The European Union’s NIS2 Directive is widely regarded as a milestone in cybersecurity regulation. Organizations in its scope (the essential and important entities in a wide range of critical sectors) must engage far more deeply with risk management, incident handling, supply-chain security, and secure communication. The goal is protection against cyber threats through structured processes, technical measures, and organizational clarity. Many organizations are implementing the directive right now and run into similar hurdles.
Looking at common mistakes shows where the pitfalls lie – and which measures can help implement the requirements effectively and sustainably.
❌ 1. Mistake: Cybersecurity without clear responsibilities
Many companies start with technical measures without first clarifying responsibilities or processes. Security is then considered only in isolated areas, without being sustainably embedded in a complete strategy.
👉 What helps: A holistic approach. Organizations that treat cybersecurity as a cross-functional task define clear roles, maintain structured approval processes, and document policies transparently. NIS2 also puts this at board level: management bodies must approve the risk-management measures, oversee their implementation, and can be held accountable for failures. This creates a foundation upon which further measures can be built.
❌ 2. Mistake: One-time risk assessments instead of continuous evaluation
Risk assessments are a core requirement of NIS2. Yet companies often conduct them only once, or define their scope and method so loosely that the results cannot be compared from one year to the next.
👉 What helps: A regular evaluation rhythm. Changes in infrastructure, new products, or external influences should always trigger a reassessment. Continuous monitoring of risks allows proactive action instead of reactive crisis management.
❌ 3. Mistake: Insecure or unstructured communication with external partners
Secure collaboration with customers, service providers, and suppliers is especially sensitive. Yet, clear access rights or encrypted transmission methods are often missing in these cases.
👉 What helps: Treat external communication as part of the attack surface. NIS2 explicitly extends risk management to the security of the supply chain and to the relationships with direct suppliers and service providers. Platforms with end-to-end encryption, clearly defined roles, and fine-grained access control (who may view, edit, or share a document, and for how long) create a reliable security level and strengthen trust across the supply chain.
❌ 4. Mistake: Missing procedures for security incidents
Security incidents can never be completely ruled out. However, many organizations lack clear response procedures, defined responsibilities, and transparent reporting processes – both internally and with authorities.
👉 What helps: A structured incident response plan defines who does what and when. Responsibilities, deadlines, and communication channels should be clearly defined, including with external partners and authorities. NIS2 sets tight reporting deadlines for significant incidents: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. Regular tests and training ensure that procedures work in real situations.
❌ 5. Mistake: Untested or poorly maintained emergency plans
A business continuity plan alone is not enough. Many organizations have emergency documents but rarely test or update them.
👉 What helps: Regular simulations. Recovery procedures, backups, and alternative sites should not only exist but also work reliably in emergencies: a backup that has never been restored in a test is an assumption, not a safeguard. Systematic testing, with measured recovery times, increases operational resilience.
❌ 6. Mistake: Gaps in logging and traceability
NIS2 requires traceability: access, changes, and configurations must be documented without gaps, and the records must survive an attacker who gains administrative rights.
👉 What helps: Opt for solutions that offer comprehensive logging mechanisms, ideally tamper-evident (hash-chained or signed entries) and protected by access control so that the people whose actions are logged cannot edit or delete the log. A combination of audit trails, synchronized timestamps, append-only storage, and granular permissions is particularly effective.
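The following is an added illustration of what “tamper-evident” means for an audit trail; it is example code written for this page, not Tresorit’s implementation. Each entry is sealed with an HMAC over its own content and the seal of the previous entry, so editing an entry or removing one from the middle breaks the chain. The key, field names, and sample events are constructed for the demonstration; in practice the key belongs to a separate log service or HSM, not to the administrators being audited.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives with the log
# service (or an HSM), not with the administrators whose actions are logged,
# so that nobody can edit an entry and silently re-seal it.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # chain anchor for the first entry


def _seal(prev_hash: str, body: dict) -> str:
    """HMAC over (previous seal || canonical JSON of this entry's body)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


def append(log: List[dict], actor: str, action: str, target: str, ts: Optional[str] = None) -> dict:
    """Append one entry linked to the previous one; returns the sealed entry."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    entry = dict(body, hash=_seal(prev, body))
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Tuple[bool, Optional[str]]:
    """Walk the chain; return (True, None) or (False, description of the first break)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap (seq={body.get('seq')}), an entry was removed or inserted"
        if body.get("prev") != prev:
            return False, f"entry {i}: prev pointer does not match the previous seal"
        if not hmac.compare_digest(_seal(prev, body), entry.get("hash", "")):
            return False, f"entry {i}: seal mismatch, content was modified after sealing"
        prev = entry["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed sample events with fixed timestamps so the chain is reproducible."""
    log: List[dict] = []
    append(log, "alice", "login", "vpn-gateway", "2024-05-01T08:00:00+00:00")
    append(log, "bob", "config.change", "firewall/rule-17", "2024-05-01T08:05:00+00:00")
    append(log, "alice", "file.share", "contracts/nda.pdf -> partner.example", "2024-05-01T08:09:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact :", verify(log))
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "alice"   # blame-shift attempt: rewrite who changed the firewall
    print("edited :", verify(edited))
    trimmed = [dict(e) for e in log]
    del trimmed[1]                 # hide the change entirely
    print("trimmed:", verify(trimmed))
```

The chain only detects tampering; it does not prevent it. That is why the key separation in the comment matters: an administrator who holds the key can rewrite history and re-seal it. Shipping the entries (or just their seals) to a write-once store under someone else’s control closes that gap, and periodic verification runs should themselves be logged.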
❌ 7. Mistake: Insufficient employee training and awareness
Technology only protects as much as it is consciously applied. If personnel are not sufficiently trained, mistakes are likely – whether through phishing, weak passwords, or poor reporting behavior.
👉 What helps: Practice-oriented training. Security awareness should be an integral part of onboarding and ongoing training. Feedback opportunities and clear points of contact strengthen the organization’s security culture.
Compliance is not a one-off task
Avoiding these mistakes lays the foundation for a strong security culture. NIS2 then becomes not a hurdle but an opportunity: greater resilience, clear processes, and sustainable trust in digital infrastructure. Companies that implement it systematically keep risks in view and give their own staff clear orientation. With a solid foundation, compliance can not only be demonstrated to auditors and authorities but is actively lived in day-to-day operations.
Learn more about how Tresorit can support NIS2 compliance for your organization.
Katalin Jakucs