NIS2 Business Resilience Master Class – Do or Do Not, No TRY

Why “trying” is not a strategy: Building actionable, provable resilience under the NIS2 Directive

There’s no such thing as “trying” to be resilient when your systems are down, your customers are locked out, and your boardroom is facing the wrath of national regulators. Under the NIS2 Directive, the days of aspirational cybersecurity and half-hearted continuity plans are over. The language of compliance has shifted — from “intent” to “impact,” from “best effort” to “proven results.” Europe’s most critical sectors are being told in no uncertain terms: You either are resilient, or you are not. And in a crisis, only the former survives — reputationally, operationally, and legally.

The New Reality: NIS2’s Mandatory Resilience Expectations

Resilience is no longer a buzzword. Under NIS2, it’s a legal requirement. The directive doesn’t just target IT teams and CISOs — it puts boards and C-level executives directly in the regulatory firing line. Articles 21 to 26 of NIS2 demand provable governance, tested incident response, operational continuity, and cyber risk management — not just in your own operations, but across your entire supply chain.

In short: NIS2 doesn’t care how well you “intend” to respond. It demands that you can demonstrate, on paper and in practice, that your business can take a hit and keep operating.

These aren’t abstract obligations. Supervisory authorities will audit you, and post-incident investigations may request proof of board-level reviews, supplier risk assessments, continuity tests, and response rehearsals. There is no hiding behind technical jargon or shifting accountability. C-level leadership is now inseparable from operational resilience.

Five Brutal Truths of Business Resilience Under NIS2

1. Resilience is not the same as redundancy.
Many executives still equate business resilience with having a backup server, a DR site, or some vague insurance policy “just in case.” But NIS2 raises the bar. Resilience now means being able to deliver essential services continuously — even in the face of systemic cyber threats. If your fallback plan is a dusty PDF on a shared drive, regulators won’t be impressed. Nor will your customers, investors, or the media.

2. You are only as strong as your weakest supplier.
Third-party risk is no longer a footnote in the risk register. Under NIS2, your supply chain is your problem — legally, operationally, reputationally. Whether it’s your cloud provider, your managed IT partner, or a niche SaaS vendor embedded in your stack, their security failures could soon become your regulatory liability. C-level leadership must stop treating vendor management as procurement’s problem. It’s not. It’s yours.

3. Crisis plans that haven’t been tested might as well not exist.
Real resilience isn’t built in boardrooms — it’s tested in war rooms. If your business continuity plan hasn’t been put through a realistic tabletop exercise in the past 12 months, you don’t have a plan — you have a false sense of security. Resilience under pressure demands muscle memory, not manuals.

4. Paper policies don’t stop real-world attacks.
Many companies are still hiding behind glossy policies that look great in audit reports but fall apart during real events. NIS2 compliance demands living processes — not just documents. Ask yourself: can your team actually execute that policy under pressure, or was it written to satisfy the auditor?

5. You can’t outsource accountability.
You can outsource services, systems, even security — but not responsibility. If a breach happens, the regulatory spotlight will fall directly on your leadership table. Under NIS2, directors and executives are explicitly accountable for ensuring adequate cyber risk governance and incident readiness. Inaction is no longer defensible.

Digital Drones and Bots Are Already at Your First Lines of Defence

If you think your first line of defence is a firewall, think again. It may already be breached — not with an explosion, but with a silent ping.

We are entering an era where digital surveillance is no longer a cyberpunk fantasy — it’s a strategy deployed in peacetime by geopolitical actors. In recent months, Russian drones have reportedly violated NATO airspace, not to attack, but to observe and measure — probing the edges, noting the reaction time, learning the patterns. In cyberspace, the same logic applies. And your infrastructure is being watched.

Unidentified bots, “accidental” connection attempts, malformed queries — these are the digital equivalents of test flights. They’re not random. They are recon missions, and they’re gathering metadata about your organisation’s resilience: where it’s strong, where it’s slow, and where it’s sleeping.

Now ask yourself: what are they seeing?

It’s time to turn the tables — not by fortifying the walls alone, but by misleading the attacker into a twilight reality. At Qfirst, we call this The Business Twilight Zone — a hardened digital architecture where attackers are not just denied, but deceived.

Here’s how it works:

  • Your critical business processes and crown jewels are no longer in the obvious places. They’ve been migrated to an ultra-hardened, compartmentalized architecture.
  • Processes are strictly separated, and one-to-one connections follow a Zero Trust blueprint, with identities continuously verified at each stage of interaction.
  • Any digital intruder is led — by design — into an old environment, a sandboxed decoy rigged with digital mines: sniffers, triggers, and analytics that map attacker behaviour while protecting the real assets.
  • All business-critical storage is encrypted, governed by Zero Trust key management, ensuring that access without authorization results in gibberish, not gold.
  • MFA isn’t basic — it’s hardened. What we deploy is SALTY2FA: salted, hardware-backed, and tightly bound to hardened endpoints. No SMS. No convenience over control.

This isn’t a vision. It’s a cyber battlefield reality. You can’t stop adversaries from testing your defences — but you can ensure they’re testing the wrong ones.

From TRY to DO – Building Real Resilience

Hackers don’t just steal data — they feed on visibility. Every unnecessary connection, exposed port, or verbose error message is a free meal for an adversary. Business resilience today starts with a mindset shift: you are not just defending your infrastructure, you are denying the attacker access to insight.

NIS2 demands outcomes — not intentions. The transition from “try” to “do” requires engineering resilience into your processes, your architecture, and your governance model. This isn’t about buying another security tool. It’s about changing the rules of engagement.

Step 1: Implement Zero Trust from the inside out.
Every business-critical process must be isolated, monitored, and hardened. Don’t let internal systems assume trust based on network proximity. Assume breach. Verify always. Enforce identity — continuously, not once at login.

Step 2: Develop a roadmap of deceptive architecture.
If attackers come looking, let them find a trap. By rerouting traffic to decoy systems, you create a noise layer — a digital fog that prevents reconnaissance. These honeypots don’t just slow down intrusions — they expose attacker methods in real time.

Step 3: Encrypt everything — and govern the keys.
Data at rest, in transit, and in use — encrypted. But just as importantly, ensure your encryption keys are not managed by the same system they protect. Split governance. Enforce Zero Trust on key access too.

Step 4: Redefine what “multi-factor” really means.
Most MFA setups are still brittle. If you’re relying on push notifications or mobile apps tied to cloud-based logins, you’re still in the danger zone. Harden your access with SALTY2FA — using hardware-backed tokens, salted authentication flows, and restricted contextual access based on device health and behaviour.

Step 5: Embed resilience into your playbooks — and test them like war games.
A continuity plan isn’t worth the paper it’s printed on unless it’s tested under pressure. That means cross-functional crisis exercises where IT, compliance, communications, legal, and business owners rehearse failure. Simulate ransomware, simulate outage, simulate regulator calls. What breaks? What delays the response? Fix it before the attack does.

At Qfirst, we design resilience not as a feature — but as an operational doctrine. Visibility is earned, not given. Processes are hardened, not hopeful. And intruders? They’re shown only what we want them to see.

You don’t need to outgun every attacker. But you do need to out-prepare them. That’s not compliance — that’s strategy.

Boardroom Insight

“Business resilience isn’t just about surviving a cyberattack. It’s about continuing to deliver — even while under attack.”

– Qfirst Executive Strategy Brief, 2025

Too many boardrooms still treat cybersecurity as a defensive layer — a cost center. Under NIS2, that framing is outdated. Cyber resilience is now a growth enabler, a trust differentiator, and a regulatory obligation. The organisations that thrive will be those who shift security from IT to strategy — who treat resilience not as a bolt-on, but as a core competency.

Just as ESG transformed financial reporting, NIS2 is transforming operational credibility. Your investors, your partners, and your regulators are all watching how you prepare — not just how you respond.

Compliance Is a Floor, Not a Ceiling

Let’s be clear: NIS2 is not asking for excellence — it’s asking for adequacy. Compliance is the bare minimum. And that minimum is rising fast.

Too many executives are setting their targets around “being NIS2-compliant” instead of building an organisation that is actually resilient. But tick-box compliance is a liability — not a shield. In the face of systemic failure, downtime, or breach, simply proving that you met Article 21 won’t be enough to preserve trust, reputation, or market share.

Resilience isn’t the result of passing an audit.
Resilience is when your operations don’t blink, even as others fall.

Forward-thinking organisations are already going beyond. They’re aligning NIS2 with ISO 27001, DORA, TIBER, and national regulatory expectations — building unified security frameworks that are provable, repeatable, and multi-regulator ready. This is especially urgent for:

  • Financial and fintech organisations navigating both NIS2 and DORA.
  • ICT service providers balancing TIBER-like testing, NIS2 governance, and client SLAs.
  • Essential infrastructure operators who may soon face Red Team exercises as mandatory resilience proof.

The message is clear: build for resilience, not for compliance. Because when the next major digital crisis hits — and it will — no one will care how compliant you were. They’ll care if you kept running.

The Executive Scorecard: Are You DOING or Just TRYING?

The true test of business resilience isn’t whether you passed the last audit — it’s whether your organisation can take a digital punch and keep delivering, without chaos or compromise. NIS2 expects proof, not promises.

Here’s your executive scorecard. Be honest:

Resilience Element                                            Status
Crisis-tested business continuity playbook                    ✅ / ⚠️ / ❌
Incident response rehearsals involving the C-suite            ✅ / ⚠️ / ❌
Proven supplier risk classification and controls              ✅ / ⚠️ / ❌
Zero Trust architecture for critical business processes       ✅ / ⚠️ / ❌
Encrypted data storage with key governance separation         ✅ / ⚠️ / ❌
Hardware-based MFA on critical endpoints                      ✅ / ⚠️ / ❌
Honeypots and deception layers in production                  ✅ / ⚠️ / ❌
Board minutes evidencing risk oversight (NIS2 Art. 21)        ✅ / ⚠️ / ❌

Each check mark is more than a box — it’s a bulletproofed layer between your organisation and disruption. Every ⚠️ or ❌ is an opportunity for an attacker — and a liability for you.

Closing Call to Action: Rise, Knights of the Horizon Table

In the realm of NIS2, resilience isn’t built by fear. It’s forged by leadership.

The digital battlefield is no longer hypothetical — it’s active, asymmetric, and constantly evolving. But so is your ability to fight back. Around Europe, a new class of leadership is rising: the Digital Knights of the Round NIS2 Horizon Table — CISOs, CIOs, General Counsels, and CEOs who don’t just comply but champion resilience.

Queen Guinevere and the Black Knight are not mere legends — they’re your internal archetypes. Your ethics, your defenders, your strategists. If they haven’t spoken in your boardroom yet, it’s time to let them lead.

Those who start the conversation today will survive tomorrow.
Those who inspire their teams will harden their future.

Stand up. Share this insight with your leadership circle. Invite your teams to challenge the status quo.

Because in the end, the organisations that endure aren’t the ones that “try” — they’re the ones that act, adapt, and lead from the front.

True leadership gets stronger from attacks.

🛡️ Do or do not. There is no TRY.