
From False Confidence to Cyber Resilience – Valuable lessons

In combat sports, the person with the most strength does not always win. Nor does the one with the most spectacular technique. Anyone who has ever truly stood on a mat knows that everything begins with something much simpler: balance. A good stance. Feet planted firmly. Control over your body, your timing, your response. The moment that foundation is missing, defeat often begins before the first real blow is even struck. One wrong movement, one moment of instability, and you are no longer in control. What follows is not just a hit or a fall, but often a chain reaction that you can no longer stop.

Digital resilience works in exactly the same way.

Here too, it is not about one expensive tool, one clever trick, or one impressive security measure. It is about balance across every phase: preparation, detection, response, recovery, and governance. Those who stand unevenly, who rely too heavily on technology without discipline, on compliance without practice, or on trust without verification, will sooner or later lose their balance. And in a digital fight, that rarely means an isolated incident. It quickly becomes a domino effect: a compromised account leads to lateral movement, a weak supplier opens the door to core systems, and a delayed response turns a breach into a crisis.

That is precisely the harsh reality Europe must face today. While critical and essential entities are still struggling with the practical translation of NIS2 into their daily operations, nation-state hackers often seem to have done their homework better. They do not wait for policy discussions, implementation roadmaps, or interpretative frameworks. They analyze, test, rehearse, and strike where balance is missing. Not necessarily where the defense looks weak, but where it is structurally unstable.

The painful question at the launch of NIS2 is therefore not only whether Europe has built a strong regulatory framework. The real question is whether that framework is being put into practice in time, consistently, and maturely enough to hold when the first real pressure comes. A resilience strategy that sounds good on paper but fails to create a stable operational foundation is like a fighter with beautiful technique but no ground beneath his feet: impressive until first contact, and dangerously vulnerable after that.

If NIS2 is to be an answer to the growing threat of state-sponsored cyberattacks, then its rollout cannot become an administrative exercise. Because cyberspace follows the same law as the ring: whoever loses their balance loses control. And whoever loses control rarely drags only themselves down.

Then came the day when it was no longer theoretical. No more risk analysis, no more maturity slide, no more board memo with open action points, but a screen in the office displaying a short, cold message from the attacker: we have moved your data to a safe location over the past few weeks. What still felt like ‘normal operations’ to the company turned out, in reality, to have been a digitally occupied environment for months. Systems were infected, administrative rights had been systematically taken over, access paths had been replaced by accounts controlled by the attacker, including the associated MFA. The doors were not merely open; the locks had already been changed.

While the company was still trying to reassure itself with the thought that ‘the core was still running,’ the enemy had long since mapped the digital heartbeat: who had access, which processes were critical, which integrations were essential, which backups were usable, and which were not. Then came the merciless logic of dismantling: file encryption, halted processes, unreliable communication, management left blind, IT stripped of control, and an organization that was not merely attacked, but digitally demolished.

In companies that lack coherence across systems, governance, and risk management, such an attack does not become an incident but a dismantling. Then you see what happens when resilience is not built across all ZT9 layers. Technology then operates separately from policy, risks were once listed but never translated into real choices, responsibilities are fragmented, suppliers are deeply embedded in the chain without sufficient oversight, and crisis procedures exist mainly on paper. The result is devastatingly simple: nobody sees the full picture, nobody intervenes in time, and everyone discovers too late that the attacker understood the organization better than the organization understood itself. At that point, this is no longer a company that is ‘under pressure.’ It is an enterprise being stripped operationally, administratively, and strategically at the same time — not in one explosion, but in a series of perfectly placed pushes against a structure that had long been out of balance.

NIS2 is specifically intended to prevent that scenario. Not by giving companies another binder of procedures, but by forcing them to finally treat digital resilience as a matter of governance responsibility. The directive rightly starts from the idea that cybersecurity does not end with firewalls, antivirus, or an IT team that ‘is doing its best.’ It is about risk management, supply-chain control, responsibility, detection, response, and recovery — in short, about governance grip over digital continuity. But that is exactly where failure at launch threatens to occur. In too many organizations, NIS2 is still approached as a compliance project, as a checklist, as a documentation exercise that mainly has to demonstrate that people are ‘working on it.’ Nation-state attackers, however, do not wait for audits. They do not attack based on what is missing on paper, but on what does not work in practice.

And that is where it becomes painful. Because when a company does not have its foundations in order, it does not help that somewhere a policy has been approved, a risk register exists, or a supplier has been contractually ‘assessed.’ If governance does not intervene, if risk analysis does not lead to real measures, if detection comes too late, and if recovery has not been tested, then NIS2 remains a starting gun without acceleration. Then you get a launch platform without load-bearing capacity: formally launched, but operationally still loose sand. And it is precisely in that gap between ambition and execution that the adversary settles in. Not because Europe has no rules, but because too many organizations still behave as though time, discipline, and structural exercise are optional.

The Domino Effect

Successful policy is not about transforming people into ‘human firewalls,’ but about realistically incorporating human failure into resilience.

That term may sound attractive, but it often starts from a dangerous illusion: as if people, given enough training, could become an infallible defensive wall. In practice, we know that even a literal firewall can fail because of a production defect in the power supply, overload, a wrong intervention by an engineer, or the absence of redundancy. Why, then, would we expect people to function perfectly under pressure? Human beings built the digital world, but along the way they sometimes forgot that they are not gods. In every system designed, managed, and used by people, failure is always lurking somewhere as well. That is not an exception to human nature; it is a fixed part of it.

That is precisely why resilience must start from realism, not slogans. Panic arises during an attack. That is human. Yet it is exactly in those moments that logical thinking should be the guide. The problem is that acting logically under pressure does not arise automatically. It requires preparation, rehearsal, role clarity, clear escalation, and above all an organization that understands that people are not a perfect control layer, but a crucial link in a larger whole of governance, processes, technology, and decision-making. Anyone who treats staff as the last defensive wall is really building a strategy on hope. Anyone who sees staff as a factor that must be supported, trained, guided, and structurally embedded is building real resilience.

Again and again, root-cause analyses of severe cyber incidents reveal the same painful conclusion: the signals were there, the weaknesses were visible, but they were not recognized, named, or translated into action in time. What often then surfaces is an almost predictable top ten of shortcomings that a well-trained and critically functioning internal audit capability should have seen coming. Not because auditors must know everything, but because their role is precisely this: to look through the illusion of certainty, expose organizational self-deception, and dare to name where training, governance, and risk management in reality fall short.

Top 10 Findings That Almost Always Surface After a Devastating Attack

After a major cyberattack, the same humiliating conclusion often follows: the attack was advanced, but the company’s collapse usually was not. That collapse was often banal, predictable, and human. In the root-cause analysis, no magical sabotage formula appears, but rather a painful top ten of shortcomings that were able to grow for months or years beneath the surface. More often than not, they were visible to anyone who genuinely wanted to look. It simply did not happen, or far too late.

1) Training was mandatory, not an embedded competence. Employees attended training because they had to. They clicked through awareness modules, signed attendance lists, and perhaps even achieved a neat quiz score. But under pressure, that knowledge did not live in behavior, decision-making, or escalation. Training had become compliance, not readiness. And when the attack came, people did not react badly out of unwillingness, but out of lack of preparation.

2) The organization believed in the myth of the human firewall. People acted as if staff were the final, strong defensive wall, while forgetting at the same time that people can also panic, hesitate, misinterpret, or freeze under pressure. An organization that builds its resilience on the assumption that personnel will always act rationally and flawlessly is not building a defense, but an illusion. People must be supported by processes, clear roles, good tooling, and rehearsed decision-making — not glorified as a miracle cure.

3) The digital general sold management a system with expensive words and poor results. In many organizations, the same figure appears sooner or later: the digital general. The person who speaks with great flair about maturity, zero trust, AI detection, next-generation architecture, threat intelligence, resilience frameworks, and strategic roadmap transformations. In meeting rooms it sounds impressive. In dashboards it looks reassuring. But when the attack really comes, it turns out that behind the expensive words there was no robust operational striking power. Detection came too late, escalation got stuck, access management was not in order, recovery had not been tested, and management discovered too late that it had mostly bought a story — not resilience.

4) Governance watched, but did not steer. Cybersecurity was formally discussed, but rarely truly governed. The board received summaries, KPIs, and status updates, but asked too few difficult questions about dependencies, residual risks, crisis readiness, and measurable resilience. This created a dangerous governance blindness: people thought control existed because reporting existed. But reporting without steering is not governance. It is administration with reassuring formatting.

5) Risk management was a register, not a guiding instrument. Risks had once been neatly listed, classified, and perhaps even given colors and scores. But they had not been translated into concrete choices, priorities, and investments. As a result, risk management lived beside the operation instead of within it. During the attack, it then became clear that the real crown jewels were not adequately protected, that critical dependencies were not sharply understood, and that the organization was mainly good at describing risks, not controlling them.

6) Internal audit saw forms, not reality. In too many cases, audit was reduced to checking the presence of documents, signatures, records, and procedural texts. But an internal auditor who is insufficiently trained, lacks enough operational insight, or remains too close to the internal comfort zone misses exactly what matters: the gap between paper and practice. Then an audit passes while escalation paths are unclear, access rights are drifting, logging is barely usable, and crisis teams have never exercised together. The attack then reveals what audit should have dared to name.

7) No real tabletop exercises were conducted. This is often one of the most destructive shortcomings. On paper, a crisis plan existed. There may even have been an incident procedure. But the CEO, Finance, Marketing, Compliance, Legal, and IT had never practiced together in realistic scenarios. As a result, exactly what you want to avoid arose during the crisis: confusion, contradictory messages, delayed decisions, and an organization that already sounded internally divided before the outside world had heard anything. Communication became a blur. The CEO waited for technical confirmation, Finance thought about payment and liability, Marketing wanted to reassure, Compliance asked about notification duties, and nobody was pulling the whole together any longer. Customers feel that immediately. Trust is then lost not only because of the attack itself, but because of the chaotic way in which a company communicates while visibly losing control.

8) Identities and access were treated as IT administration, not as a strategic control layer. Many organizations underestimate how quickly an attacker can truly take over an environment when admin rights are poorly managed, shared accounts continue to exist, privileges are insufficiently restricted, and MFA is used as a tick-box rather than as a robust control mechanism. As soon as the attacker manipulates or replaces administrative identities, the balance of power shifts completely. From that moment onward, the organization is no longer defending itself, but discovering that its own keys no longer belong to it.

9) Recovery capability was assumed, not proven. Backups were ‘present,’ disaster recovery ‘existed,’ and people assumed systems could simply be restarted. But there is a world of difference between theoretical recovery and demonstrable recovery. During the attack, it became clear that backups were incomplete, recovery sequences were unclear, dependencies were underestimated, and responsibilities during recovery had not been sharply assigned. It then becomes painfully obvious that a company is failing not only in prevention, but also in the ability to get back on its feet.

10) The organization did not know its own digital heartbeat. Perhaps the harshest conclusion of all. The attacker often knew better than the company itself which processes were critical, which suppliers were essential, which mailboxes were strategic, which data was sensitive, which decision-makers were delaying, and where the real pressure points of the enterprise were. That is the moment when the illusion completely breaks: not only was security weak, but self-understanding was too. An organization that does not know its own digital heartbeat gives the adversary the chance to map it — and then shut it down deliberately.

Perhaps the most painful lesson is not that these shortcomings exist, but that they are rarely unexpected. They grow in silence, fed by overconfidence, fatigue, internal false certainty, and the comfort of words that sound stronger than reality. That is exactly why ZT9 is not an exercise in fear, but in honesty: not to declare people unbreakable walls, but to bring an organization into such balance that human failure does not automatically lead to digital collapse.

‘Preparation Is Half the Work’

Although the NIS2 transposition deadline was already 17 October 2024, ENISA still emphasized throughout 2025 and 2026 that practical implementation remains a challenge and that additional technical guidance is needed for real execution. That is exactly the field in which professional attackers thrive: they do not wait until critical companies have finished their homework. They prepare methodically, often better than their target does.

In plain language, the preparation of a well-organized attacker often looks like this:

1) They do not choose a victim, but an imbalance. They do not first look for the biggest company, but for the organization where technology, governance, and crisis readiness are out of balance.

2) They study the digital heartbeat. They map which processes are critical, who makes decisions, where dependencies lie, and which systems absolutely must not fail.

3) They gather human intelligence. They look at functions, hierarchy, suppliers, absences, communication style, and which people have access, influence, or time pressure.

4) They test the front door without making noise. Phishing, stolen credentials, abuse of external access, or a weak supplier often provide access faster than brute force does.

5) They look for administrative rights, not just files. Because whoever controls admin rights ultimately also controls recovery, logging, access, and decision-making.

6) They remain quiet long enough to seem normal. Not every attack starts with encryption. First they want to understand, copy, position themselves, and only then disrupt.

7) They move laterally through the network. From one account to multiple systems, from one mistake to structural control, from an incident to a company-wide crisis.

8) They undermine trust before they strike. They manipulate mailboxes, accounts, rights, and sometimes even MFA, so that at the crucial moment the organization no longer knows what is still reliable.

9) They count on chaos in the boardroom. If the CEO, Finance, Marketing, Legal, and Compliance have never exercised together, they know that communication will quickly break down before recovery even begins.

10) They strike hard only once the exit has also been blocked. Only once data is gone, access is under control, and recovery proves weak does the visible blow follow: encryption, extortion, and public humiliation.

Conclusion

And while critical companies are still debating the roadmap, budget, and responsibilities, the adversary may already have been in the locker room for months, warmed up and ready — tight plan, clear roles, no noise, no doubt.

From False Confidence to Cyber Resilience: An Action Plan with Clear Objectives

If Europe wants to avoid NIS2 being remembered as a strong law with a weak landing, then more is needed than deadlines, policy notes, and compliance overviews. Cyber resilience does not arise by itself. It is built — step by step, layer by layer, person by person. Not as a reaction to panic, but as a deliberate choice to break the domino effect before it begins.

A good action plan therefore does not start from the question of how an organization can appear ‘safe enough,’ but from the question of how it remains standing when things go wrong. That requires clear objectives.

The first objective is governance grip.

Executive management and the board must treat cyber resilience as a continuity and survival issue, not as a technical side file. That means taking ownership, setting priorities, understanding residual risks, and enforcing that risk analyses lead to real measures. Governance must not only receive reports, but provide direction.

The second objective is to gain visibility over the digital heartbeat.

Every organization must know exactly which processes are critical, which systems are essential, which suppliers create supply-chain risk, and which data makes the difference between temporary disruption and strategic dislocation. Whoever does not know their own nervous system cannot protect it. And whoever does not protect it gives the attacker free rein to shut it down.

The third objective is to make access control and recovery a core priority.

Identities, admin rights, MFA, segmentation, logging, backups, and recovery procedures must not remain fragmented IT topics. These are the links that determine whether an attack remains an incident or grows into a systemic crisis. Organizations must therefore not only implement controls, but prove that they work — even under pressure.
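As an added example (not code from the article or from nis2.news), the following Python script audits a constructed identity inventory for the conditions that finding 8 and the third objective describe: shared credentials, admin accounts without MFA, admin accounts that rely only on weak second factors, privileges spread across too many systems, stale privileged accounts, and second factors recently added to privileged accounts, which is the pattern in which access paths and their MFA are replaced by an attacker. The account records, the thresholds, the list of weak factors and the system names are all assumptions made for the example; an organization would feed it from its own directory and IAM exports.

```python
"""Identity and access audit over a constructed inventory (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    owners: tuple            # people who know the credential (assumed field)
    admin_on: tuple          # systems where the account holds admin rights
    mfa_factors: tuple       # enrolled second factors, e.g. "fido2", "totp", "sms"
    last_used: date
    mfa_changed: Optional[date] = None  # last time a second factor was added/replaced

# Thresholds are assumptions for this example, not values from the article.
STALE_DAYS = 90                 # privileged account unused this long is suspicious
RECENT_MFA_CHANGE_DAYS = 14     # MFA re-enrolment on an admin this recently needs review
WEAK_FACTORS = {"sms", "email"} # factors that are easily phished or redirected
MAX_ADMIN_SCOPE = 3             # admin on more systems than this is "insufficiently restricted"

def audit_accounts(accounts, today):
    """Return (account, finding-type, detail) tuples for every weak spot found."""
    findings = []
    for a in accounts:
        privileged = bool(a.admin_on)
        if len(a.owners) > 1:
            findings.append((a.name, "shared-account",
                             f"{len(a.owners)} people hold the credential"))
        if privileged and not a.mfa_factors:
            findings.append((a.name, "admin-without-mfa",
                             f"admin on {', '.join(a.admin_on)} with no second factor"))
        elif privileged and set(a.mfa_factors) <= WEAK_FACTORS:
            findings.append((a.name, "weak-mfa-only",
                             f"only {', '.join(a.mfa_factors)} enrolled"))
        if privileged and len(a.admin_on) > MAX_ADMIN_SCOPE:
            findings.append((a.name, "broad-admin-scope",
                             f"admin on {len(a.admin_on)} systems"))
        if privileged and (today - a.last_used).days > STALE_DAYS:
            findings.append((a.name, "stale-admin",
                             f"last used {(today - a.last_used).days} days ago"))
        if privileged and a.mfa_changed and (today - a.mfa_changed).days <= RECENT_MFA_CHANGE_DAYS:
            findings.append((a.name, "recent-mfa-change",
                             f"second factor changed {(today - a.mfa_changed).days} days ago"))
    return findings

def summarize(findings):
    """Count findings per type, the figure a board or auditor would track over time."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample inventory; the accounts and dates are invented for the example.
TODAY = date(2025, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", ("ops-team-a", "ops-team-b"), ("backup-server",), (),
            TODAY - timedelta(days=2)),
    Account("j.doe-admin", ("j.doe",), ("ad", "erp", "mail", "vpn", "backup-server"), ("sms",),
            TODAY - timedelta(days=1), mfa_changed=TODAY - timedelta(days=3)),
    Account("old-consultant", ("consultant",), ("erp",), ("totp",),
            TODAY - timedelta(days=200)),
    Account("a.smith", ("a.smith",), (), ("fido2",), TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, kind, detail in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name:16} {kind:20} {detail}")
    print(summarize(audit_accounts(SAMPLE_ACCOUNTS, TODAY)))
```

On the sample inventory the script reports six findings across three accounts; only the non-privileged user with a hardware factor passes cleanly. The "recent-mfa-change" check is the detection angle: a second factor appearing on an admin account outside a documented change is worth a call to the account owner, not a tick in a dashboard.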

The fourth objective is to treat people not as the weak link or as a miracle cure, but as organized strength.

The solution does not lie in slogans about human firewalls. The solution lies in people who know what their role is, how to escalate, who decides, which information is reliable, and how to act together under pressure. Training must therefore evolve from mandatory awareness to practiced readiness. Not learning to click the right answer, but learning to trigger the right collaboration in moments of crisis.

The fifth objective is to rehearse crisis communication until it remains clear under stress.

An attack tests not only technology, but also alignment between people. The CEO, Finance, Marketing, Legal, Compliance, and IT must rehearse realistic tabletop scenarios together in advance. Otherwise, at the moment of crisis, exactly what the attacker needs will emerge: confusion, delay, contradictory messages, and a visible loss of control. Customers rarely lose trust solely because of the incident itself. They lose it above all when they notice that the company no longer has a single voice.

The sixth objective is to sharpen internal audit again.

Audit must not be satisfied with documents that exist; it must test whether systems, roles, escalations, recovery, and crisis operations actually function effectively. A good auditor does not search for paper calm, but for operational truth. That is essential, because most major shortcomings are visible in advance — but only to those who truly dare to look.

The seventh objective is to make cyber resilience measurable in behavior and outcomes.

Not only the number of policies, but the time to detection. Not only the existence of a plan, but the ability to recover. Not only the number of trainings completed, but the quality of collaboration during exercises. Resilience must become visible in choices, response speed, clarity, and recovery strength.

The core of this action plan is simple: stop building the appearance of control, and start building coherence. Because the domino effect of an attack rarely starts with a single technical mistake. It begins where technology, governance, risk, communication, and human behavior are not aligned with one another. That is where unstable balance emerges. That is where the fall begins.

Real cyber resilience is therefore not a wall. It is a stance. A firm footing. An organization that knows where its weight lies, how it moves under pressure, and how people catch one another when the first shock comes. Not because failure becomes impossible, but because failure no longer automatically leads to collapse.

And perhaps that is the most important lesson of all: the adversary does not win only because it is strong, but above all when we are still divided, unpracticed, and out of balance. Whoever wants to change that must no longer see cyber resilience as a technical project, but as an organized human performance.
