Cybernetics LTD

NIS 2 requirements: which measures companies should review

"Prevention is cheaper than a breach"

One of the main topics in the changes to the Cybersecurity Act is the introduction of appropriate and proportionate technical, operational, and organizational risk management measures. This is an important formulation because it shows that compliance with NIS 2 is not limited to a single product or a single technical configuration. The organization must assess what risks exist for its network and information systems and what measures are necessary in relation to those risks.

Among the main areas that companies should pay attention to are:

1. Policies for risk analysis and information systems security;
2. Incident response actions;
3. Business continuity;
4. Backups and disaster recovery;
5. Crisis management;
6. Supply chain security;
7. Security in the acquisition, development, and maintenance of systems;
8. Assessment of the effectiveness of measures;
9. Basic cyber hygiene practices and training;
10. Cryptography and encryption, where applicable;
11. Human resources security;
12. Access control and asset management;
13. Multi-factor authentication or other secure authentication solutions, where appropriate.

These are areas where practical gaps are often identified. For example, an organization may have backups but may not have tested the recovery process. It may have access policies in place but no regular review of user permissions. It may use external providers without having assessed the risks associated with them.

That is why the review of NIS 2 readiness should be structured. It is not enough to check only whether technical protection is in place. It is necessary to assess whether the measures are appropriate, proportionate, documented, and applicable in the organization’s actual operations.

A professional gap analysis can show exactly that: which requirements are already covered, which are partially covered, and where gaps exist. This gives the company a clear picture and an action plan, instead of a general feeling that “something needs to be done.”
