With most EU member states slow-rolling NIS2 implementation, organizations face uncertainty about compliance requirements while simultaneously addressing growing cybersecurity demands from customers and investors. Hans Kayaert, general counsel at Aikido Security, cuts through the fog of compliance theater to expose the significant disconnect between legal teams churning out paperwork and the technical experts who must translate bureaucratic jargon into actual security measures.
Uncertainty — not ideal for compliance, but that’s how I’d describe the landscape for NIS2 implementation across Europe. Local implementations have been stalled or delayed in most member states — with one notable exception. Belgium has taken a tough position, but there’s a silver lining: What the Belgians have implemented is essentially a copy of the ISO 27001 standard.
This matters because ISO 27001 is fundamentally voluntary, and NIS2 simply makes this obligatory. Belgium’s early adoption, while seemingly severe, is actually helping to create a good level of standardization that other member states could — and should — follow.
The paper tiger problem
Why all the panic? Well, we’ve seen this before. I was in the trenches when GDPR hit Europe, and all I saw in response was what I like to call “papering up,” a generic reaction that involved an avalanche of policies and documents. A whole industry was doing a lot of busy work around legal policies that, in the absence of actually talking with the technical side, just felt like smoke and mirrors.
With NIS2, the legal and compliance consulting industry is doing exactly the same thing. I’ve seen plenty of ads from legal tech companies doing AI — and suddenly they’re all talking about policy documents for the Cyber Resilience Act, which entered into force in December, when it’s just about making sure your code isn’t vulnerable and fixing issues when they happen.
The easy part is making paper tigers. What actually matters is having conversations with the people who are, let’s say, two or three levels down in the organization, the ones actually looking at the software.
Enterprise has it hardest
The reality gets more complex when we look at larger enterprises. While a startup might have just one piece of software to worry about, larger companies are often the consequence of mergers and acquisitions, and these legacy software applications come along for the ride. What you end up with isn’t just one piece of software; with a large enterprise, you often see dozens of pieces of software that need to be secured and monitored.
This complexity often leads to what I call “compliance theater,” with companies waving around certifications that only apply to a cherry-picked combination of repositories or cloud configurations. They basically just certify a tiny bit of it.
This is particularly relevant in M&A situations — we’re seeing this becoming part of standard due diligence now. For instance, private equity groups that are buying software companies are running security scans of their targets’ whole infrastructure and source code as part of their due diligence process. It makes sense: If part of M&A due diligence is legal due diligence, you need to jump from lawyers looking at policy documents to actually understanding the technical side.
The communication gap
A core challenge is communication. When a compliance requirement like NIS2 comes in, it typically lands first with legal teams and chief information security officers who are far removed from a working understanding of what a vulnerability actually is.
What happens next is that the conversation needs to trickle down to those people who actually understand the technical reality. That’s where things start breaking down; people start talking different languages because it gets technical. The compliance people need reports that map to their frameworks and language, while the technical people need to see what needs fixing.
How to move forward (practically)
What’s the practical way forward? If you already have ISO 27001 certification, you’re basically good to go — unless you’re running nuclear power plants or other critical infrastructure. We need to stop panicking about NIS2 and think about practical implementations that create real security improvements.
Take the supply chain requirements, for example. Instead of just pushing paperwork down the chain, organizations can require vendors to be transparent about their security posture and incident response times. We’re seeing this approach work well because it establishes trust through demonstration rather than documentation. Trust in traditional certifications like SOC 2 is diminishing; what matters now is having actual evidence of security in practice.
At some point, we need to move beyond the approach where people make money on the lawyer-elite compliance side without furthering the objective of the regulation, which is to improve security. This means establishing some sort of standardized approach that focuses on practical implementation rather than just documentation.
If you’re not well-organized in dealing with these requests coming in, you may lose trust and you may lose revenue or renewals because you are not able to establish trust with your clients. That’s your top-line problem.
Then on the development side, if you enforce these vulnerability measures ineffectively, you will drown your developers with false positives, which is a drain on time. That’s more than just an expense issue: Those developers typically make software that is critical to your growth. This is hitting home, from impacting trust at the sales side to hampering the innovation capabilities of your company.