European enterprise owners are still thinking about cybersecurity as a technical problem. It is not. It is now a leadership, governance and survival problem.
Across Europe, many organisations still believe they are “working on security” because they have firewalls, endpoint tools, backups, a GDPR register, and maybe even a DPO. But that is not the same as being secure, and it is certainly not the same as being NIS2-ready.
That is the uncomfortable truth. The real gap in most organisations is no longer just between “secure” and “insecure.” It is the gap between basic IT protection and verified digital resilience. It is the gap between isolated controls and enterprise-wide governance. It is the gap between compliance paperwork and a living security operating model.
And while that gap remains open, attackers are not waiting. Nation-state actors, organised cybercriminals and hybrid threat groups are exploiting the seams of our society: telecom infrastructure, identity weaknesses, elderly citizens, digitally weaker users, weak supplier chains, unmanaged AI experiments, shadow AI, unverified software changes, and organisations that still assume a breach is something that happens to someone else.
It is not. This is not a drill. We are losing digital ground.

The dangerous illusion: “We have technology, so we are protected”
Too many boards still think cybersecurity is mainly a matter of buying the right technology stack. More tooling. More dashboards. More detection. More licences.
But ENISA’s latest Security by Design and Default Playbook points in a different direction. It stresses that real resilience comes from embedding security across the full lifecycle of a product or service: from requirements and design to development, deployment, maintenance and decommissioning. It also makes clear that security must be operationalised through repeatable actions, evidence, review gates and continuous improvement, not treated as a one-time technical add-on. That is the core wake-up call for Europe’s leadership teams.
Technology alone does not create trust. Governance does.
Tooling alone does not reduce risk. Decision-making does.
Compliance alone does not protect the company. Operational discipline does.
The real NIS2 gap: governance, verification and residual risk ownership

The biggest weakness in the market today is not the absence of controls. It is the absence of balance.
Many organisations have fragments:
- some GDPR activities
- some security tooling
- some policies
- some backup and recovery thinking
- some awareness that NIS2 matters
But NIS2 demands far more than fragments. It requires a coherent, managed, reviewable, defensible posture.
ENISA’s playbook is especially important here because it shows that security must become:
- lifecycle-driven
- risk-driven
- automation-first
- evidence-based
- owned through release and decision gates.
In other words, organisations must move from:
- “we installed security tools”
to:
- “we know which risks exist, which controls are working, which residual risks are accepted, by whom, until when, and based on what evidence.”
That is where the real verification gap sits today.
A Europe-wide blind spot: data protection is not enough

Let us say this clearly: GDPR is not enough.
Data protection matters. Privacy matters. Data loss prevention matters. But many companies have confused privacy compliance with cybersecurity maturity. They are not the same.
An organisation can have privacy notices, retention rules and processing registers and still be dangerously exposed through:
- weak identity architecture
- over-privileged access
- poor change control
- inadequate logging
- unmanaged suppliers
- insecure defaults
- weak onboarding
- no patch discipline
- no tested recovery path
- no visibility on shadow AI or experimental automation
ENISA explicitly highlights all of these as critical parts of secure-by-design and secure-by-default practice: trust boundaries, least privilege, strong identity and authentication, attack surface minimisation, defence in depth, logging and monitoring, vulnerability and patch management, supply chain controls, restrictive initial access, secure communications, unique device identity, mandatory security onboarding, automated updates, transparent security posture, and secure recovery.
That list reads less like a technical checklist and more like a diagnosis of where Europe is still structurally weak.
Meanwhile, the threat is evolving faster than governance
While organisations are still debating ownership, budgets and scope, the threat landscape has moved on.
Attackers are not only exploiting exposed systems. They are exploiting unbalanced operating models:
- telecom trust chains used for fraud and manipulation
- weak identity and authentication processes
- vulnerable digital citizens, especially the elderly and the less digitally mature
- unmanaged third parties
- AI pilots running outside governance
- shadow AI processing sensitive data with no risk register, no verification and no accountability
This is the modern asymmetry:
the attacker moves at machine speed;
the defender still asks who owns the spreadsheet.
And this is where the comparison becomes painful. Europe often reacts to digital compromise with psychological distance. We know the problem exists. We know the losses are real. We know people are affected daily. But because the impact is distributed, indirect or happening “somewhere else,” urgency fades. That has to stop. Because being hacked is not something that happens to another company anymore. It is an active business condition.
A final wake-up call from the field

Experts Harry van der Plas and Danny Zeegers now launch what may be the final wake-up call for boards and executive teams:
Stop treating cybersecurity as a purely technical protection exercise.
Start introducing balanced governance.
Start enterprise-wide risk assessment.
Start documenting NIS2-aligned residual accepted risks.
Start process management.
Start reviewing the digital heartbeat of your company.
Because the clock is running.
There is still a path forward.
There is still time to lead.
But only for organisations willing to act now.

April 2027 is closer than it looks
Many leaders still speak about NIS2 as if it were a future programme.
It is not. It is an active transition period. If organisations want to be verifiable, defensible and certifiable by April 2027, then they need to stop waiting for a “perfect framework” and start building a disciplined 365-day execution model now.
ENISA’s own guidance points toward exactly that kind of model. It recommends lightweight artefacts, reusable checklists, CI/CD controls, clear release gates and iterative reassessment whenever architectures, suppliers, interfaces or risk conditions change. That means the right response is not panic.
It is structured acceleration.
The CEO story Europe now needs
Picture a CEO who finally understands that digital resilience is not an IT side topic, but the heartbeat of the enterprise.
Not a CEO who delegates it away.
A CEO who takes the digital lead.
She starts with one uncomfortable question:
“What are we assuming is secure today that we have never actually verified?”
Silence follows.
The CIO talks about controls. The CISO talks about roadmaps. Legal talks about policies. Procurement talks about suppliers. Operations talks about continuity. But no one can yet show the whole story:
- where trust really begins and ends
- which crown jewels matter most
- which risks are tolerated
- which are not
- what secure-by-default really means in practice
- whether critical changes are reviewable
- whether supplier security is evidenced
- whether the company can recover with integrity after compromise
So the CEO draws a line.
No more fragmented effort.
No more security theatre.
No more policy islands.
No more unmanaged digital experimentation.

Instead, she launches a company-wide programme built on six lines of action:
1. Governance first
Security becomes a board topic with named ownership, measurable priorities and accepted residual risk decisions.
2. Risk across the enterprise
Not only cyber risk. Business risk. Operational risk. Supplier risk. AI risk. Identity risk. Customer trust risk.
3. Process before tooling expansion
The company maps how digital decisions are made, changed, approved, monitored and reviewed.
4. Verification over assumption
Every critical control must be linked to evidence, not only intent.
5. Defence in depth as a design principle
No single point of trust. No single point of failure. No single point of blindness.
6. A futureproof company model
Security, quality, continuity, compliance and digital trust are no longer separate tracks. They become one synergy pathway.
That is the futureproof company:
not the company with the most tools,
but the company with the clearest digital discipline.
Comparing the gaps with the ENISA outcome
The ENISA playbook exposes several structural gaps that organisations must close.
Gap 1: Security is still not treated as lifecycle governance
ENISA states security must be operationalised from design through end-of-life, with risk management revisited when conditions change. In practice, many firms still treat security as a project or implementation phase.
Gap 2: Trust is still assumed, not mapped
The document places major emphasis on trust boundaries, threat modelling and privileged paths. Many organisations still do not explicitly know where their trust boundaries sit across users, admins, APIs, suppliers, devices and AI services.
Gap 3: Identity is weakly governed
ENISA stresses strong identity architecture, unique identities, session control and privileged access protection. Yet shared accounts, broad rights and weak authentication remain common.
Gap 4: Default settings are too permissive
Secure by default is one of the most practical messages in the playbook: disable non-essential services, enforce restrictive initial access, secure communications, unique device identity, mandatory onboarding and automated updates. Many products and environments still arrive too open.
Gap 5: Logging and monitoring are incomplete
ENISA calls for high-signal logs, attribution, central collection, retention and actionable alerts. Too many companies still generate logs without creating visibility.
Gap 6: Change is happening faster than control
Configuration and change management are treated by ENISA as essential security disciplines: versioned, reviewed, gated, reversible. In reality, many organisations still allow silent drift and uncontrolled exceptions.
Gap 7: Vulnerability and patch handling are not board-visible
The playbook stresses triage, SLA thinking, supplier inputs, secure release and tracked exceptions. But many organisations still operate with incomplete inventories and weak remediation governance.
Gap 8: Supply-chain trust is too informal
ENISA’s supply chain controls clearly call for SBOM visibility, dependency review, pipeline protection, supplier expectations and documented exceptions. That is still missing in many sectors.
Gap 9: Evidence is missing
Perhaps the biggest gap of all: organisations claim security maturity without machine-readable, reviewable evidence. ENISA’s section on machine-readable security attestation shows where the future is going: demonstrability, verifiability, reusability and reliability.
The 365-day priority plan
This is how organisations should proceed now.
Days 1–30: face reality
Establish executive sponsorship. Name accountable owners. Identify the crown jewels. Define what the business cannot afford to lose, stop or expose. Start a board-level NIS2 steering rhythm.
Output:
- named executive ownership
- top critical services and assets
- first enterprise risk lens
- decision that cybersecurity is not only an IT responsibility
Days 31–60: map the trust landscape
Map trust boundaries, external interfaces, privileged paths, suppliers, identities, AI use cases and shadow processes. Build a first lightweight but honest digital reality map.
Output:
- trust boundary overview
- identity and privileged access picture
- AI and shadow AI inventory
- critical supplier exposure map
Days 61–90: define the baseline
Set non-negotiables. Define secure-by-default principles for the enterprise. Determine which residual risks are unacceptable, which are temporarily tolerated, and who must sign them off.
Output:
- risk acceptance model
- secure baseline principles
- residual risk ownership model
- first executive-approved exceptions register
Days 91–120: stabilise the heartbeat
Review the digital heartbeat: access, changes, logging, patching, incident paths, backups, recovery, supplier changes, onboarding and offboarding. Convert scattered activity into managed processes.
Output:
- process map for key digital controls
- gap list against NIS2 operating expectations
- first process owners per domain
- measurable review cadence
Days 121–180: build defence in depth
Start with practical priorities: least privilege, MFA for privileged users, secure onboarding, segmentation, central logging, change control, vulnerability intake, supplier review, recovery validation.
Output:
- first defence-in-depth architecture decisions
- reduced blast radius
- critical monitoring improvements
- stronger operational resilience
Days 181–240: verify and evidence
Move from intention to proof. Link critical controls to evidence. Create minimum verifiable outputs for identity, logging, patching, onboarding, updates, suppliers and incident readiness.
Output:
- evidence catalogue
- control-to-evidence mapping
- internal verification gates
- first structured posture reporting
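As an added illustration, not taken from the article or from ENISA's playbook, the following Python check evaluates the kind of internal verification gate described in this phase: every critical control must be linked to current evidence, and every accepted residual risk must name an owner, carry an expiry date that has not passed, and point to supporting evidence. The record layout, the 90-day freshness window, the as-of date and all sample entries are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample: critical controls and the evidence that backs them.
CONTROLS = [
    {"id": "IAM-01", "name": "MFA for privileged users", "critical": True,
     "evidence": [{"ref": "idp-export-2025-11-03", "collected": date(2025, 11, 3)}]},
    {"id": "LOG-02", "name": "Central log collection", "critical": True,
     "evidence": []},  # intent only, no proof yet
    {"id": "PAT-03", "name": "Patch SLA compliance", "critical": True,
     "evidence": [{"ref": "scan-2025-06-01", "collected": date(2025, 6, 1)}]},
]
# Constructed sample: residual risks accepted by whom, until when, on what evidence.
EXCEPTIONS = [
    {"risk": "Legacy OT host without MFA", "owner": "COO",
     "expires": date(2026, 3, 31), "evidence": "segmentation-review-2025-10"},
    {"risk": "Shadow AI pilot in marketing", "owner": None,
     "expires": date(2025, 9, 30), "evidence": None},
]
MAX_EVIDENCE_AGE = timedelta(days=90)  # assumed freshness window for evidence
TODAY = date(2025, 11, 15)             # constructed as-of date for the gate run

def gate_findings(controls, exceptions, today=TODAY):
    """Return the reasons the gate fails; an empty list means the gate passes."""
    findings = []
    for c in controls:
        if not c["critical"]:
            continue
        if not c["evidence"]:
            findings.append(f"{c['id']}: no evidence linked to control")
            continue
        age = today - max(e["collected"] for e in c["evidence"])
        if age > MAX_EVIDENCE_AGE:
            findings.append(f"{c['id']}: evidence stale ({age.days} days old)")
    for x in exceptions:
        if not x["owner"]:
            findings.append(f"{x['risk']}: no accountable owner")
        if x["expires"] < today:
            findings.append(f"{x['risk']}: acceptance expired on {x['expires']}")
        if not x["evidence"]:
            findings.append(f"{x['risk']}: acceptance not backed by evidence")
    return findings

def gate_passes(controls, exceptions, today=TODAY):
    """True only when every critical control and accepted risk is evidenced."""
    return not gate_findings(controls, exceptions, today)

if __name__ == "__main__":
    for line in gate_findings(CONTROLS, EXCEPTIONS):
        print("FAIL:", line)
```

Run against the constructed sample, the gate reports one control with no evidence, one with stale evidence, and an accepted risk with no owner, an expired acceptance and no evidence; the point is that a control or an exception without evidence fails the gate regardless of how the intent is described.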
Days 241–300: integrate governance and operations
Bring legal, IT, security, operations, procurement, quality and executive management into one operating language. Use risks, controls, exceptions and evidence to drive decisions.
Output:
- enterprise-wide governance rhythm
- integrated risk view
- supplier/security/legal alignment
- clear escalation logic
Days 301–365: rehearse the futureproof company
Stress-test the model. Run simulations. Review residual risks. Update the roadmap. Define what the next 12 months must deliver before April 2027.
Output:
- management-reviewed risk posture
- tested response and recovery assumptions
- updated NIS2 roadmap
- certification-readiness acceleration plan
What leaders must remember now
The organisations that win the next phase of digital trust will not be the ones that bought the most security products.
They will be the ones that:
- govern risk in balance
- know their trust boundaries
- verify their controls
- own their residual risks
- manage change with discipline
- design for defence in depth
- make security visible
- turn resilience into daily management practice
That is the real message.
Not fear.
Not compliance fatigue.
Not another technical project.
A leadership choice.
Europe still has time to respond.
But the response must begin with honesty.
We are not as ready as we thought.
We are not as protected as we assumed.
And no, this is not happening to someone else.
This is the moment to act.
Harry van der Plas and Danny Zeegers are right to frame this as a final wake-up call.
The next 365 days will decide which organisations become futureproof companies, and which remain vulnerable, fragmented and late.
The digital lead must now come from the top.