My phone rang at three in the morning. The voice on the other end was that of someone who had not slept, and for the right reasons: ransomware, live and spreading. Even though the dashboard was green the day before—and technically still was when the call started, since no one had updated it—the damage was already done.
I have lived versions of this scene more than once over the past few years. The Network and Information Security Directive (NIS2) has been in force in Belgium since October 2024. Frameworks are in place, and authorities are operating. Yet, across the nearly 50 missions I oversaw, I keep seeing the same silent mechanisms turning organizations that look compliant on paper into organizations that are not resilient when it actually matters.
Six patterns. Six mechanisms are likely to surface in other member states as transposition advances. And one particular call in the middle of the night.
The Compliance Illusion
Why does NIS2 keep becoming a checklist?
The answer is not regulatory. It is psychological. NIS2 was built with a governance ambition: bring leadership into the cybersecurity conversation, structure risk management, and formalize accountability. But a directive cannot change a culture. At best, it creates the conditions for change.
The organizational reflex when facing NIS2 has been the same as with ISO/IEC 27001, the General Data Protection Regulation (GDPR), and every prior obligation: translate it into deliverables, assign it to a function, get sign-off, and file it. The green dashboard is the symbolic completion of that reflex. It says, ” It is done, and we can move on”.
In cybersecurity, the green dashboard is rarely the truth. It is a representation that the truth is safe.
The CyberFundamentals (CyFun) framework deployed by the Center for Cybersecurity Belgium (CCB) is one of the most pragmatic transpositions I have seen in Europe. The framework is not the issue. What organizations do with it is. And what they do falls into six patterns I now recognize at a glance.
Pattern 1: The Shelf Assessment
A medium-sized industrial group in Wallonia. Late 2024. We delivered a CyFun gap assessment with prioritized recommendations, a costed remediation roadmap, and a clear governance framework. The CEO thanked us. The CISO filed it. Nobody opened it again.
Eighteen months later, the same group called me back. They needed a new gap assessment. I asked what had been done with the previous one. The answer came after a long pause: nothing. The report was on a shared drive. The remediation roadmap had not been started. The risk acceptance decisions had not been documented. The deliverable had been confused with the outcome.
I see this pattern frequently. Organizations commission a gap assessment because the directive requires one, and they treat the production of the report as the satisfaction of the obligation. The mission was scoped to produce a document, not a decision.
NIS2 Article 21 is not asking for a document. It is asking for measures. Measures imply choices. Choices imply a moment when someone, with a name and a function, says: We will do this, we will not do that, and here is why. Knowing your risk and deciding to act are two different things. Most organizations stop at the first step.
Pattern 2: When the Shelf Becomes a Crater
Pattern 1 is what happens when nothing happens. Pattern 2 is what happens when something does.
Early 2025. First NIS2 gap analysis of the year on a Big Belgian player in the food industry, with over 100 million euros turnover. Full scope, assessment plus penetration test. The organization was a mess. But we were not there to judge. We were there to help.
Here is the ethos I try to infuse into the team. We want our clients to be independent of us. We overdeliver. We make sure they have every card in their hands to take action, even if it is not with us. Because I want people to be secure, not married to me.
We delivered the report. Catastrophic. Honest. Complete. Every recommendation was costed and prioritized. The company thanked us: very thorough, our internal team will take it from here, and we will follow your recommendations. Fine.
Three months later, the call came in the middle of the night. You know that call. Ransomware. The organization was down. The backups were corrupt. Nothing could be recovered. They did not ask for incident response. They asked us to find a specialist who could negotiate with the ransomware group so they could pay a lower fee.
Ten million asked. One million paid.
Between the report on the table and the phone call at night, three months had passed. Three months during which nothing had happened. The action plan had stayed in the closet. Nobody had taken a single decision. Despite everything being written black on white, with prices, with priorities, with names attached.
This is the shelf assessment, weaponized by reality. The shelf was not just storing a report. It was storing the future of the company.
Knowing your risk and deciding to act are two completely different things. Most organizations stop at knowing. The few that do not don’t get mentioned in articles like this one. They sleep at night.
Pattern 3: The Ghost CISO
Antwerp, last November. I am sitting across from a woman who could be running an entire practice if anyone had given her the conditions. Certified. Ten years of experience. A large pharmaceutical group appointed a CISO eighteen months earlier.
I ask her one question: When was the last time you presented your risk posture to the board?
She looks at me for a moment. And she answers: I have never been invited.
Never. Been. Invited. She is responsible for protecting an organization that handles sensitive clinical data, a supply chain across three continents, and regulatory obligations that would keep most senior executives awake at night. The people who decide the budget have never heard her speak.
She writes excellent reports. Color-coded matrices. Quarterly dashboards. Nobody reads them. Not because they are bad. Because they arrive in an inbox that the CFO scrolls past once a month.
NIS2 article 20 requires the management body to approve cybersecurity risk management measures and oversee their implementation. It does not just require a CISO to exist. It requires that the CISO have the conditions to exist meaningfully.
A CISO without a seat at the table is a CISO who writes reports nobody reads. A CISO without a budget can name problems but not solve them. A CISO without a mandate is a regulatory placeholder. Organizations are still treating the appointment of a CISO as a checkbox, not as a structural decision about how cybersecurity flows through their leadership.
Pattern 4: The Untested Control
A regional Belgian hospital. ISO 27001 certified for years, NIS2 compliant on paper, full incident response plan documented to the last detail, business continuity plan spanning every clinical service. We ran a tabletop exercise. The first scenario was a ransomware incident affecting the patient record system during the morning shift change.
The IRP designated, as escalation lead, a security manager who had left the hospital a year earlier. The deputy was on parental leave. The third in the chain did not know he was in the chain. The clinical continuity plan referred to manual procedures that nobody had practiced since the last accreditation drill, two years prior. The contact list of critical suppliers contained two phone numbers that had been deactivated.
Forty-five minutes into the exercise, the room had stopped pretending. Nobody knew who would call the cybersecurity authority. Nobody knew under which legal framework patient data could be temporarily moved to a backup system. Nobody had ever practiced the conversation with the clinical director about postponing scheduled surgeries.
This pattern is invisible until tested. Plans are written, signed, audited, and never played. Backups are documented but not restored. Failover procedures exist on paper but have never been triggered. In healthcare, the gap between paper and reality is not just a compliance issue. It is a clinical safety issue.
The response is always the same: we do not test because if we test it and it does not work, then we have a problem. So we do not test. Which is the same as having an alarm system you have never plugged in, and feeling safe because you can see it on the wall.
A control that has not been tested under pressure is a hypothesis. Not a control. The whole point of cybersecurity governance is to convert hypotheses into knowledge. Most organizations are still avoiding that conversion.
Pattern 5: The Translation That Never Happened
A retail group, board meeting, agenda item on cybersecurity risk acceptance. The CISO presents. The slides are technically excellent. The risk register is reviewed. The board nods. Risk acceptance signed. Meeting moves on. Eleven minutes.
I was in the room. I knew the risks being signed. They were not minor. One of them, properly understood, would have justified a board-level conversation about a six-figure investment and a strategic shift in supplier governance.
For a long time, I thought this pattern was about board disengagement. I was wrong. The board did not ratify because it was disengaged. The board ratified because nobody had translated. The CISO had presented cyber risk in cyber language. CVSS scores. Control gaps. ISO clauses. The board, sitting in front of that material, had no way to convert what they were hearing into a business decision they could own. So they did the only thing they could do. They trusted the expert in the room and signed.
Cyber risk is not a separate category of risk. It is a business risk. A ransomware that takes down your production line is an operational risk. A breach that exposes client data is a reputational and legal risk. A supplier compromise that interrupts your supply chain is a financial risk. The cyber dimension is the vector. The risk itself is always business.
When the cyber risk is not translated into the business risk it actually is, the conversation defaults to ratification. Not because boards do not care. Because they cannot decide on something they cannot evaluate.
If the board does not engage, it is rarely the board’s fault first. It is the fault of whoever framed the conversation in technical terms instead of business terms. NIS2 article 20 made cyber risk a board-level topic. It did not give boards the language to engage with it. That language has to be brought in by the cyber professionals. And it is not optional.
Pattern 6: The Documentation Trap
CyFun, like most modern frameworks, scores organizations on two distinct axes: documentation maturity and implementation maturity. The intent is sound. A control that exists in someone’s head but nowhere on paper is a control that disappears the day that person leaves. Writing down what you do is institutional memory.
But a perverse effect has emerged. Documentation is being scored. Documentation is being valorized. Documentation is being counted as part of the implementation itself.
I have seen organizations spend six months producing a documentation set that pushed their CyFun maturity score from level 1 to level 3, without changing a single technical control. The numbers improved. The dashboard turned greener. The audit went smoothly. And the actual security posture was identical to what it had been before the project started.
The trap is in the framework’s symmetry. Documentation maturity and implementation maturity look like equal axes. They are not. Documentation describes what you do. Implementation is what you do. When a measurement system treats them as equivalent, organizations rationally optimize for the cheapest one. Producing a policy is faster, cheaper, and lower-risk than rebuilding an access control infrastructure. So the policy gets written. The infrastructure does not get touched.
A signed policy is not a control. A written procedure is not an executed procedure. A documented test is not a tested control. The day an incident hits, it is implementation that responds. If the implementation has been neglected because the documentation looked sufficient, the gap is discovered in the worst conditions. Sometimes at three in the morning.
Europe at Different Speeds
These six patterns are not Belgian. They are organizational. Which means they will surface, with statistical regularity, in every other member state as transposition advances.
Belgium transposed early and chose a national framework, the CyFun, that is structured, scaled, and explicit. France is rolling out the ReCyF with a two-year lag. Germany is moving slowly. The Netherlands is drawing inspiration from the Belgian model. Italy transposed without a binding national framework. Each country will live, in its own way, the same six patterns.
The patterns are not caused by the directive, the framework, or the consultants. They are caused by how organizations metabolize regulatory obligations. That metabolism is not Belgian, French, German, or Italian. It is corporate.
Most countries will still make the same mistakes because the patterns are not cognitive errors. They are structural defects of governance. They will not be corrected by communication, training, or documentation. They will be corrected by leadership decisions inside individual organizations, one at a time.
What happened in Belgium is your mirror, not your exception.
What Actually Works
On 40 missions, I count a small handful where NIS2 became a real catalyst rather than a formality. Their common traits have nothing to do with size, sector, or initial maturity. They have to do with three things, and three things only.
First, the board asked the right questions. Don’t show me the dashboard. But show me the three things that scare you most. The conversation started with friction, not with compliance.
Second, the CISO spoke about euros and downtime. Not CVSS scores, not ISO control numbers. The risk was translated into the language the executive team uses every day. Once translated, the decision followed naturally.
Third, someone said it is on me. Not the consultant, not the CISO alone. A member of the executive team. The moment one person publicly takes ownership of the cyber agenda is the moment the organization shifts. I have watched it happen. It is unmistakable.
There is no hack. No magic platform, no miracle framework, no shortcut certification. What works is discipline and ownership. Always. Everywhere. The organizations that succeeded with NIS2 did not buy more. They decided more.
The world does not need another cybersecurity expert. Europe has plenty of those. What the world needs is people willing to challenge the status quo. People who pick honesty over cleverness. Ownership of blame. Decision on ratification. Implementation over documentation. And who refuse, as professionals, to capitulate to the gravitational pull of the checklist.
What the Next Two Years Will Tell Us
NIS2 is not a compliance project. It is a maturity test for European organizational governance. The next two years will tell us whether the continent can move from paper to reality, from dashboard to decision, from function to mandate.
Belgium has a two-year head start. What comes out of it will not be measured by audits passed, but by incidents that did not happen, by decisions made in time, by phone calls in the middle of the night that did not need to happen, because someone, three months earlier, had taken the report off the shelf and turned it into a decision.
Compliance is the floor. Leadership is the ceiling. The space between the two is where European cyber resilience will actually live or die.
If you are reading this, you are most likely one of the professionals who can shape that space. A CISO, a risk officer, a board advisor, a regulator, an auditor. You have the technical understanding to see the patterns. You have the position to challenge them. The temptation, when frameworks pile up, is to capitulate. To produce the document, file it, and accept the green dashboard as the goal.
Do not capitulate. The patterns described here persist because too many capable professionals choose, every quarter, to satisfy the system rather than challenge it. The result is not a failure. The result is something more insidious: organizations that look protected and are not. And the phone calls at three in the morning that follow.
Belgium just gave you the map. The decision is yours. Now.







