How to implement NIS2
NIS2 Implementation Scenario in Portugal
In recent months, many Portuguese companies have finally started to pay closer attention to NIS2.
However, the market remains confused.
It is still common to believe that NIS2 compliance can be achieved simply by engaging lawyers or legal advisors to “handle the legal side”.
This view is incomplete and can create real risks.
NIS2 is not just a legal directive.
It is an operational, organisational and strategic directive that impacts how a company manages risk, security, processes and executive accountability.
Understanding how to implement NIS2 in practice requires a clear grasp of what the directive demands, who must be involved, and what type of support is needed to ensure a consistent and effective implementation.
How to implement NIS2: what the directive requires from companies
Organisational obligations under NIS2
The implementation of the NIS2 Directive goes far beyond a legal framework.
Companies covered by the directive must demonstrate that they have:
- Cyber risk management processes
- Technical and organisational security measures
- Incident response procedures
- Continuous monitoring and control
In other words, NIS2 compliance requires practical evidence that security is embedded in the organisation’s day-to-day operations.
Responsibilities of top management
One of the core pillars of NIS2 is management accountability.
The directive establishes that leadership must:
- Approve cyber risk management measures
- Oversee their implementation
- Ensure that adequate resources are in place
This makes NIS2 a governance issue, not merely a matter of formal compliance.
The impact of NIS2 on daily business operations
In practice, NIS2 affects operational, technological and organisational decisions.
From internal policies to the way suppliers are assessed, security becomes an integral part of the business.
Limitations of a purely legal approach
The legal framework is important, but it does not address:
- Real risk assessment
- Definition of technical controls
- Integration with IT and information security
- Operationalisation of the required measures
A legal opinion does not implement processes, nor does it ensure that the organisation is prepared to respond to an incident.
Difference between legal framework and practical implementation
Lawyers interpret the directive.
Implementing NIS2 requires translating that interpretation into operational, technological and organisational decisions, as mentioned above.
These are different layers, requiring different skills and expertise.
Risks of an incomplete interpretation of NIS2
When NIS2 is treated solely as a legal matter, several risks may arise:
- A false sense of compliance
- Measures misaligned with the organisation’s real context
- Failures in incident response
- Exposure to sanctions and reputational impact
How to implement NIS2: the role of specialised consultancy
What Strongstep does as an NIS2 consultancy
A specialised NIS2 consultancy acts as a bridge between the directive and the company’s day-to-day operations.
The focus is not merely on “compliance”, but on implementing NIS2 in a way that is truly aligned with the real context of the business.
Maturity and risk assessment
The starting point is to understand:
- The organisation’s current level of security maturity
- The critical risks faced by the organisation
- The gaps in relation to NIS2 requirements
Without this diagnosis, any implementation will be either incomplete or excessive.
Definition of an implementation roadmap
Based on the assessment, a clear, phased and prioritised roadmap is defined.
This plan enables the organisation to understand what needs to be done, when it should be done, and with what impact, reducing uncertainty and ad-hoc decision-making.
How to implement NIS2: how to get started in a structured way
When it makes sense to work with a consultancy
It makes sense whenever a company needs to translate legal requirements into practical, structured decisions aligned with the business.
What a company should prepare internally
Before starting, it is important to identify responsible stakeholders, align management expectations, and ensure availability to support the process.
How to reduce risk and uncertainty from the outset
A structured approach, combining diagnosis, a clear roadmap and specialised support, reduces errors, rework and decisions based on assumptions.
Next step
NIS2 requires more than legal interpretation.
It requires understanding, structure and the ability to implement measures in practice.
For a more in-depth view of NIS2, its requirements and how it impacts business operations, you can explore our NIS2 training programmes, where the topic is addressed in a clear, practical and business-oriented way.