NIS2 in Luxembourg: from compliance ambition to operational reality
With NIS2 now entering into force in Luxembourg, the real challenge is no longer understanding the regulation, but proving the organization is already ready to operate under it.
May 11, 2026

Soukaina MAMOUN, Senior Manager, Cyber Security Consulting and Abdelhay TOUDMA, Partner, Governance, Risk and Compliance Leader (EY Luxembourg)
A decisive moment, built on what came before
Luxembourg has now entered a new phase in its NIS2 journey with the publication of the law transposing the directive on 5 May 2026, and its entry into force on 10 May 2026.
At first glance, this may appear as a familiar situation: a directive, a transposition, and a future compliance deadline.
In practice, the dynamic is already different.
Across organizations, expectations are evolving ahead of formal enforcement. Regulators, clients, and partners are no longer looking for intent, they are looking for evidence of readiness.
This creates a subtle but important shift. NIS2 does not start with the law. It starts with the ability to demonstrate control.
From regulatory timeline to operational readiness
Many organizations still approach NIS2 through a timing lens:
When will it apply? When do we need to be ready?
This perspective is understandable, but increasingly insufficient.
Experience from similar regulations shows that readiness is not assessed based on when a law enters into force, but on whether organizations are already capable of:
- understanding their exposure
- managing their risks
- responding effectively to incidents
This is where the challenge lies.
NIS2 readiness is not a short-term exercise. It requires aligning governance, risk management, operational processes, and technical capabilities, often across multiple functions.
Waiting for clarity may simplify planning, but it rarely simplifies execution.
What NIS2 really changes
NIS2 is often described as a reinforcement of existing requirements.
While this is true at a high level, the underlying shift is more structural.
The directive moves organizations:
- from documenting controls to demonstrating effectiveness
- from technical ownership to management accountability
- from isolated initiatives to end-to-end operational capabilities
In particular, the explicit responsibility placed on executive bodies changes how cybersecurity is positioned internally.
It is no longer only a technical or compliance topic.
It becomes a matter of governance, decision-making, and accountability.
Bridging the gap between design and execution
When organizations start translating NIS2 into concrete actions, a recurring pattern emerges.
On the one hand, most organizations are not starting from zero.
Frameworks are in place, policies exist, and controls have been defined, often aligned with standards such as ISO 27001.
On the other hand, when looking at how these elements operate in practice, gaps appear.
- Procedures may exist but are not always actionable.
- Roles may be defined but not fully understood.
- Plans may be documented but rarely tested.
These gaps tend to surface at the same moment: when organizations consider how they would react in a real incident, under time pressure and regulatory constraints.
NIS2 does not create these weaknesses, but it does require organizations to address them.
Recurring challenges observed in the field
Several friction points consistently arise during NIS2 readiness initiatives.
A first challenge is the definition of scope.
Eligibility criteria are sometimes misinterpreted, dependencies are not fully mapped, and subsidiaries assume coverage at group level. What initially appears as a classification exercise often turns into a broader governance discussion.
A second challenge relates to operational readiness.
Organizations frequently realize that, while they are well documented, they are not always prepared to execute, particularly in areas such as incident response and crisis management, where timelines are constrained.
A third dimension, often underestimated, is the supply chain.
Critical third parties are not always formally identified, contractual requirements may be inconsistent, and risk assessments remain fragmented. Under NIS2, however, accountability extends across the entire value chain.
A final key observation concerns avoiding over-complexity in the approach. Faced with these gaps, the natural reaction is often to increase the level of control: more documentation, more processes, more requirements.
While this may improve formal alignment, it can also introduce complexity that slows down execution.
In practice, the most advanced organizations adopt a different approach.
Rather than aiming for completeness, they focus on:
- critical services
- high-impact risks
- decision-making capabilities
They prioritize what needs to work first and expand from there.
This approach is not about doing less. It is about doing what matters in the right order.
“NIS2 does not require perfection; it requires clarity on what matters, and the ability to be both pragmatic and compliant where it counts.” – Soukaina MAMOUN, EY Luxembourg Senior Manager, Cyber Security Consulting
From fragmentation to coherence
Another structural challenge organizations face is not the lack of frameworks, but their accumulation.
NIS2 rarely exists in isolation. It overlaps with ISO 27001, OT-related standards such as IEC 62443, other regulatory requirements like DORA, as well as internal control frameworks and sector-specific obligations.
Taken individually, these frameworks are well understood.
Taken together, they often create fragmentation: duplicated controls, inconsistent structures, and increasing operational complexity.
Addressing NIS2 effectively therefore requires more than adding another layer. It requires introducing coherence.
A more sustainable approach consists in structuring cybersecurity around core capabilities, rather than individual regulations.
These capabilities (governance, protection, detection, response, and resilience) provide a stable and operational foundation onto which regulatory requirements and best practices can be mapped in a consistent manner.
This approach is most effective when it is not theoretical.
A capability-based structure can be used to align NIS2, ISO 27001, DORA and other requirements into a single, coherent model.
This allows organizations to:
- maintain a unified cybersecurity model across regulatory landscapes
- reuse controls, processes, and evidence across multiple obligations
- reduce duplication and implementation effort
- adapt more efficiently as regulatory expectations evolve
Ultimately, the objective is not to simplify NIS2.
It is to ensure that compliance is operationally sustainable and scalable over time.
“Beyond the deadline, what does NIS2 really test: compliance, or confidence? The answer is clear: it’s about proving your organization can withstand disruption and stay in control when it matters most.” – Abdelhay TOUDMA, EY Luxembourg Partner, Governance, Risk and Compliance Leader
Structuring and accelerating NIS2 readiness
How can organizations be supported in translating NIS2 into practical, defensible, and operational outcomes?
Through a simple approach designed to be pragmatic, progressive, and contextualized to existing environments, with engagements structured around four key steps.
1 – Clarifying the real scope
Beyond formal classification, we identify the true perimeter of exposure:
critical services, supporting systems, third-party dependencies, and applicable supervisory authorities.
This step often reveals gaps between perceived and actual scope and ensures that efforts are focused where accountability and risk truly lie.
2 – Focusing on what drives impact
Rather than conducting exhaustive, checklist-driven reviews, we focus on the areas that drive both regulatory compliance and operational resilience.
This includes targeted assessments of:
- governance and management accountability
- cyber risk management and control effectiveness, aligned with NIS2 Article 21 and local transposition (in Luxembourg and other EU countries, when applicable), using our own meta-framework
- third-party and supply chain risk
The objective is not to measure everything, but to identify what must evolve to withstand real-world scenarios and regulatory scrutiny.
3 – Building a realistic roadmap
We translate findings into a sequenced transformation plan (quick wins, foundation projects, efficiency improvement projects, etc.).
This roadmap is:
- risk-based and prioritized
- aligned with business constraints and ongoing initiatives
- designed to deliver incremental, measurable improvements
Where relevant, we integrate with existing programs (e.g. ISO 27001, DORA, internal control frameworks) to avoid duplication and ensure consistency.
4 – Enabling operational readiness
We support organizations in the end-to-end implementation of their roadmap, ensuring that capabilities are not only defined but fully operational, integrated, and effective in practice.
This includes both organizational and technical initiatives, such as:
- implementation or enhancement of security controls (e.g. access management, logging & monitoring, vulnerability management)
- structuring of governance and decision-making frameworks
- strengthening of incident response and crisis management capabilities
- integration of third-party risk management into operational processes
We also ensure that these capabilities are usable and validated under real conditions:
- development of actionable and testable procedures
- execution of crisis simulations, including executive-level exercises
- validation of roles, escalation paths, and decision-making processes
- preparation for regulatory interactions, reporting, and inspections
The objective is to move from defined measures to capabilities that perform under pressure and can be demonstrated when required.
Final perspective
NIS2 should not be seen as a standalone compliance exercise.
It is an opportunity to strengthen how organizations:
- govern cybersecurity
- prioritize risk
- detect and respond to incidents
- demonstrate control
In that sense, it acts less as a regulatory constraint and more as a catalyst for maturity. The key question is therefore not whether organizations will comply. It is: “Will they be ready when it matters?”