businesses outside these sectors may be indirectly affected by NIS2 – for example, as suppliers or partners of organizations already subject to the Cybersecurity Act (e.g., an IT provider for a hospital, or a manufacturer serving an energy company).

What to do

Check your status on the website of the National Security Authority (NBÚ) to see if you must register as an operator of essential or important services. Don’t wait for an official letter – it’s your responsibility to find out.

2. Thinking NIS2 Is Only an IT Problem

Many organizations see NIS2 as a purely technical issue – updates, firewalls, antivirus tools. In reality, it’s a management and organizational issue. Responsibility for cybersecurity lies with the company’s leadership, not just the IT team.

Under NIS2, cybersecurity governance is no longer optional; it is a legal obligation. NIS2 even introduces personal liability for management: if the organization neglects its duties, the NBÚ can sanction top executives.

What to do

Assign a person or team responsible for cybersecurity (for example, a CISO – Chief Information Security Officer).
Provide a clear budget, authority, and regular reporting to management. Leadership must stay involved – you can’t just “outsource” security.

3. Not Monitoring What’s Happening in Your Systems

Many companies have no idea what’s happening in their networks. They collect logs, but no one reviews them. As a result, incidents are detected days later – when it’s too late.

What to do

Implement suitable monitoring tools and assign someone to check them regularly. Focus on what matters most – administrator accounts, access to sensitive data, critical systems, and anything connected to the internet.
Visibility = protection.
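To show what "someone checks them regularly" can look like in practice, here is a small added example (not part of the original article or of any product it mentions): an automated first pass over constructed sshd-style log lines that surfaces only the events the section singles out as mattering most, namely privileged accounts logging in from outside the internal network or outside working hours, and bursts of failed logins. The account list, internal address range, thresholds and working hours are assumed values a real deployment would take from its own inventory.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd style (not taken from any real system).
SAMPLE_LOG = """\
2024-05-06T08:01:10 sshd: Accepted password for alice from 10.0.1.15 port 51022
2024-05-06T08:02:00 sshd: Failed password for root from 203.0.113.9 port 40001
2024-05-06T08:02:03 sshd: Failed password for root from 203.0.113.9 port 40002
2024-05-06T08:02:07 sshd: Failed password for root from 203.0.113.9 port 40003
2024-05-06T08:02:11 sshd: Failed password for root from 203.0.113.9 port 40004
2024-05-06T08:02:14 sshd: Failed password for root from 203.0.113.9 port 40005
2024-05-06T08:02:20 sshd: Accepted password for root from 203.0.113.9 port 40006
2024-05-06T09:15:44 sshd: Accepted publickey for backup from 10.0.2.8 port 52110
2024-05-06T22:40:02 sshd: Accepted password for admin from 10.0.1.30 port 53311
"""

# Assumed local policy values; a real deployment takes these from its asset inventory.
ADMIN_ACCOUNTS = {"root", "admin"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5                  # this many failures from one user/source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window count as a burst
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 counts as normal working time

# Deliberately narrow pattern: lines it does not understand are skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": ipaddress.ip_address(m["ip"]),
        })
    return events


def is_internal(ip):
    """True when the address lies in one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def review(events):
    """Return (kind, user, ip, timestamp) findings that deserve a human's attention."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps still in the window
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], str(e["ip"]))
        if not e["ok"]:
            window = [t for t in recent_failures[key] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("failed-login-burst", e["user"], str(e["ip"]), e["ts"].isoformat()))
                window = []  # reset so one burst is reported once, not on every further failure
            recent_failures[key] = window
            continue
        if e["user"] not in ADMIN_ACCOUNTS:
            continue  # ordinary accounts are not the priority of this pass
        if not is_internal(e["ip"]):
            findings.append(("admin-login-external", e["user"], str(e["ip"]), e["ts"].isoformat()))
        elif e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("admin-login-off-hours", e["user"], str(e["ip"]), e["ts"].isoformat()))
    return findings


def main():
    for kind, user, ip, ts in review(parse(SAMPLE_LOG)):
        print(f"{ts}  {kind:24} user={user} from={ip}")


if __name__ == "__main__":
    main()
```

On the sample data the pass reports three things: the burst of failed root logins from 203.0.113.9, the successful root login that follows it from the same external address, and an admin login from inside the network late in the evening. The ordinary user logins are left alone, which is the point: the reviewer's time goes to the handful of events the section tells you to care about, rather than to the full log.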

4. Underestimating Communication with Management

Even the best security strategy fails if leadership doesn’t understand it. If management doesn’t know the risks, they won’t allocate time, money, or people. Under NIS2, however, leadership is personally accountable.

What to do

Speak the language of business, not tech. Explain how risks could impact operations, reputation, or compliance.
Hold short regular briefings and involve management in simulated attacks – they’ll quickly see how fast things escalate.

5. Misunderstanding Risk Management

Some companies treat risk management as a checkbox exercise – a list written once and never reviewed. Others go overboard with complex registers full of jargon that no one uses. Neither approach works.

What to do

Start simple: list your key systems and business processes, then ask: What happens if it fails? What could cause that? How can we prevent or recover quickly?
Use clear, plain language. Involve non-IT staff. Every identified risk should lead to a real, practical action, not just a color-coded score.

6. Writing Security Policies No One Reads

Many companies download templates, add their logo, and call it a “security policy.” But if no one knows it, reads it, or follows it, it’s worthless.

What to do

Keep your policies short, clear, and realistic.
Focus on essentials:

  • how access is granted,
  • how updates are handled,
  • how incidents are reported,
  • how data is protected.

Adjust the level of detail for different roles (employees vs. admins) and keep policies up to date.

7. Ignoring Third-Party Risk

Cyberattacks often spread through suppliers – software, services, or cloud platforms. If your partner is not secure, you’re still responsible. NIS2 explicitly requires organizations to manage third-party and supply chain risks.

Don’t forget to assess your own exposure to vendors – especially through software updates, managed IT services, and cloud integrations. A single weak link can compromise your entire network.

What to do

List all vendors and service providers who have access to your systems or data. Ask about their security practices, certifications, and incident processes. Include cybersecurity clauses in contracts – for example, ISO 27001 requirements or notification deadlines for incidents.

8. Having No Plan for When Things Go Wrong

Many companies hope they’ll never face a cyber incident. But in today’s world, it’s not if, but when.
Without a plan, chaos follows – confusion, delays, missed reporting deadlines.

What to do

Create a clear incident response plan that defines who does what, how to communicate, and when to report to the NBÚ (within 24 hours). Test the plan regularly – at least once a year with a simple simulation.

9. Neglecting Employee Training (or Doing It Only Once)

The weakest link in cybersecurity isn’t technology – it’s people. Most incidents start with one careless click on a phishing email.

What to do

Run regular, practical security awareness training for everyone, not just IT staff. Use short sessions with real-world examples (fake emails, suspicious links). Encourage employees to report suspicious activity confidently.

Track participation and completion rates – NIS2 auditors may request evidence that your staff received and understood the training.

10. We Wrote the Documents. We’re Done.

Cybersecurity isn’t a one-time project. Technology, threats, and your business all change. Your defenses must evolve too.

What to do

Review your risk assessments, policies, and incident plans at least once a year or after major system changes.
Run tests, phishing simulations, or tabletop exercises. Treat mistakes and near-misses as opportunities to improve.

Final Thought: NIS2 Is Not a Threat – It’s an Opportunity

NIS2 isn’t something to fear. It’s a framework to make your organization safer, more trusted, and more resilient.
Those who prepare early will gain more than compliance – they’ll gain confidence, reliability, and competitive strength.

How Tazilla Helps

Tazilla guides you step by step through NIS2 compliance – from identifying whether you fall under the directive, through risk assessment, policy creation, employee training, and incident response planning.
All in one platform, built to make cybersecurity simple and practical.
