10 Questions You Need to Ask About the NIS2 Directive – and Why It Concerns Us All

If you’ve been following our blog, you’ve probably noticed we’re dedicating more and more attention to the NIS2 directive. The reason is simple: this regulation has the potential to significantly strengthen the cybersecurity resilience of organizations—not only those formally covered by it, but also any organization that wants to operate responsibly, sustainably, and securely.

We’ve already written about what’s coming with NIS2, DORA, and the Cybersecurity Act, and we’ve also covered penetration testing as a concrete protective measure. The message is clear: cybersecurity is no longer something to be handled “when we get around to it,” but one of today’s key business challenges.

Now is the right time to open a dialogue—not just with the IT team, but across all management levels. That’s because this is where the key shift brought by NIS2 lies: responsibility is no longer only technical—it’s managerial. Executive leadership and management take on an active role, and IT becomes a key partner in implementing real-world measures.

That’s why we’re bringing you 10 questions every organization should ask—internally, to their IT team, and to management. The goal is not control, but collaboration: to make sure we all know where we stand, where we’re going, and how we’ll get there.

1. Are We Sure Whether We Fall Under NIS2—or Not?

Ideal scenario:
“Yes, we’ve done the assessment and know exactly where we fall based on size, sector, and service type. We’re also following national implementation, as additional guidelines may be issued.”

Why it matters:
NIS2 covers a much broader range of sectors than its predecessor—including IT services, finance, energy, healthcare, transport, digital services and infrastructure, public administration, and other essential or important entities.

The assessment is not just a formality—an incorrect assumption about whether you’re covered can lead to serious consequences, including fines and reputational risk.

Even if you’re not directly covered, you’re not “off the hook”—NIS2 obligations extend through the supply chain. Covered organizations will be required to assess the security level of their partners and suppliers, which could put you under scrutiny. Ultimately, this should be a joint decision—IT, legal, and executive leadership must assess the status and associated risks.


2. Do We Have a Clear Cybersecurity Strategy?

What we should all understand:
“We have a documented plan for security measures, a timeline, responsible persons, and regular updates. The strategy includes risk management, education, threat detection, and recovery plans.”

Why it matters:
Improvisation is no longer an option. Cybersecurity must be integrated into the business strategy and monitored as part of overall risk management. If security isn’t a strategic topic—it will become a crisis. The strategy must not be just another document—it’s a planning tool and a clarity framework for moments of crisis.


3. Do We Know Where Our Greatest Risks Lie?

Ideal scenario:
“We have an up-to-date risk assessment. We know which systems need the most protection and we’re working on them continuously.”

Why it matters:
You can’t fix vulnerabilities you don’t know about. Management and IT must have a shared view of risk hotspots. This assessment is not just for protection, but for budgeting, partner selection, and employee education.

You don’t have to fix everything at once—what’s key is understanding the risks and whether they’re acceptable in your business context. It’s essential to have a mitigation plan and to set priorities deliberately and strategically. A plan alone is already a strong foundation for implementation and for demonstrating a responsible security approach—especially during audits or when engaging with partners.


4. How Are We Protecting Ourselves—And How Do We Know It’s Working?

Ideal scenario:
“We use multilayered protection and regularly test its effectiveness through simulations, monitoring, and tool evaluation. Results are documented and available to management.”

Why it matters:
Having tools isn’t enough—you need to know they’ll work when it matters most. Cyber protection must be dynamic and constantly monitored. Transparency is key.

Multilayered protection involves several defense mechanisms: access control, multifactor authentication, antivirus systems, backups, network segmentation, employee training, and incident response procedures.

Testing includes both technical checks (e.g., penetration tests, phishing simulations) and organizational preparedness—does everyone know what to do in case of an attack?

The system must not be “set and forgotten”—it should be tested, evaluated, and transparently reported to management, so that security is a conscious business decision—not an assumption.


5. Do We Have a Clear Incident Response Plan?

What we should all understand:
“We know who does what in case of an incident, how to report it, how we communicate externally, and how to restore systems. We’ve practiced it at least once a year.”

Why it matters:
In crisis situations, there’s no time to improvise. The first hours determine the scope of damage. NIS2 requires initial incident reporting within 24 hours—that’s only possible if the process is well-rehearsed.


6. Do We Have Enough People and Expertise to Implement Everything?

Ideal scenario:
“We currently cover key competencies internally and with external partners. Team members are regularly trained, and we hire certified experts for specialized tasks.”

Why it matters:
NIS2 explicitly states that organizations must have adequate, competent, and experienced staff to manage security obligations. The reality is that most teams—especially in small and medium-sized organizations—can’t cover all areas on their own.

Hiring external experts should often be seen not as a cost, but as a faster, more effective way to implement quality measures, respond more quickly, and reduce the risk of mistakes. Management needs to understand the workload and be willing to support training, external help, or new hires—because without the right people, there’s no real security.


7. Do We Regularly Test Our Security?

Ideal scenario:
“Yes—we conduct vulnerability scans, security audits, and at least one annual penetration test. We also plan regular testing of employee awareness and compliance with internal rules (e.g., phishing simulations, password use checks, remote work rules).”

Why it matters:
Not testing means assuming everything is fine—until someone proves you wrong. Regular testing shows you’re not waiting to be hacked, but actively building your defense.

You’re not just testing technical systems—you’re testing how aware employees are of security protocols and how well they follow them. People are often the weakest link—but also the most important line of defense.


8. Are We Compliant with GDPR and ISO 27001?

Ideal scenario:
“We comply with GDPR and either have or are working on ISO 27001 certification. We understand how these align and use them to meet NIS2 requirements more efficiently.”

Why it matters:
If you’ve already worked on data and information system protection—you’re not starting from scratch. NIS2 builds on existing obligations, without duplicating them. Good coordination avoids overlaps, overload, and unnecessary costs.


9. Do We Know Who’s Responsible for NIS2 in Our Organization?

Ideal scenario:
“We have a clearly designated person or team that coordinates, reports, and monitors everything related to NIS2. Management is regularly informed.”

Why it matters:
One of the biggest novelties is the personal responsibility of management. Without a clearly defined lead, it’s impossible to coordinate implementation or demonstrate compliance during an inspection.


10. Do We Have a Crisis Plan—and Do We Know How to Execute It?

Ideal scenario:
“We have up-to-date business continuity (BCP) and disaster recovery (DRP) plans. We know who does what, how we communicate internally and externally, which systems are restored first, and within what timeframe. These plans are tested regularly and we know how to activate them during attacks, outages, or data loss.”

Why it matters:
A resilient organization doesn’t only prevent incidents—it reacts quickly and effectively when they happen. A solid plan minimizes damage, shortens recovery time, and preserves trust with users, partners, and regulators—foundations of digital credibility.


Conclusion

Cybersecurity is no longer the responsibility of one team or one person—it’s a shared task across the entire organization. The IT team still plays a vital operational role, but NIS2 places clear responsibility on senior management. That’s why this guide exists—to help you open a dialogue based on real questions between IT, leadership, and key stakeholders. Because true resilience isn’t built on regulation, but on collaboration.

It’s time to stop thinking of cybersecurity as a technical issue—and start treating it for what it truly is: a strategic priority.

Request a Consultation and Assessment!

Find out today whether you’re ready for the NIS2 regulations and how secure your systems truly are—don’t worry, even if there’s room for improvement, we’re here to help you every step of the way.