Individual security measures are not yet NIS2 compliance


Last Updated On: Feb 27, 2026

You've enabled two-factor authentication. There's an incident response plan in place. Someone has put together a list of suppliers. All sensible steps. Yet that's not the same as being NIS2-compliant, and the difference is greater than most organisations realise.

The trap is called false security. You're doing a lot around security, it feels like you're on the right track, but you have no idea what risks you're still exposed to. This article isn't about which measures you need. It's about the moment you realise that individual measures don't add up to a system, and how you bring structure to that.

Why individual measures create false security

Individual measures emerge reactively. A customer asks for a security policy, so one gets written. A news story about ransomware leads to the purchase of a detection tool. Each measure makes sense on its own, but together they don't form a whole. They can't be traced back to a risk analysis, they're not linked to a responsible owner, and they're not part of a cycle of evaluation and adjustment.

The result: nobody has the full picture. The IT department knows the technical measures, but not which risks management has consciously accepted. Management knows that policies exist, but not whether they're being followed. The legal team has signed data processing agreements, but nobody checks whether suppliers are actually complying. This creates an organisation that has arranged a lot on paper and is in practice vulnerable in exactly the spots nobody is watching.

This is what's known in practice as the "checkbox mentality": treating security as a list you tick off for an audit, rather than as an ongoing practice. The problem only comes to light during a regulatory inspection or, worse, during a real incident. It then turns out that measures that once worked have since become outdated, and that you can't demonstrate that your decisions are based on a current analysis.

The recognition moment

There are several signals that tell you you've crossed the line from individual measures into needing structure. None of them is alarming on its own, but together they form a pattern.

You can't provide an up-to-date picture of your compliance status within a day if someone asks for it. There are measures where you're not sure who the owner is. Evidence of what you've arranged is scattered across inboxes, shared folders, a CRM, and a ticketing system. Policy documents are more than a year old and nobody knows whether they're still accurate. Management is asking questions you can't quickly answer.

If you recognise three or more of these signals, the question isn't whether you need to bring in structure, but when. And the answer is sooner rather than later, because setting up a structural approach takes months, not weeks.

Three shifts that make the difference

The transition from individual measures to a working system can be captured in three shifts. None of them requires adding more measures. They require a different way of organising.

From document to owner

In an ad hoc approach, a policy document is the end point: written, approved, stored. In a structural approach, it's a starting point. The policy describes the framework, that framework is translated into concrete measures, and every measure gets an owner. That owner is responsible for implementation, maintenance, and evidence that the measure works.

Ownership goes further than a name in a spreadsheet. It means someone understands why the measure was chosen and knows what to do if it no longer meets requirements. It also means there's an escalation path: if an owner identifies that a measure is no longer feasible or appropriate, that finding reaches a place where action can follow. Without ownership, measures get stuck in good intentions, and it's exactly those neglected measures that a regulator will expose.

From incident-driven to risk-driven

In an ad hoc approach, you implement measures in response to something: an incident, an audit, a customer request. It's a defensive posture where you solve problems as they appear. In a structural approach, you reverse that. You identify risks upfront and choose measures to prevent them or limit their impact. Every measure can be traced back to a concrete risk from your risk analysis.

That link between measure and risk is what NIS2 means by "appropriate and proportionate". If you can't link a measure to a risk, the question is whether that measure is necessary at all. If a risk exists without a corresponding measure, that's a gap. The benefit isn't just compliance: you invest your time and budget where the risk is greatest, rather than reacting to whichever complaint is loudest. And you can explain to management and the regulator why you've made certain choices.

From snapshot to continuous visibility

A measure that was correctly configured at installation may have been changed months later without anyone noticing. A supplier that scored well at the first assessment may since have been acquired by a party with a different security level. In an ad hoc approach, you check this at most during the annual audit, and in between you have no visibility.

NIS2 expects the opposite. The regulator doesn't want to know how things stood at your last audit, but how things stand right now. That requires continuous visibility rather than a snapshot. In practice, this means automated checks at fixed intervals verify whether configurations are still correct and whether access rights are still current, with an alert as soon as something deviates. That model is more reliable than manual checks, and less dependent on one person who has it all in their head.
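The continuous check described above, as an added example that is not Tidal Control's own automated tests: a baseline records how each setting should be configured and which accounts should hold which role, a freshly collected snapshot is compared against it, and every deviation (changed configuration, overdue access review, account nobody approved) comes back as a finding that an alerting step could act on. The setting names, account names, dates and the 90-day review interval are constructed for the example.

```python
# Added example (not Tidal Control's automated tests): compare a baseline of
# expected configuration and access rights with a freshly collected snapshot.
from datetime import date
from typing import List, Tuple

Deviation = Tuple[str, str, str]  # (area, subject, detail)


def check_drift(baseline: dict, current: dict, today: date,
                review_interval_days: int = 90) -> List[Deviation]:
    """Return every way the current snapshot deviates from the baseline."""
    deviations: List[Deviation] = []
    # 1. Configuration: every expected setting must still hold its expected value.
    for key, expected in baseline["config"].items():
        actual = current["config"].get(key)
        if actual != expected:
            deviations.append(("config", key, f"expected {expected!r}, found {actual!r}"))
    # 2. Access rights: every baseline account must still exist with the
    #    baseline role and must have been reviewed within the interval.
    for account, role in baseline["access"].items():
        entry = current["access"].get(account)
        if entry is None:
            deviations.append(("access", account, "account missing"))
            continue
        if entry["role"] != role:
            deviations.append(("access", account, f"role {entry['role']} instead of {role}"))
        age = (today - entry["last_review"]).days
        if age > review_interval_days:
            deviations.append(("access", account,
                               f"review overdue by {age - review_interval_days} days"))
    # 3. Anything granted that the baseline never approved is a deviation too.
    for account in current["access"]:
        if account not in baseline["access"]:
            deviations.append(("access", account, "not in baseline"))
    return deviations


# Constructed baseline and snapshot; settings, accounts and dates are invented.
BASELINE = {
    "config": {"mfa_required": True, "log_retention_days": 365,
               "admin_ssh_from_internet": False},
    "access": {"alice": "admin", "bob": "reader"},  # account -> approved role
}
SNAPSHOT = {
    "config": {"mfa_required": True, "log_retention_days": 30,
               "admin_ssh_from_internet": True},
    "access": {
        "alice": {"role": "admin", "last_review": date(2026, 2, 10)},
        "bob": {"role": "reader", "last_review": date(2025, 7, 1)},
        "contractor": {"role": "admin", "last_review": date(2026, 2, 20)},
    },
}
SAMPLE_TODAY = date(2026, 2, 27)


def run_sample() -> List[Deviation]:
    """One scheduled run over the constructed snapshot."""
    return check_drift(BASELINE, SNAPSHOT, SAMPLE_TODAY)


if __name__ == "__main__":
    for area, subject, detail in run_sample():
        print(f"ALERT {area}:{subject}: {detail}")
```

Scheduling this at a fixed interval and routing a non-empty result to whoever owns the affected measure is what turns a snapshot into continuous visibility; the check itself stays the same.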

Start with an honest inventory

The first step towards structure isn't adding measures, but mapping what you already have. Which measures have been implemented? Where are they documented? Who is responsible? Is there evidence they work? And which risk are they linked to?

That inventory often produces a sobering picture. It turns out there are measures nobody is maintaining anymore, risks without a corresponding measure, and policies that no longer reflect reality. That's no reason for panic, but an honest starting point. From that overview you can prioritise with purpose, rather than blindly adding new measures to a pile you already can't oversee. A framework like ISO 27001 helps: it forces you to systematically cover all areas rather than selectively picking the easy ones.
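The inventory questions above, and the two-way measure-to-risk check from the "incident-driven to risk-driven" section, as an added example that is not Tidal Control's own code: each measure is recorded with its owner, the risks it is linked to and the date of its latest evidence, and a single pass reports measures with no owner, no risk link or stale evidence, measures pointing at a risk that is not in the register, and risks that no measure covers. The risk and measure ids, names, dates and the 90-day evidence age are constructed for the example.

```python
# Added example (not Tidal Control code): a gap analysis over a small control
# inventory, answering the inventory questions in the text for each measure.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Risk:
    id: str
    description: str


@dataclass
class Measure:
    id: str
    name: str
    owner: Optional[str]                             # None = nobody is responsible
    risks: List[str] = field(default_factory=list)   # risk ids this measure addresses
    evidence_date: Optional[date] = None             # when evidence was last refreshed


Finding = Tuple[str, str]  # (finding type, measure id or risk id)


def gap_analysis(risks: List[Risk], measures: List[Measure], today: date,
                 max_evidence_age: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return every gap: measures without owner, risk link or current evidence,
    measures pointing at risks not in the register, and risks no measure covers."""
    risk_ids = {r.id for r in risks}
    covered = set()
    findings: List[Finding] = []
    for m in measures:
        if not m.owner:
            findings.append(("no_owner", m.id))
        if not m.risks:
            findings.append(("no_risk_link", m.id))
        for rid in m.risks:
            if rid in risk_ids:
                covered.add(rid)
            else:
                findings.append(("unknown_risk", m.id))
        if m.evidence_date is None:
            findings.append(("no_evidence", m.id))
        elif today - m.evidence_date > max_evidence_age:
            findings.append(("stale_evidence", m.id))
    # The check runs both ways: a risk with no measure is a gap in its own right.
    for rid in sorted(risk_ids - covered):
        findings.append(("uncovered_risk", rid))
    return findings


# Constructed risk register and inventory; ids, names and dates are invented.
SAMPLE_RISKS = [
    Risk("R1", "Ransomware encrypts production data"),
    Risk("R2", "Supplier with access to our data is compromised"),
    Risk("R3", "Unauthorised access to administrative accounts"),
]
SAMPLE_MEASURES = [
    Measure("M1", "MFA on all admin accounts", "alice", ["R3"], date(2026, 2, 1)),
    Measure("M2", "Quarterly backup restore test", None, ["R1"], date(2025, 6, 1)),
    Measure("M3", "Information security policy", "bob", [], None),
    Measure("M4", "Supplier data processing agreements", "carol", ["R9"], date(2026, 1, 15)),
]
SAMPLE_TODAY = date(2026, 2, 27)


def run_sample() -> List[Finding]:
    return gap_analysis(SAMPLE_RISKS, SAMPLE_MEASURES, SAMPLE_TODAY)


if __name__ == "__main__":
    for kind, subject in run_sample():
        print(f"{kind:16} {subject}")
```

Note the M4 case: the supplier agreements are linked to a risk id that does not exist in the register, so the supplier risk R2 shows up as uncovered even though a measure for it is in place. That is exactly the kind of broken linkage an inventory surfaces and a spreadsheet quietly hides.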

How Tidal Control supports this

The coherence between measures, risks, ownership, and evidence is manageable manually with a handful of measures. As the number grows, keeping track in spreadsheets and scattered folders becomes unworkable. Tidal Control centralises those components in one place: measures linked to risks, owners assigned, evidence attached to the right measure, and deviations tracked until they're resolved.

The platform includes pre-built controls and policy templates, with tasks, deadlines, and ownership per measure. Evidence is collected automatically via integrations with your cloud environments and development tools, and more than 300 automated tests continuously check whether measures are working. Workflows ensure that reassessments don't get left behind and that deviations are escalated if they remain open too long. That way, compliance is no longer dependent on a few key people, but is embedded in a process that keeps running.

Want to know where your organisation stands?

Before you bring in structure, you want to know where you are right now. Which measures do you already have, which lack coherence, and where are the biggest gaps?

Take the free Quickscan and get a first picture of your position and the logical next steps in five minutes. No sales call, no obligations.


Frequently asked questions

What is the difference between individual measures and structural compliance?

Individual measures solve individual problems, but lack coherence, ownership, and an improvement cycle. Structural compliance means that measures stem from a risk analysis, have an owner and evidence, and are maintained in an ongoing process. It's the difference between a collection of documents and a working system you can demonstrate.

How do I know it's time to make the transition?

When oversight starts to slip away. You can't quickly provide an up-to-date picture of your status, measures don't have a clear owner, evidence is scattered across multiple systems, or management is asking questions you can't immediately answer. If you recognise three or more of those signals, that's the moment.

What is most often overlooked during this transition?

Three things. Linking measures to concrete risks, so you can substantiate why you're doing something. Ownership, because measures without an owner become outdated without anyone noticing. And the improvement cycle, where lessons from incidents and audits are structurally incorporated rather than handled as a one-off.

How do I prevent structure from becoming too bureaucratic?

By using proportionality as your guiding principle. Not every measure needs the same level of depth, and not every risk assessment needs to be an exhaustive document. Start small, focus on the measures with the highest impact, and opt for concise policies that people actually read rather than documents that end up in a drawer.

Do I necessarily need a platform for this?

Not necessarily. With a small number of measures, manual oversight is feasible. The tipping point comes when the number of measures, suppliers, and stakeholders grows and manual tracking can no longer guarantee coherence. From that point on, a central platform prevents information from fragmenting and compliance from depending on a single person.
