Possible pitfalls in the use of NIS2
- oliverluerssen7
- 4 days ago
- 2 min read

When implementing the NIS2 Directive, companies can make various mistakes that not only jeopardize security, but can also lead to significant sanctions and personal liability. The sources identify the following critical areas in particular:
1. Neglecting governance and management responsibility
A key mistake is to treat cybersecurity merely as an IT issue rather than a matter for executive management.
- Insufficient involvement of senior management: Management bodies must not only approve risk-management measures, but also actively monitor their implementation.
- Ignoring personal liability: Members of management can be held personally liable for breaches of due diligence obligations in the area of risk management.
- Lack of training: Management bodies are explicitly required to participate in training so they can assess cyber risks. Failure to meet this training obligation constitutes a direct compliance violation.
2. Too narrow a focus in risk management
Companies often make the mistake of focusing only on technical cyber defense and ignoring other risks.
- Missing all-hazards approach: NIS2 requires systems to be protected against all physical and digital events. It would be incorrect to exclude physical threats such as theft, fire, flooding, or power outages from security concepts.
- Insufficient consideration of the supply chain: Companies must assess the security practices of their direct suppliers and service providers. Failing to review supply-chain security (for example through contractual arrangements) is explicitly identified as a risk.
- Lack of effectiveness review: It is not enough to implement measures once. A mistake is the absence of procedures to regularly review and assess the effectiveness of these measures.
3. Errors in incident reporting
The multi-stage reporting process is strictly time-bound; delays can be treated as serious violations.
- Missing the 24-hour deadline: The “early warning” must be issued within 24 hours of becoming aware of a significant incident. Many companies underestimate how quickly this must happen.
- Incomplete reporting: After the early warning, a detailed assessment must be submitted within 72 hours. A common mistake is insufficient preparation for these short intervals.
- Failure to inform users: If an incident could affect service recipients, they must be informed without delay. Failing to do so can undermine trust and have legal consequences.
4. Weaknesses in the organizational foundation (“cyber hygiene”)
Implementation often fails because of basic organizational shortcomings.
- Lack of cyber hygiene: The Directive requires basic procedures such as software updates, secure password rules, and network segmentation. Relying on complex tools while neglecting these basic measures is a strategic mistake.
- Inadequate authentication solutions: NIS2 requires the use of multi-factor authentication (MFA) where appropriate. Omitting this creates a significant security gap.
5. Incorrect assessment of applicability
A fundamental mistake is misinterpreting the scope of application.
- Underestimating the “size-cap” criterion: Companies may wrongly assume they are not covered because of their size (for example, as an SME), even though they still fall within the Directive due to their sector affiliation or their role as the sole provider of a critical service.
- Failure to register: Affected entities must submit certain basic information (name, IP addresses, sectors) to the authorities. Failing to do so impedes government oversight and is subject to sanctions.
Editorial note: This text does not reflect CANCOM’s opinion, and it is neither legal advice nor a recommendation.