Compliance with NIS 2 should not be seen solely as an administrative burden, but as a strategic project that can bring value to the company. True, the directive imposes new obligations and binding deadlines, but it can serve as a catalyst for improving the organization's overall cybersecurity and resilience posture. For CIOs and CISOs, the challenge is to transform this constraint into an opportunity: an opportunity to convince management to invest, to clean up processes, to remove silos, to adopt better tools, and so on. In short, to kill two birds with one stone: comply with the law and be more robust in the face of cyber threats.

A complex project requiring anticipation and coordination

Let’s face it, achieving NIS 2 compliance will be a multidisciplinary undertaking. According to estimates, a complete compliance process (analysis, remediation, implementation of tools) can take around 12 months for an average organization (NIS2 Requirements | 10 Minimum Measures to Address). Yet the regulatory deadline is short: transposition in October 2024, then immediate application (even if regulators might be tolerant for a few months, the pressure will be on). A survey carried out in 2023 showed that 55% of companies did not yet feel ready for NIS 2 (Enjeux et points clés de la Directive NIS 2 pour votre organisation – Onet France). And among the IT managers questioned, 80% said they were confident of getting there in time ([Infographie] NIS2 : les entreprises entre confiance et défis)… which may reflect some optimism, or an underestimation of the effort still required.

CIOs/CISOs must therefore assume the role of conductor for this compliance project. This is an atypical project: at once technical (IS security must be improved), organizational (new procedures must be set up, people must be trained), and legal/compliance (everything must be documented, reported and discussed with the authorities). This means mobilizing several corporate functions: IT, of course, but also legal, HR (for training), purchasing (for suppliers), business continuity, etc., not forgetting top management, as we have seen.

An effective approach could draw on classic project management methods: establish project governance (steering committee, executive sponsor, dedicated project manager), define a project plan with phases and milestones, and monitor progress against these milestones. For example, the NIS 2 project can be broken down into phases: 1) initial diagnosis, 2) remediation plan & prioritization, 3) implementation of technical/organizational measures, 4) tests and adjustments, 5) final compliance audit. Each of these phases may comprise multiple tasks and sub-projects.

Obtaining resources is a critical point. You will undoubtedly need to justify a budget (consultant hours, purchase of solutions, possible recruitment) to management. To do this, use the risk and penalties argument, but also the positive discourse: “Investing €X now can save us a fine of 2% of sales and, above all, avoid a costly crisis”. Also stress that what is being done for NIS 2 will benefit other dimensions (GDPR, business continuity, etc.). In addition, mention the possibility that your customers will demand your NIS 2 compliance (cascade effect in calls for tender), so it’s also a preventive business investment.

Recommended action plan for tackling NIS 2 compliance

A successful NIS 2 project means doing the right things (security) and documenting them (compliance). Here’s a summary action plan that CIOs/CISOs can follow:

  1. Project launch and governance: Appoint a project manager (e.g. the CISO or a dedicated project manager) and a management sponsor (CEO, risk manager, etc.). Set up a multi-disciplinary project team with representatives from each department involved. Organize a kick-off meeting to explain the directive, stages and timetable to everyone involved.
  2. Initial diagnosis (Gap Analysis): Take stock of where you stand with regard to NIS 2 requirements. For each requirement, record its current status. For example: “Requirement: management training – Status: not done”, “Incident notification procedure – Status: exists but needs to be formalized”, “Generalized MFA authentication – Status: 70% of applications covered”, etc. Rely on external audits if necessary to objectively assess the technical side. Identify strengths too: some requirements may already have been met thanks to your previous efforts (e.g. if you were ISO 27001 or LPM/OIV compliant).
  3. Prioritization and remediation plan: Based on the gap analysis, categorize the gaps to be closed as high, medium or low priority. High priority = major risks or critical obligations not met. For example, absence of an incident plan = critical. For each point, define the action to be taken, the owner and the target deadline. This forms your roadmap. Try to spread the work over time, so as not to do everything at the last minute – the ideal being to aim for near-compliance by the end of 2024 for peace of mind.
  4. Implementing measures: Carry out the plan. This will vary greatly depending on the action: it can range from “drafting a document” to “deploying a new EDR tool on 1,000 workstations”. Monitor progress regularly at steering committee meetings. Don’t hesitate to delegate certain tasks to specialized service providers or consultants, particularly on specialized subjects (e.g. specific training of the Board of Directors by an expert, configuration audit, etc.). Keep the target date in mind, and adjust the plan in the event of drift.
  5. Documentation and compliance: Alongside the technical aspects, work on your compliance documents. Prepare as of now the elements that may be requested: security policy validated by the General Manager, board training minutes, security incident register, etc. Put together an NIS 2 file where you can store all the evidence of what you’re doing. This will facilitate the final phase and any inspections.
  6. Final test and mock audit: Once all the actions in the remediation plan have been completed, carry out an internal audit to check that all NIS 2 requirements are covered. Simulate a request from ANSSI, for example, and see if you can provide all the elements (documents, proof). If any weak points remain, correct them as far as possible. This dry run gives you confidence for the future.
  7. Maintaining compliance: NIS 2 is not a one-shot deal; you’ll need to maintain this level of compliance over time. For example, add the annual cyber governance review to the board’s agenda, schedule regular audits, and so on. Keep an eye on developments too: security must remain aligned with the state of the art (the directive talks of “state of the art” – what is acceptable today will no longer be acceptable in 5 years’ time). Plan for continuous improvement.

By following this plan, not only will you bring your organization into compliance, but you will also have structured a genuine cybersecurity management system. This system will serve you well beyond NIS 2: for example, to comply with other standards (other European texts such as DORA – Digital Operational Resilience Act – are on their way, and you’ll already be in the starting blocks). You’ll also have raised awareness internally, clarified procedures, eliminated redundancies – in short, improved your operational efficiency. One study suggests that, properly managed, compliance can even lead to 40% greater operational efficiency through process automation and optimization. A handsome return on investment.

Smart Global Governance – your ally for successful and sustainable NIS 2 compliance

The program we have just described may seem ambitious. That’s where a solution like Smart Global Governance comes into its own: by centralizing the effort, automating monitoring and ensuring the sustainability of processes, it helps you to successfully complete your NIS 2 project and reap the benefits over the long term.

  • Global project management: Smart Global Governance offers a programmatic view of compliance. You can create an NIS 2 compliance plan within the tool, with the various phases and tasks assigned. The project dashboard displays the percentage of progress, overdue tasks, etc., facilitating reporting to the steering committee. Each team member sees their tasks in their interface, with clear deadlines. This transparency improves coordination and accountability.
  • Multi-business collaboration: As the platform is accessible to all stakeholders (with appropriate rights), it serves as a central point for collaboration. For example, the legal department can post revised contracts with NIS 2 clauses, the CISO can track technical deployments, and HR can certify training courses… This breaks down silos. No more scattered information in e-mails or local files: everything is gathered together, reducing the risk of forgetting and wasting time chasing information.
  • Automated reminders and follow-ups: to keep up the pace, Smart Global Governance integrates automatic reminder mechanisms. If a task is not completed by the due date, the person in charge receives notifications, and the manager can be alerted. The same goes for recurring controls: the tool can remind you that it’s time for the annual security policy review, or to test the DRP this quarter. In this way, compliance routines can be permanently anchored without the need for manual follow-up.
  • Knowledge base and best practices: Smart Global Governance includes pre-configured content and guides aligned with the directive. For example, a checklist of NIS 2 requirements is available in the tool to help you with the initial diagnosis (with a description of each requirement and, where appropriate, suggestions for controls to be put in place). In this way, you benefit from Smart Global Governance’s integrated expertise, the fruit of its experience with numerous customers. It’s like having a virtual consultant to guide you step by step.
  • Scalability and adaptability: The platform is constantly updated to incorporate the latest regulatory developments and best practices. If new directives or standards are added (and we know there will be more), you can integrate them into your Smart Global Governance ecosystem without starting from scratch. Its modularity means you can add new modules as and when you need them. Your investment is future-proof: you can use it for NIS 2 today, and for other challenges tomorrow.
  • Measuring the benefits: Smart Global Governance doesn’t just help you tick boxes, it helps you measure their impact. Thanks to risk, compliance and incident indicators, you can concretely demonstrate the improvements achieved (e.g. lower residual risk levels, reduced average incident response time, etc.). These data are invaluable for demonstrating the value of the work accomplished to management and stakeholders. They transform compliance into meaningful, manageable figures.

In short, Smart Global Governance acts as both an accelerator and a stabilizer for your NIS 2 program. In the project phase, it accelerates the achievement of compliance by providing structure and support. In the long term, it stabilizes the gains made by ensuring that processes remain on track and that continuous improvement is the order of the day. What’s more, by centralizing everything, it saves time: our customers often see a 30-50% reduction in the time spent on administrative compliance tasks thanks to automation.

Finally, using Smart Global Governance sends a positive signal to your stakeholders (authorities, customers…): it shows that you have opted for a professional, proactive approach to managing cybersecurity and compliance. You’re not just reacting, you’re anticipating and achieving operational excellence. That’s how NIS 2 compliance becomes a real asset of confidence and performance for your organization.

Conclusion: The NIS 2 directive is a major challenge for CIOs and CISOs, but by methodically addressing its various facets – requirements, governance, third-party risks, incidents, security measures, project management – it can become a lever for strengthening your company’s overall response to cyber risks. Throughout this series of articles, we have explored the issues and best practices surrounding NIS 2. With the right mindset, the right tools and cross-functional involvement, NIS 2 compliance isn’t just another line on the list of obligations: it’s an opportunity to put cybersecurity at the heart of strategy, and gain resilience over the long term. Smart Global Governance is committed to working with you to transform these new requirements into opportunities for progress. On the road to NIS 2!
