NIS2: it is five over 12

Europe is no longer waiting for the next cyber wake-up call. It is already ringing.

Across our hospitals, municipalities, ports, railways, water utilities, managed service providers and digital infrastructure, the same warning signs are becoming impossible to ignore. The systems that keep society running are more connected, more dependent on third parties, more exposed to geopolitical pressure and more attractive to attackers than ever before. Yet the maturity to defend them is still uneven. Some sectors are moving forward. Others are still catching up. And attackers do not wait for policy alignment, budget cycles or internal governance meetings.

NIS2 was never meant to be a paper exercise. It was designed as Europe’s collective response to a hard truth: our digital borders are only as strong as the weakest link in the chain. When one Member State delays enforcement, when one essential entity treats cybersecurity as an IT problem, when one supplier remains unmanaged, or when one board postpones investment, the risk does not stay local. It travels through supply chains, cloud platforms, managed services, public networks and shared dependencies.

This is why the moment is bigger than compliance. NIS2 is not simply a legal deadline. It is a leadership test.

Stakeholders now face a choice. They can continue to interpret cyber resilience as fragmented obligations, separate audits and sector-by-sector checklists. Or they can recognise what the threat landscape is already telling us: Europe needs a stronger, clearer and more coordinated voice. A voice that brings regulators, competent authorities, essential entities, important entities, MSPs, MSSPs, auditors, certification bodies and national cyber agencies into the same operational direction.

Belgium has shown that certification readiness can become a practical route forward. With structured frameworks, evidence-based maturity and a clearer path for organisations to demonstrate resilience, the country is well positioned to act as a catalyst. But leadership only matters if it is used. The challenge now is to concentrate resources where risk is highest, support the sectors that are falling behind and turn NIS2 from a regulatory obligation into a resilience movement.

It is five over 12.

The time for passive awareness is over. The time for coordinated cyber resilience has begun. HarmonyQ represents that next step: aligning governance, assurance, certification readiness and operational support so that Europe can stop absorbing the pressure and start fighting back.

Strategic read of ENISA NIS360 2026

The report’s central message is clear: Europe is improving, but not fast enough where it matters most. ENISA defines the risk zone as sectors where maturity is below average while criticality exceeds preparedness; in plain terms, these sectors matter more to society than they are currently ready to defend. The NIS360 risk zone includes health, railway, maritime, ICT service management, space, public administrations, drinking water and waste water.

Domains of risk needing urgent support

| Urgent domain | Why it needs support now | Consequence if neglected |
|---|---|---|
| ICT service management: MSPs and MSSPs | This is the multiplier risk. MSPs and MSSPs support other critical sectors, but ENISA finds fragmented risk management, ad hoc operational readiness, weak structured collaboration, and insufficient supervisory capacity. | One compromised provider can become a bridge into many customers, sectors and Member States. This is the weakest point for cascade attacks. |
| Public administrations | ENISA states this sector remains one of the most targeted and has uneven maturity, weak management involvement, slow patching and gaps in information sharing. | Public trust erodes, citizen services fail, sensitive state data leaks, and adversaries gain leverage over national decision-making. |
| Health | Hospitals and healthcare providers remain in the risk zone despite political attention. ENISA highlights legacy systems, IoMT expansion, supply-chain exposure, budget constraints and lower incident preparedness. | Disruption affects patient care directly: cancelled operations, diverted ambulances, exposed patient data and potential loss of life. |
| Drinking water and waste water | These are among the least mature sectors. ENISA points to reactive/ad hoc risk management, limited detection, untested response and recovery, legacy systems, weak skills and limited information sharing. | Attacks can force manual operations, disrupt sanitation or water supply, and create public-health and environmental consequences. |
| Railway and maritime | Both remain in the risk zone. Railway criticality has increased due to military logistics and threat exposure, while maritime disruption can cascade into global supply chains. | Hybrid conflict, logistics delays, military mobility disruption, port paralysis and supply-chain instability. |
| Space | Space has become one of the most critical sectors because of dependency, time-criticality and societal reliance, while its maturity remains low-moderate and uneven. | Loss or manipulation of navigation, timing, earth observation or secure communications undermines strategic autonomy. |
| Cross-sector digital infrastructure: cloud, data centres, core internet | ENISA places these at high criticality with upper-moderate maturity; they are above average, but the dependency level is so high that “good” is no longer enough. | Outages or attacks propagate immediately across finance, health, transport, public services and industry. |

Countries “being lazy” in NIS2 enforcement

For public or executive language, I would not use “lazy”; I would use delayed, fragmented, politically under-prioritised, or enforcement-lagging. But the point is valid: some Member States have weakened Europe’s digital border by failing to move at the same speed.

The European Commission formally called out 19 Member States on 7 May 2025 for failing to notify full NIS2 transposition: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden. The Commission warned that if they did not respond and take the necessary measures, cases could be referred to the Court of Justice of the EU.

That list should be framed carefully because national status may have evolved since the Commission’s 2025 action. The policy message remains: Europe cannot claim collective cyber resilience while national enforcement, registration, supervision, reporting routes and penalties move at different speeds. The Commission itself says full implementation is key to improving resilience and incident response across critical sectors and the EU as a whole.

Consequences of weak or delayed NIS2 enforcement

Delayed enforcement creates four concrete consequences.

First, it produces uneven obligations. A critical entity in one Member State may face registration, control evidence and supervisory pressure, while a comparable entity elsewhere waits in uncertainty.

Second, it creates cross-border blind spots. Attackers do not respect national transposition calendars. If one country is slow, it becomes an easier operational route into European supply chains.

Third, it weakens incident coordination. If reporting thresholds, competent authorities, sector definitions and supervision routes are not aligned, Europe loses time during the first hours of a serious incident.

Fourth, it damages strategic autonomy. ENISA’s emerging context stresses AI-enabled attacks, supply-chain risk and geopolitical volatility; fragmented enforcement gives adversaries exactly the asymmetry they need.

Belgium as a certification-ready leader

Belgium’s importance is that it has moved beyond “policy talk” into an operational compliance route. The Belgian NIS2 law entered into force on 18 October 2024, and the CCB has set a binding 18 April 2026 regulatory checkpoint for essential entities.

Belgium’s CyberFundamentals / CyFun® framework gives organisations a practical route with maturity levels such as Basic, Important and Essential, and the CCB positions it as an accessible roadmap for digital resilience. The framework is also mapped against recognised sources including NIST CSF, ISO 27001/27002, IEC 62443 and CIS Controls, which makes Belgium more certification-ready than countries that only have abstract legal obligations.

This is why Belgium can credibly position itself as a certification-ready cyber resilience leader: not because it has solved everything, but because it has a usable framework, a supervisory anchor, evidence expectations and a route for organisations to prove maturity.

The strategic message: no consistent voice means weakened digital borders

Europe has the legislation, but not yet a unified operational voice. ENISA shows that the weakest sectors are not peripheral; they are the connective tissue of society: MSPs, public administrations, health, water, transport, space and digital infrastructure. When these sectors are unevenly governed, Europe’s digital borders become porous.

This is the moment for HarmonyQ in cyber resilience: concentrate scarce expertise, standardise evidence, align certification readiness, prioritise risk-zone sectors, and move from fragmented compliance to coordinated defence. The objective should not be more paperwork. The objective should be to concentrate resources, close the risk-zone gap, and start to fight back as a European digital ecosystem.

Grounding note: ENISA’s NIS360 2026 approach assesses maturity through policy framework, risk management, collaboration/information sharing and operational preparedness, and explicitly stresses that legislation should be judged by coherence and practical impact rather than by the number of rules.

From NIS2 Labyrinth to Certification Readiness

Many business leaders are now facing an uncomfortable reality: in trying to respond to NIS2, resilience, ISO, supplier risk, incident reporting, continuity, audit evidence and sector-specific obligations, they have unintentionally created a NIS2 and resilience labyrinth. The result is often more complexity, more meetings, more policies and less clarity about what actually needs to be controlled, tested and proven.

The way out is not another isolated framework. The way out is structure.

By introducing enforced ITIL 5 service management discipline, organisations can turn cyber resilience into repeatable operational practices: incident management, change control, asset and configuration visibility, supplier control, service continuity and measurable service ownership. By applying PRINCE2 governance, NIS2 readiness becomes a controlled transformation programme with clear roles, decisions, milestones, risks, tolerances and accountability.

This is where the START2 Internal Audit Cyfun course becomes a practical accelerator. It helps organisations review their current certification readiness, understand the evidence expected by auditors and authorities, and build a realistic pathway towards NIS2 certification readiness by April 2027. The goal is not to create more paperwork. The goal is to create a board-level, auditable and operationally tested route from confusion to control.

ENISA’s current direction confirms this need. Its NIS360 approach does not simplify NIS2 by lowering cyber readiness. It simplifies the discussion by focusing on what matters most: policy effectiveness, risk management, collaboration, information sharing and operational preparedness. In other words, the future of NIS2 is not about checking boxes. It is about proving that critical organisations can govern risk, protect services, respond to incidents and recover when society depends on them.

Top 10 Actions to Escape the NIS2 and Resilience Labyrinth

  1. Start with coherence, not more rules
    Business leaders should stop adding isolated policies and controls without a clear operating model. NIS2 readiness must be judged by coherence and practical impact, not by the number of documents, frameworks or committees created.
  2. Create one board-owned resilience roadmap
    NIS2, cyber resilience, supplier assurance, incident reporting, continuity, audit readiness and certification should be managed as one integrated transformation programme, not as separate compliance tracks.
  3. Use ITIL 5 to operationalise resilience
    Apply service management discipline to incident management, change enablement, asset and configuration management, service continuity, supplier control and service ownership. This turns cyber resilience into daily operational practice.
  4. Use PRINCE2 to govern the transformation
    Treat NIS2 readiness as a controlled programme with clear roles, decision points, milestones, risk tolerances, escalation paths and executive accountability. Without programme governance, NIS2 becomes a labyrinth.
  5. Assess maturity through the ENISA lens
    Review maturity across four practical dimensions: policy framework, risk management, collaboration and information sharing, and operational preparedness. These dimensions help leaders understand where their organisation is genuinely resilient and where it is only administratively compliant.
  6. Prioritise risk management over policy volume
    Organisations should prove that risks are identified, prioritised, treated, monitored and followed up. A smaller set of effective controls is more valuable than a large library of policies that are not implemented, tested or owned.
  7. Strengthen collaboration and information sharing
    NIS2 resilience depends on trust and coordination across internal teams, suppliers, MSPs, MSSPs, sector peers, authorities and auditors. Leaders should build structured mechanisms for sharing threat information, lessons learned and operational dependencies.
  8. Test operational preparedness before the auditor asks
    Incident response, crisis management, disaster recovery, backup restoration and business continuity plans should be exercised regularly. Certification readiness depends on evidence that the organisation can respond and recover, not only that plans exist.
  9. Use START2 Internal Audit Cyfun as the readiness accelerator
    The START2 Internal Audit Cyfun course helps internal teams understand certification expectations, gather audit evidence, assess maturity, identify gaps and prepare a realistic pathway towards NIS2 certification readiness by April 2027.
  10. Move from compliance theatre to resilience proof
    The final objective is not to look compliant. It is to demonstrate that essential and important services can withstand disruption, protect stakeholders, recover under pressure and maintain trust. NIS2 certification readiness must become a proof of resilience, not a paper shield.

AI help or failure booster

AI is not the enemy. The real nonsense is pretending that AI will magically steal control, leak data and make decisions on its own, while ignoring the real failure pattern we have seen for years with ISO 9001, ISO 27001, ISO 27005 and every other framework that was implemented without strategy, ownership or disciplined execution.

AI will fail when it is pushed into the same labyrinth of unclear responsibilities, disconnected controls, poor project management and boardroom confusion. But when business leaders and cybersecurity strategists approach AI with clarity, it becomes a defensive force multiplier. It can help counter hackers with their own speed, detect anomalies in network traffic, deploy digital deception mines, isolate critical systems in digital heartbeat bunkers, anonymise sensitive data and strengthen resilience before damage spreads.

The lesson is simple: AI does not need fear-driven theatre; it needs 2030 leadership, governance, measurable purpose and business-proof execution. KISSED: Keep It Simple, Strategic, Secure, Effective and Defensive.

Conclusion: The Labyrinth Has No Mercy

ENISA’s NIS360 approach makes one thing painfully clear: cyber resilience is not won by stacking rules on top of rules until nobody can see the exit anymore. The maturity of an organisation, a sector or even a country is not measured by the thickness of its policy binder. It is measured by whether the policy framework makes sense, whether risks are actively managed, whether people share information before the damage spreads, and whether the organisation can still operate when the attack is already inside the walls.

That is the brutal lesson of NIS2.

A law without coherence becomes noise. A control without ownership becomes theatre. A risk register without action becomes a comfort blanket. And an incident response plan that has never been tested becomes fiction at the exact moment society needs it to be real.

This is why the next phase cannot be another compliance maze. It must be a disciplined pathway towards practical impact. Business leaders need to simplify without weakening. They need to govern without paralysing. They need to prove maturity through four hard questions: Is our policy framework coherent? Are our risks truly managed? Do we collaborate and share information fast enough? Are we operationally prepared when services, citizens and customers depend on us?

If the answer is unclear, then the organisation is not ready.

NIS2 is five over 12. The time for fragmented interpretation is over. The time for certification readiness, operational proof and coordinated resilience has begun.

Danny Zeegers & Karin Printemps

Source https://www.enisa.europa.eu/enisa-nis360-2026 (published 28 May 2026)