Every NIS2 project begins with the same predictable hurdle: resistance to change. Compliance deadlines feel distant, processes feel complex, and employees ask the same questions — “Why now? Why us?”
But what if the answer lies not in stricter rules or longer presentations, but in the science of positivity?
When the board of NordSec Systems, a mid-sized European ICT provider, first discussed NIS2 in late 2023, the reaction was predictable: silence, sighs, and a few eye rolls.
The compliance officer, Elise, remembers it well. “Management saw it as a bureaucratic monster,” she says. “There was no excitement — just fear of costs and disruption.”
Deadlines were approaching, stakeholders were unmotivated, and Elise knew the project was on track to fail before it even began.

The Breaking Point
By early 2024, resistance was peaking. Departments delayed tasks, management questioned timelines, and project updates became dreaded moments. “I felt like I was pushing a rock uphill, and everyone else was waiting for me to let go,” Elise recalls.
It was then she stumbled upon the teachings of Shawn Achor and Jay Shetty. What if compliance wasn’t about pushing harder, but leading differently?
Reframing the Why
Instead of starting her next update with technical jargon, Elise asked the board a simple Simon Sinek-inspired question: “Why do we need NIS2?”
Her answer: “Because it’s not about passing an audit. It’s about keeping our services alive when others collapse. It’s about trust.”
Suddenly, the conversation shifted. NIS2 became a story of resilience and reputation, not just regulation.
Small Wins, Big Momentum
Taking inspiration from Shawn Achor, Elise celebrated tiny milestones.
When IT completed their first vulnerability scan, she treated it like a major win.
When HR updated screening policies, she spotlighted their effort across the company intranet.
“It felt good to be recognized,” says Johan, head of HR. “It stopped feeling like a chore and started feeling like progress.”
Building Mental Resilience
Drawing from Jay Shetty’s playbook, Elise also changed how she showed up as a leader:
- She grounded herself before every steering meeting with a few minutes of silence.
- She told stories instead of listing risks — like the one about a rival company that lost a major contract after a cyber incident.
- She radiated calm and confidence.
“When Elise stopped sounding stressed, the rest of us stopped feeling stressed,” admits Erik, a senior manager. “It was contagious.”
From Project Manager to Chief Energy Officer
By mid-2025, NordSec’s NIS2 project looked unrecognizable. Instead of a defensive posture, management leaned forward. Stakeholders asked how they could help. Department heads competed to deliver results first.
The once-feared deadline of April 2026 now looked like an opportunity to prove their strength.
“It wasn’t magic,” Elise says. “It was energy. Positive energy. When I stopped dragging people, they started running with me.”
The Happiness Advantage Meets NIS2
Shawn Achor, author of The Happiness Advantage, argues that positivity isn’t the outcome of success — it’s the precursor. Applied to NIS2, this flips the script:
- Instead of waiting until April 2026 to celebrate “success,” teams can celebrate the small wins along the way.
- Instead of framing compliance as an audit exercise, leaders can reframe it as resilience-building.
- By setting an optimistic tone early, the compliance officer reduces friction and inspires cooperation.
Achor’s research shows that optimism improves problem-solving and resilience — exactly what a regulation-heavy transformation project demands.
Jay Shetty’s Lessons in Resilience
If positivity is the spark, resilience is the fuel. Jay Shetty’s teachings on mindful leadership remind us that energy is contagious.
For a compliance officer, that means:
- Grounding before meetings — to walk in calm, not frantic.
- Telling stories that resonate — linking compliance to real-world cyber risks and customer trust.
- Leading with calm confidence — because when management feels inspired, stakeholders follow.
As Shetty often says: “You can’t control events, but you can control your response.” That mantra is gold for a project where not everyone will be pleased.

The Compliance Officer as “Chief Energy Officer”
In NIS2 projects, the compliance officer is not only a guardian of controls but also the bearer of energy. By bringing positivity to management first, they set the cultural tone for the entire company. When leaders see compliance as an opportunity instead of a cost, resistance melts away.
A Top 10 Formula for Success in NIS2 projects (and Business)
- Do the work — get started.
- Share a realistic timeline with stakeholders.
- Be productive early; leave low-value tasks for later.
- Focus on what you can control.
- Don’t waste energy on ideas that add no value.
- Accept that you cannot please everyone.
- Communicate clearly and often.
- Celebrate progress, not just results.
- Empower champions in every department.
- Keep the “why” visible — compliance builds resilience and trust.
A Journey of Risk and Resilience: How One NIS2 Team Found Its Rhythm
At first, the words “risk assessment” sent a groan through the room. For the engineers, it sounded like bureaucracy. For management, it sounded like slowing down. For the compliance officer, Elise, it sounded like the part of the project everyone would postpone until the last minute.
But this time, something different happened.
Phase 1: Framing the Why
Instead of presenting a dry methodology, Elise walked into the first session with a story. She described a competitor that had suffered a ransomware attack. Customers fled, contracts were cancelled, trust was broken.
Then she asked: “What if we had spotted the risks earlier? What would have been different?”
Suddenly, the room leaned forward. The risk assessment wasn’t just a report anymore — it was a way to keep the company alive, trusted, and respected. Inspired by Simon Sinek’s Start With Why, the team now saw a purpose behind every question.
Phase 2: Celebrating Small Wins
Shawn Achor’s happiness advantage came next. Instead of waiting until the full register was complete, Elise celebrated each risk identified and treated as a victory.
When IT flagged outdated firewalls, it wasn’t shame — it was progress.
When HR documented gaps in access control, they were applauded for protecting the human side of security.
By reframing risks as opportunities to strengthen, the assessment became an energizing process, not a painful audit.
Phase 3: Building Resilience
The process was demanding, and resistance still surfaced. That’s where Jay Shetty’s resilience lessons came in. Elise encouraged mindful pauses before intense sessions. She reminded the team that you can’t control every threat, but you can control how you prepare for it.
This mindset transformed how managers reacted to findings. Instead of panicking about vulnerabilities, they calmly focused on solutions. They became resilient, not reactive.
Phase 4: Integrating Into Every Step
By mid-project, risk assessment was no longer an isolated phase. It became the compass for every decision:
- Procurement asked, “What risks come with this new vendor?”
- IT asked, “What risk does this configuration reduce?”
- Management asked, “What risks are we willing to accept, and why?”
The exercise had evolved into a culture of asking questions at every step, making the company stronger and more aligned.
The Turning Point
By the time April 2026 drew closer, NordSec Systems wasn’t scrambling to prepare. They had turned risk assessment into a continuous rhythm. Every phase of the NIS2 project had been energized by positivity and resilience.
“It stopped being about fear of fines,” Elise said. “It became about building trust, one risk at a time.”
The Difference:
- Sinek’s WHY gave the team purpose.
- The team’s positivity made every risk a chance to celebrate improvement.
- The company’s resilience gave management the calm strength to lead through uncertainty.
Instead of resistance, the team found inspiration. Instead of fear, they built confidence. And instead of checking boxes, they created a culture that will outlive the April 2026 deadline.
We are ONE team
Key Project Members for NIS2 Verification Success (April 2026)

Executive Sponsor (CEO / COO / CIO)
Provides authority, budget, and alignment with strategy.
Sets the tone from the top that compliance is an opportunity, not a burden.
Compliance Officer / NIS2 Project Lead
The orchestrator of the entire program.
Coordinates between legal, IT, security, and business units.
Ensures timelines, reporting, and scope are aligned with regulatory requirements.
CISO / Security Lead
Designs and implements technical and organizational measures.
Oversees vulnerability management, incident response, and risk treatment.
Ensures controls align with ISO/IEC 27001 and NIS2 essentials.
IT Infrastructure Manager
Owns networks, servers, endpoints, and cloud environments.
Implements monitoring, logging, patching, and system hardening.
Risk & Governance Manager
Runs the formal risk assessments.
Aligns outcomes with the board’s risk appetite and regulatory expectations.
Documents the why and how behind each risk treatment decision.
Legal & Regulatory Counsel
Interprets NIS2 obligations in the context of national implementation.
Advises on liability, reporting duties, and contractual obligations with third parties.
Data Protection Officer (DPO)
Ensures GDPR and NIS2 requirements are harmonized.
Advises on incident reporting, data breach overlap, and privacy by design.
HR & People Manager
Embeds awareness and training programs.
Ensures background checks, screening, and role-based access align with compliance needs.
Finance & Procurement
Monitors budgets for compliance tools and external partners.
Ensures suppliers and service providers meet NIS2 requirements (third-party risk).
Departmental Champions (Ops, Sales, Customer Service, R&D)
Act as compliance ambassadors in their domains.
Bridge the gap between policy and day-to-day operations.
Incident Response Team (Red/Blue/White Cells)
Executes crisis simulations and live response.
Ensures reporting readiness within 24 hours of an incident (as NIS2 requires).
External Advisors / Auditors
Provide independent verification and gap analysis.
Bring in best practices from other sectors and projects.
Why This Team Matters
NIS2 isn’t a one-man compliance exercise — it’s a cross-company transformation.
Every member contributes resilience: technical, organizational, legal, cultural.
Together, they ensure that April 2026 isn’t a deadline feared, but a milestone achieved.
The Bigger Picture

April 2026 is more than a deadline. It is a moment of choice: companies can treat NIS2 as a checkbox exercise, or as a catalyst for culture, trust, and business continuity.
With Shawn Achor’s optimism and Jay Shetty’s resilience, compliance officers have the tools not just to deliver a project, but to inspire a transformation.
And perhaps that is the real success of NIS2: not just meeting the law, but leaving an organization stronger, more united, and future-ready.








