How to build a structured NIS2 compliance programme

A question that comes up consistently in our customer dialogues is not "what does NIS2 require?" but "how do we organise the work so it actually holds up?" Most organisations that come to Hybridity have already done their homework on the requirements. The challenge is operationalisation.

That distinction matters. Knowing the nine security areas is one thing. Building a system that continuously documents, tracks and reports against them is something else entirely.

This article is about the latter. Not what the law says, but what a structured compliance programme looks like in practice, and what that means for how your system support needs to be configured.

Why most NIS2 implementations go wrong

Misconception: NIS2 implementation is a project with an end date.

Reality: The NIS2 Directive requires an ongoing state of compliance, not a one-time effort. Organisations that treat it as a project run into trouble when reality changes: a new supplier, a new incident, a new system configuration. None of that gets captured by a project that has been signed off as complete.

This is something we see directly in how organisations set up their compliance workflows. Those that succeed build a system. Those that struggle build a report.

Step 1: Gap analysis against the nine requirements

The starting point is always a mapping of the current state against NIS2's nine security areas. Not to tick a checklist, but to understand where the actual risks and gaps are.

A gap analysis done in a spreadsheet is not a gap analysis; it is a snapshot. What matters is whether the system continuously keeps that picture updated as the organisation changes.

Hy5 structures the gap analysis against the regulation's requirements and keeps the status live, not as a one-time document but as an ongoing state that updates when controls change or new risks are identified.

Step 2: Prioritise by risk, not by regulatory order

Not all nine security areas carry equal weight for every organisation. A healthcare organisation has a different risk profile from one operating digital infrastructure.

A question that comes up often in our customer dialogues is how to prioritise when resources are limited. The answer is that prioritisation should be driven by risk assessment, not by the order in which requirements happen to appear in the legislation.

This directly affects how a compliance system needs to be configured. Hy5 connects each requirement to a risk assessment so the organisation always knows where the most critical gaps are, not just which requirements are technically met.

Step 3: Leadership accountability is not optional

NIS2 is explicit on a point that is frequently underestimated: senior management carries personal accountability. It is not enough for the IT department to have oversight. The board and management team must be able to demonstrate that they are actively governing and following up on security work.

This is a system question, not just a culture question. Leadership needs access to the right information in the right format to be able to carry that responsibility. Reporting that requires manual consolidation every quarter is not a sustainable basis for management accountability.

Hy5 generates continuous compliance reports adapted for leadership level, without manual administration.

Step 4: Supplier review in practice

Supply chain security is one of the requirements that creates the most friction in implementation. How far down the supply chain should you go? What is reasonable to require of a sub-supplier?

Supervisory authorities have not yet issued clear guidance on exactly what is expected here. What we do know is that organisations must be able to demonstrate that they have assessed and are managing risks in their supply chain.

That means the system support needs to track which suppliers have been reviewed, when the review took place and what the outcome was. Hy5 handles supplier review as an integrated part of the compliance programme, not as a separate process.

Step 5: Compliance is a state, not a project

The fifth step is really a principle that runs through all the others: compliance under NIS2 is not something you achieve, it is something you maintain.

That requires continuous monitoring, automated controls and a system that flags deviations before they become incidents or supervisory issues.

Organisations that try to maintain this with manual processes and spreadsheets spend resources on administration instead of on actual security.

Want to see how Hy5 structures NIS2 compliance?

What does a structured NIS2 compliance programme look like in your system today?

Hy5 handles gap analysis, risk prioritisation, leadership reporting and supplier review in a single platform. It is used by organisations to operationalise NIS2 without parallel processes and manual administration.


Hy5 can drastically increase the efficiency and precision of compliance work.

NIS2 Compliance solutions