October 17th, 2024 was the deadline for EU member states to transpose the NIS2 Directive into applicable, national law. While many member states have missed the deadline, all are currently working to implement the Directive. This is a pivotal moment for CISOs and organisation leaders. According to a recent report conducted by IDC and Microsoft, while 74 percent of organizations are aware of NIS2, only 14 percent feel fully prepared. The time to act is now.
To support the journey toward readiness, we have commissioned IDC to create a NIS2 Self-Assessment Workbook that will allow you to discover how ready you are across four key dimensions: Awareness and Knowledge; Compliance and Governance; Risk Management and Practices; Strategic Alignment and Information Channels.
Each of these dimensions is essential to shifting from basic awareness to a state of operational readiness. Here is how to make that shift.
1. Awareness and knowledge: Build understanding across the business
Awareness is the foundation of NIS2 readiness. Yet many organizations still rely on ad hoc updates or selective training. Without broad understanding across all levels of the business, compliance becomes fragmented and key risks may go unrecognized.
Galp Energia’s approach is a great example of what effective training can look like in practice. By using Microsoft Defender for Office 365 and leveraging built-in training tools, they significantly reduced the number of users clicking on phishing emails – transforming awareness into real behavioural change.
In practical terms, this means you and your team should consider the following:
- Set up continuous cybersecurity training tailored to roles and responsibilities, using Microsoft 365’s built-in solutions such as phishing simulations and learning modules to deliver engaging, role-specific training.
- Create a centralized hub for NIS2-related updates, guidance, and documentation
- Integrate cybersecurity awareness into business strategy and executive decision-making by using tools like Microsoft Secure Score to provide visibility into current risks.
- Foster a culture of continuous learning and proactive improvement
Knowledge must become operational. This means moving from isolated initiatives to a workplace culture where security is understood as a shared responsibility.
2. Compliance and governance: Embed responsibility, not just rules
One of the most significant shifts under NIS2 is the heightened accountability placed on senior leadership. Board engagement is no longer optional; it is a regulatory requirement. However, IDC reports that 58 percent of leaders are not actively driving compliance efforts.
To help create the governance structures that your organization needs, it is worth considering:
- Forming a task force that brings together IT, legal, compliance, and risk management experts.
- Providing regular updates to senior leadership on NIS2 gaps, risks, and progress. Microsoft Purview Compliance Manager provides real-time dashboards and reports tailored for executive oversight.
- Defining clear KPIs and metrics to measure cybersecurity performance.
- Incorporating compliance responsibilities into the organization’s broader governance framework, such as automating policy reviews and document version control using Microsoft 365 and aligning these processes with your risk register via Purview.
A great example is House of HR, a Belgian human resources services specialist, which has embedded Microsoft Purview into its security governance, improving visibility and accelerating compliance efforts.
Organizations that take a cross-functional approach will be better positioned to manage complexity and ensure consistent oversight. The most advanced organizations will embed NIS2 compliance into broader governance frameworks. With structured assessments, formal policy reviews, and regular leadership reporting, they ensure accountability is not just assigned but actively owned.
3. Risk management and security practices: Operationalize risk, prioritize agility
Understanding risks is one thing. Managing them in a fast-changing environment is another. Risk prioritization, agility, and continuous adaptation are now essential capabilities.
In terms of what this means for your teams, here are some priorities and next steps to consider:
- Conduct regular risk assessments and categorize threats based on impact and likelihood. Leverage Microsoft Defender for Cloud, Microsoft Sentinel and Data Security Posture Management for comprehensive risk assessments.
- Regularly test incident response plans with involvement from key departments
- Integrate threat intelligence into daily operations to respond quickly to new threats, using Microsoft Defender to automatically detect, investigate and contain threats at scale.
- Strengthen third-party risk management by reviewing vendors and supply chain partners
- Explore how data analytics and AI can support faster threat detection and resolution
Taking a proactive approach is key. Danish industrial machinery manufacturer Danfoss is using Microsoft Sentinel to strengthen threat detection and streamline incident response across a complex, global environment. The results speak for themselves: identity theft attempts were reduced by 80%.
NIS2 places a strong emphasis on demonstrable control. Leaders must be able to show that risk is not only identified, but actively managed, documented, and mitigated. Advanced organizations are also starting to embrace generative AI to enhance risk management. From surfacing emerging vulnerabilities to automating incident triage, AI offers a scalable approach to staying ahead of evolving threats, a vital asset as threat surfaces continue to expand.
4. Strategic alignment and information channels: Strengthen internal and external collaboration
Even the strongest cybersecurity strategy will fall short without alignment across departments, partners and regulators. IDC found that 29 percent of organizations do not yet know who their national authority is under NIS2. This is a significant risk.
To assess what this means for day-to-day operations and upcoming plans, your team should consider focusing on:
- Aligning cybersecurity objectives with business priorities and strategic goals
- Building long-term partnerships with trusted advisors and industry peers
- Defining clear communication procedures for reporting incidents and sharing intelligence, with Microsoft Teams and Viva Engage helping to maintain up-to-date escalation practices.
- Making sure all employees know how to report issues and where to access threat updates
- Positioning cybersecurity as a trust builder and business differentiator: by using Microsoft’s Zero Trust model and compliance tools, organisations can demonstrate leadership and build reputational value.
Organizations with mature security postures go a step further – integrating cybersecurity with business strategy. By aligning investments to business goals and establishing strategic partnerships with security providers, they transform compliance from a checkbox exercise into a competitive advantage.
Next steps for security leaders
Whether your organization is in the early stages or already implementing structured policies, now is the time to take concrete steps toward readiness. Use the Readiness Framework to assess maturity across all four dimensions. Identify the most pressing gaps. Build your roadmap.
The end goal is not just to meet regulatory requirements. It is to create a resilient organization that is ready for the future of cyber risk. Leaders who embed cybersecurity into every part of their operations will not only achieve compliance but will raise the standard for what effective security leadership looks like.
Find out more about your organization’s readiness and the steps you can take in the NIS2 Self-Assessment Workbook here.