When an organization understands that it is subject to NIS2, the question is often not whether to act, but how to act without getting lost along the way. The directive is clear in its objectives, but deliberately open in the “how”. And that is where the doubts begin, along with the dispersion of effort and, in many cases, the feeling of always reacting late.
Before going into specific tools or solutions, a first strategic decision must be made: how to approach the implementation of NIS2. In practice, there is no single valid approach, but different combinations of internal responsibility, expert support and operational support.
Some organizations opt for a completely in-house approach. This is a viable path when there is previous maturity and capacity to sustain the effort over time. The challenge is rarely in understanding what the board is asking for, but rather in maintaining consistency, continuity and discipline throughout the process, preventing compliance from depending on specific individuals or one-off efforts.
Other organizations rely on external consultants to accelerate start-up, correctly interpret requirements and avoid common mistakes. The value of the consultant lies in analysis, professional judgment and comparative experience. But NIS2 is clear on one fundamental point: responsibility is not delegated. Decisions, risk acceptance and governance remain with the organization itself.
This is where technological support makes sense. A SaaS platform does not replace either the internal team or the judgment of an auditor or consultant, but it does act as an organizational accelerator. It provides a common base on which people and decisions can work coherently, reducing friction, duplication and loss of information.
One of the most common mistakes when approaching NIS2 is to think of it as a set of documents to be produced. In reality, the directive requires something rather more complex: that the organization is able to identify risks, make decisions, demonstrate governance and continually review its security posture.
Doing all this manually is possible, but it is often slow, fragile and highly dependent on specific individuals. A platform makes it possible to transform that requirement into a single system, where assets, risks, decisions, controls and incidents are interrelated and mutually reinforcing. It does not simplify NIS2 in terms of requirements, but it does make it operable, traceable and sustainable over time.
Acceleration starts by sharing the same base
One of the big blockages when starting with the implementation of NIS2 is the lack of a common vision in the organization. There are long discussions about scope, about what goes in and what doesn’t, about what is really critical. Without a shared foundation, every conversation starts from scratch.
Asset inventory plays a key role here. You cannot manage what you do not know, and NIS2 insists precisely on identifying essential services, critical assets and external dependencies. A platform makes it possible to build and maintain a living inventory, which does not remain a static snapshot, but connects assets with services, suppliers, risks and incidents.
When that information is integrated, many discussions disappear on their own. Scope ceases to be an opinion and becomes tangible and shared. Faster NIS2 compliance does not mean doing more things in less time, but reducing friction, avoiding duplicate work, and making decisions on a common basis. In practice, the difference between moving forward and getting stuck is often not in technical knowledge, but in how compliance is organized.
Policies that bring order
Policies are mandatory in NIS2, but writing them from scratch is often one of the most time-consuming and frustrating tasks. Not only because of the time it takes, but also because it is easy for inconsistencies to appear between documents or for texts to be written that nobody uses. A SaaS platform accelerates this by offering policy templates that ensure minimum coverage, maintain consistency between documents and adapt to the real context of the organization. It is not a matter of copying and pasting, but of avoiding mechanical work to focus on what is important: what is decided, why and how it is applied.
Risk management
Risk management is at the heart of NIS2 and, paradoxically, one of the most unnecessarily repeated processes. Spreadsheets that get duplicated, versions that get lost, assessments that don’t connect to treatments.
A SaaS platform makes it possible to assess risks in a homogeneous manner, apply clear acceptance criteria and automatically connect the assessment with the treatment. The process becomes more agile, yes, but above all more consistent, which is essential when you have to demonstrate governance to an auditor or a competent authority.
In addition, NIS2 makes it clear that certain risks cannot be accepted “silently”. The platform forces approvals where appropriate, records who decides and when, and leaves clear evidence of the process. This eliminates one of the biggest sources of organizational uncertainty: actually knowing who has taken what risk.
Incidents: when there is no time to improvise
When an incident occurs, speed matters. And not only to resolve it, but also to report it correctly and understand its real impact. If at that moment you have to search for scattered information or reconstruct past decisions, the margin of error increases. A platform makes it possible to record incidents in a structured way, relate them to risks and assets, analyze their impact and leave complete traceability of what happened. The organization does not improvise: it acts on an already built base.
All in one place: the difference for the consultant
From the perspective of a consultant accompanying organizations on their compliance journey, a centralized platform makes a clear difference. Having policies, controls, risks, evidence and progress statuses connected in a single environment reduces operational friction and eliminates much of the manual and repetitive work.
Structured and always up-to-date information allows the consultant to work with greater precision, accelerate diagnoses, facilitate periodic reviews and offer recommendations based on a complete and coherent vision of the real state of the organization. The result is a more efficient and valuable support: less time spent gathering information and more focus on analysis, professional judgment and strategic support to the client.
In platforms specifically designed for regulatory compliance – such as Ithikios – the goal is not to automate decisions, but to make them visible, consistent and traceable.
Evidence
Another less visible – but decisive – effect of a SaaS platform is that evidence is not generated after the fact, but as a natural part of daily work.
In many manual approaches, compliance means reconstructing the past: searching for emails, justifying old decisions, explaining why something was accepted or prioritized in a certain way. That is time-consuming, stressful and increases the risk of inconsistencies. When decisions, approvals, reviews and changes occur within a platform, the evidence exists from the very beginning. There is no need to “prepare” it for an audit or a review: it is already there, linked to the risk, the asset and the person responsible for it.
This speeds up compliance because it eliminates one of the slowest and most fragile phases of any regulatory process: demonstrating what has already been done.
Sustainability
Another key – and seldom recognized – benefit is the reduction of dependence on specific individuals. In many organizations, knowledge about risks, decisions or exceptions lives in the heads of a few people. When those people change roles, leave or are simply unavailable, the system suffers. A SaaS platform moves that knowledge from individual memory to the system itself. Decisions are recorded, criteria documented and context preserved. The organization does not depend on “who knows,” but on how it is governed. This not only improves internal resilience, but accelerates NIS2 compliance by keeping the system running even as the organization changes.
Conclusion
NIS2 is not a one-time milestone, but a commitment that must be sustained over time. Real compliance requires continuity: automatic reminders, regular reviews, updated evidence and the ability to detect deviations before they become non-compliances. In this context, a SaaS platform allows the organization to remain permanently prepared, without relying on deadlines, one-off audits or someone “raising their hand”.
As we said at the beginning, a SaaS platform does not simplify NIS2 in terms of requirements, but it does make it governable. It centralizes control, eliminates duplication, reduces operational noise and transforms the policy into a live system that works on a daily basis. And that sense of continuous control is what really accelerates and consolidates compliance.
The difference between complying with NIS2 and living permanently on the verge of non-compliance does not lie in how much is known, but in how it is governed. And that, today, is hardly sustainable without a system that thinks long term.