
Practical NIS2 preparation: insights beyond compliance

Author: Expert of the InfoSec division

Date: 2026.07.02

For many organizations, NIS2 preparation has proved to be far more than documentation. Our GRC team has supported clients with risk analyses, policies, security plans, inventories, business continuity materials, incident procedures and audit preparation. The real effort depended strongly on client maturity: missing inputs, parallel projects and limited resources often slowed progress.

The key lesson is simple: successful preparation starts with understanding systems, processes, responsibilities and risks.

The main challenge: lack of foundational elements

In many projects, the basic prerequisites were only partially available. System lists were incomplete or outdated, process inventories were missing, data asset inventories were not available, or the exact scope was unclear.

NIS2 deliverables build on each other. Risk analysis needs a reliable system and process view; a system security plan needs classification, tailored controls and a clear reference structure. During the audit, controls must be demonstrated.

Preparation begins with transparency, not document production.

Factors determining project success

Project efficiency depended less on methodology and more on whether the necessary client-side information was available.

The most important conditions were:

  • Accurate identification of systems
  • Clear assignment of responsibilities
  • Clarified operational processes
  • Timely delivery of required inputs

Where these foundations existed, preparation was faster. Where they were missing, filling the gaps required extra work. Preparation is not linear: tasks build on each other, run in parallel and need refinement.

Cost: not just documentation

The work usually appeared in two areas: creating and approving documents, and collecting and structuring the information behind them. In many cases, both required similar effort, so NIS2 should not be planned as simple document writing.

Methodology: consistent foundations adapted to each client

Regulatory changes and unclear expectations made preparation harder. The methodology had to rely on stable professional foundations, while adapting to size, IT complexity, outsourcing, maturity and risk profile.

Audit: evidence is a key issue

Audit requests usually expect answers that describe the operational solution, identify the evidence and connect it to the requirement. What is not properly documented is difficult to defend. Incomplete controls can still be managed if they are identified as deviations and supported by an action plan.

How artificial intelligence contributes

AI proved useful for drafting, structuring and accelerating certain tasks. However, audit materials must reflect real operations, existing documentation and available evidence. AI can speed up work, but it cannot replace GRC, IT security and operational expertise.

Leadership attention is a real result

A positive effect of NIS2 is that information security has reached management level in many organizations. In several cases, compliance pressure also led to clearer responsibilities, more conscious risk management and stronger attention to security investments.

Compliance requires ongoing effort

NIS2 compliance does not end with the audit. Long-term operation requires:

  • Continuous maintenance of documentation
  • Regular risk analysis updates
  • Management of deficiencies through an improvement plan
  • Up-to-date records
  • Risk-based internal security assessments

Successful organizations embed the requirements into daily operations instead of restarting before each audit.

Key takeaways for organizations

NIS2 is complex, and it demands preparation. Success depends on clear scope, up-to-date inventories, realistic risk analysis, structured documentation, proper evidence and management commitment.

External experts can support the process, but cannot replace an organization’s own operational knowledge. NIS2 creates real value when compliance also improves transparency, risk awareness and cybersecurity resilience.
