
10 common NIS2 compliance mistakes (and how to avoid them)

The most common errors organizations make on the path to NIS2 compliance, from underestimating eligibility to insufficient documentation.

Stefan Balan
Security Practice Lead at BetterQA

Introduction

After helping hundreds of organizations assess their NIS2 eligibility, we've observed certain errors that repeat. Here are the 10 most common mistakes and how to avoid them.

1. "It doesn't affect us - we're too small"

The mistake:

Many assume that only large corporations need to comply with NIS2.

The reality:

The thresholds are lower than many think:

  • Over 50 employees, OR
  • Turnover over €10 million

Plus, there are exceptions that can bring even smaller organizations into scope if:

  • They are the sole provider of an essential service
  • An incident affecting them would have cross-border impact
  • They provide critical services for public safety

What to do:

Use the eligibility calculator - it takes only 3 minutes and is free.

2. "We have ISO 27001 certification, so we're NIS2 compliant"

The mistake:

Assuming that an existing certification automatically covers NIS2 requirements.

The reality:

ISO 27001 is a solid starting point, but NIS2 has specific requirements that ISO doesn't cover:

  • DNSC registration
  • Incident reporting within specific timeframes (24h/72h)
  • Annex 1 and Annex 2 forms
  • Specific supply chain requirements

What to do:

Treat ISO 27001 as a foundation, but conduct a specific gap analysis for NIS2.

3. "We have time - the deadline is in 2026"

The mistake:

Postponing preparation until close to the deadline.

The reality:

The compliance process takes on average 8-15 weeks for a medium-sized organization:

  • Information gathering: 2-4 weeks
  • Control self-assessment: 4-8 weeks
  • Document completion: 1-2 weeks
  • Internal review: 1 week

Plus, after registration you have other deadlines:

  • 60 days for risk assessment
  • 60 days for maturity self-assessment

What to do:

Start now. Even if you don't finish everything immediately, you'll have time to remediate gaps.

4. Wrong sector selection

The mistake:

Choosing a single sector when the organization operates in multiple ones.

The reality:

Many organizations have activities in multiple sectors:

  • A transport company may also be a digital logistics operator
  • A manufacturer may also be a B2B service provider
  • An IT company may be both an MSP and a software developer

What to do:

Analyze all activities, not just the primary one. If you operate in multiple sectors, you may be classified as essential for one and important for another.

5. Ignoring the supply chain

The mistake:

Focusing exclusively on internal systems.

The reality:

NIS2 explicitly requires supply chain risk management:

  • Cloud providers
  • Software developers
  • IT service providers
  • Any third party with access to your systems

What to do:

Inventory your critical suppliers, assess their risks, and include security requirements in contracts.

6. Insufficient documentation

The mistake:

Implementing security measures without documenting them.

The reality:

During audits, it's not just what you do that matters, but what you can demonstrate:

  • Written and approved policies
  • Documented procedures
  • Evidence of implementation
  • Training records
  • Logs and reports

What to do:

Document everything. Use NIS2 Manager to centralize and organize documentation.

7. Neglecting management training

The mistake:

Treating NIS2 as exclusively a technical or IT problem.

The reality:

NIS2 introduces personal responsibility for management:

  • Must approve security measures
  • Must oversee implementation
  • Must participate in training

What to do:

Include management in the compliance process from the beginning. Ensure they understand their responsibilities.

8. Unprepared incident reporting

The mistake:

Waiting for an incident to happen to establish the reporting process.

The reality:

The deadlines are tight:

  • 24 hours for initial alert
  • 72 hours for complete notification

You don't have time to create the process in the middle of a crisis.

What to do:

Establish the process now:

  • Who detects incidents?
  • Who decides if it's significant?
  • Who completes the report?
  • How do we communicate with the DNSC?

9. Underestimating required resources

The mistake:

Assuming a single person can manage the entire compliance effort.

The reality:

NIS2 compliance involves multiple disciplines:

  • IT and cybersecurity
  • Legal and compliance
  • Operations and business continuity
  • Human resources (for training)
  • Management (for approval and oversight)

What to do:

Form a multidisciplinary team or outsource to consultants, but maintain internal ownership.

10. The "tick the box" approach

The mistake:

Treating compliance as a bureaucratic box-checking exercise.

The reality:

DNSC will verify not just the existence of policies, but effective implementation:

  • Policies must be applied, not just written
  • Controls must function, not just exist
  • People must know the procedures, not just have signed them

What to do:

Build a security culture, not just a compliance folder. Regularly test whether the measures actually work.

Conclusion

NIS2 isn't about perfection, but about demonstrating a mature cybersecurity management process. Avoid these common mistakes and you'll be much better prepared for what's ahead.

Start with a free eligibility check and continue with a systematic self-assessment.


This article is part of the NIS2 resource series offered by NIS2 Manager, a BetterQA product - one of Europe's top software testing companies.
