NIS2 READY
The incident was over. Systems were running again, the pressure had eased, and a sentence was heard in the room that was meant to close the discussion:
“But we had an internal policy.”
They did. In a PDF. Approved, signed, and formally correct. And yet, it did not help.
Not because it was bad or poorly written, but because a document, in a critical moment, does nothing. It does not stop an attack, restore systems, or help when fast decisions must be made. This is where one of the biggest misconceptions surrounding the implementation of NIS2 becomes evident.
When Regulation Becomes a “Real” Problem
Many organizations openly state that they will fully address NIS2 only once it has been transposed into national legislation and creates a clear legal obligation for them. From a legal perspective, this position is, to some extent understandable. A European directive does not impose obligations directly on individual entities – it becomes binding only after it is implemented into national law.
However, this formal milestone does not change the reality of cyber risks. An incident does not follow the legislative timetable or the effective date of a law. An attacker does not distinguish between the period “before” and “after” transposition, nor does it matter whether an official decision or notification has already been issued by the authorities.
Waiting may delay the emergence of a legal obligation.
It does not delay the risk itself or the responsibility for its consequences.
A Document Is Not a Control
Many organizations unknowingly confuse a document with a control. The logic seems simple – if there is an internal security policy, then a security control exists. Reality, however, works differently. A policy describes how things are supposed to work. A control is what continues to work even when there is no time to read documents.
Document-only approach
- Backup policy stored in PDF
- Incident response plan on SharePoint
- Signed, approved – rarely used
Real security control
- Regularly tested backups
- Incident playbooks executed in drills
- Clear ownership with defined decision authority
The difference is not in documentation. The difference is in execution.
Regulatory frameworks, including NIS2, are not designed to reward formal confirmations or “paper-based” approvals. They primarily assess whether the adopted measures genuinely reduce risk and are usable in everyday practice. What matters is not their form, but their ability to function effectively even without an audit, a presentation, or additional explanation.
What the Difference Looks Like in Practice
The difference between a document and a control becomes most visible in real situations.
A backup policy alone guarantees nothing. The actual control is having offline backups that are regularly tested.
An incident response plan stored in a PDF will not prevent chaos if people do not know whom to call and what to do in the first minutes of an incident.
Training fulfills its purpose only when it is reflected in employees’ behavior – not in a signed attendance sheet.
During an audit, an organization has the opportunity to provide explanations, submit documentation, and respond to questions. During an incident, time does not exist. Decisions are made under pressure, with incomplete information and with real impact on the business. This is exactly the moment regulation looks back at – not by asking whether a document existed, but whether the adopted measures actually worked.
What This Means
A PDF may pass an audit. A security control must survive an incident.
The difference between documentation and real preparedness often becomes visible only when there is no longer time for explanations. That is precisely why it is risky to treat regulation as a formal obligation that will only be addressed once it is legislatively “confirmed.”
Security is not about what you have stored on a drive.
It is about what works when things get tough.
At Tazilla, we therefore approach policies and controls as part of an interconnected system – linked to specific risks, services, and designated owners. Documentation is not the goal. It is a by-product of effective risk governance.
Because preparedness is not demonstrated by paperwork.
It is demonstrated when, in a critical moment, everyone knows exactly what to do.
