5 common mistakes in NIS2 compliance and how to avoid them 

Staying compliant with NIS2, the EU’s upgraded cybersecurity rulebook, is now a top priority for organizations across Europe. Companies in critical industries – like energy, health and transport – should meet strict regulatory standards and secure their digital infrastructure. But let’s be honest: navigating the path to NIS2 compliance can be tricky. Here are 5 common mistakes to avoid if you want to stay on track with NIS2 compliance. 

Mistake 1 – underestimating the scope of NIS2 compliance 

If you think that NIS2 compliance only applies to your IT department or requires a limited set of security measures, you’re in for a surprise! NIS2’s scope extends across your entire organization. That means it’s not just about IT: all your departments – including legal, HR and procurement – as well as your partners and vendors need to be aligned. Everyone needs to be on the same page, so your business is not caught off guard by penalties or security gaps.

**The Marriott International data breach of 2018 exposed the personal data of approximately 500 million guests. Marriott forgot to properly secure the IT systems of Starwood Hotels, which they had just acquired. This lack of thorough security alignment resulted in significant fines, including a £18.4 million GDPR penalty.**

How to avoid it: 

  • Start with a comprehensive gap analysis and maturity assessment to understand where your organization currently stands and what areas need improvement. 
  • Implement cross-department coordination and foster a culture of cybersecurity awareness throughout your organization. Ensure that all departments – not just IT – are aware of their roles in maintaining NIS2 compliance.

Mistake 2 – overlooking third-party and supply chain risk 

Many organizations mistakenly assume that if their own security is solid, their supply chain security must be too. But that assumption can come back to bite you. Ignoring third-party risks can open the door to vulnerabilities and can lead to data loss, regulatory fines and serious reputational damage. NIS2 compliance doesn’t just focus on your company’s cybersecurity – it extends to your entire supply chain. That means you’re not only responsible for your own NIS2 compliance; you also have to ensure that your partners and suppliers are up to standard.

**In 2013, hackers compromised the credentials of an HVAC vendor and used them as a gateway into Target’s network. Target’s failure to ensure security compliance across all departments and external partners resulted in the theft of 40 million credit and debit card numbers, not to mention severe reputational damage.**

How to avoid it: 

  • Implement a third-party risk management tool that helps to assess and monitor the security posture of suppliers and partners. If you work with suppliers who don’t follow proper security protocols, they could become an entry point for cyberattacks. 
  • Ensure that third-party contracts include cybersecurity clauses that align with NIS2 requirements. Clearly outline the security expectations and responsibilities of your suppliers and partners within the contract. 
  • Conduct regular training and awareness sessions for your third-party partners. Ensure everyone understands the importance of cybersecurity and their role in maintaining it.

Mistake 3 – inadequate incident response planning 

Many organizations have an incomplete or outdated incident response plan. Often, they also haven’t integrated SOC (Security Operations Center) or MDR (Managed Detection and Response) services, which are essential for real-time incident detection and response. The result? Companies face severe damage and even heavy penalties if they don’t report significant cyber incidents to the authorities within NIS2’s deadlines. That’s right – implementing strong security measures alone is not enough. Effective response planning and timely reporting are equally important for NIS2 compliance.

How to avoid it: 

  • Develop a robust incident response plan that includes clear procedures for detecting, reporting and mitigating cyber incidents. Regularly update this plan and conduct simulations to ensure your team is prepared for real-world scenarios. 
  • Integrate SOC or MDR services into your operations to improve detection and response times. These services provide 24/7 monitoring and rapid incident detection, allowing your organization to act quickly in case of a breach.
  • Set up clear internal protocols to report significant incidents. Any significant cyber incident needs to be reported to the relevant supervisory authorities within 24 hours of detection. An intermediate report should be submitted within 72 hours and a full incident report within a month.

Mistake 4 – not implementing training and awareness programs 

Cybersecurity isn’t just the IT department’s job – it’s everyone’s responsibility. Many companies focus on upgrading their technology to prevent cyber threats, but overlook the importance of proper training programs. Training is crucial, however, to educate employees about their role in maintaining security and to make them aware of cyber dangers. If they fall for phishing attacks or mishandle sensitive data, all your company’s security efforts go up in smoke – just like that. Regular, hands-on training can help your team spot red flags and get closer to NIS2 compliance.

**Remember when Crelan Bank lost around €70 million due to a phishing scam? An attacker gained access to an executive’s email and tricked employees into transferring money to the wrong account. The breach wasn’t due to a technical failure, but rather a lack of employee awareness about phishing threats.**

How to avoid it: 

  • Create a comprehensive training program that educates all employees about NIS2 compliance, cybersecurity best practices and how to recognize and respond to potential threats. Regularly update these programs to reflect the latest security trends and threats. 
  • Integrate regular phishing simulations to improve awareness. These ‘fake attacks’ test employees in real-world scenarios and highlight vulnerabilities before actual threats take place. The more your employees understand and recognize potential threats, the stronger your protection will be.

Mistake 5 – neglecting continuous risk assessments

Risk management is a fundamental part of NIS2 compliance, but many organizations treat it like a once-a-year task instead of an ongoing effort. The truth is, cybersecurity threats evolve constantly, and a one-time assessment just won’t cut it. Continuous risk assessments are crucial to staying ahead of new risks. On top of that, many organizations overlook vulnerability management to detect and fix weaknesses before cybercriminals exploit them. This leaves them with unpatched systems, outdated software and hidden vulnerabilities – a recipe for disaster.

How to avoid it: 

  • Implement a continuous risk assessment process and regularly review it based on real-time threat intelligence and internal system changes. 
  • Integrate a robust vulnerability management program. Use automated vulnerability scanning tools and patch management systems to identify and fix security gaps. 
  • Train employees on cyber hygiene and create a culture of security awareness, so everyone’s equipped to spot risks early and prevent potential vulnerabilities from being exploited. 

Looking for an expert in NIS2 compliance?

Successful NIS2 compliance isn’t just about avoiding penalties – it’s about building a stronger, more resilient organization in the face of today’s ever-evolving cyber threats. By including all your departments, securing the supply chain, properly preparing for incidents, ensuring organization-wide awareness and investing in continuous risk and vulnerability management, you improve your cybersecurity posture and avoid costly fines. On the website of the Centre for Cybersecurity Belgium you’ll find more information and a handy list of frequently asked questions about NIS2 compliance.

Need a hand to get everything in place? At Uptime Security, we’ve got your back. Our cybersecurity experts will investigate whether you are making any of the mistakes above and help you implement the right measures to be NIS2 compliant.
