
NIS2: Here We Go Again, More Regulation… Or Is It?


By Daragh O Brien
April 16, 2026
28min read
Tags: Data Governance, Data Strategy, NIS2, Regulation, Tech Trends

“The time is always right to do the right thing.” (Martin Luther King Jr.)

“Here we go again. More regulation.”

That is the chorus line I have been hearing in webinars, coaching calls, and boardrooms for the past eighteen months as Irish organisations have grappled with the NIS2 Directive and its transposition into Irish law via the forthcoming National Cyber Security Bill.

It is a reasonable complaint. Between GDPR, the EU AI Act, the Data Governance Act, the Data Act, DORA, the Digital Services Act, and now NIS2 (with the Digital Omnibus proposals warming up in the wings) even the most stoic data governance and compliance professional could be forgiven for reaching for the whiskey bottle. Or hemlock.

But here is the thing: NIS2 is not really more regulation.

NIS2 is the same conversation we have been trying to have with Boards and executives for the best part of three decades, the one about data being a critical asset of the organisation. It’s just wearing a cybersecurity hat this time, and has some slightly sharper teeth.

The same old song, in a new NIS2 key

When I wrote The Data Strategy and Governance Toolkit back in 2011, the opening line of the blurb was “Data is your company’s greatest asset and its greatest risk.” That sentence has aged depressingly well. Every subsequent wave of data-related regulation, from GDPR in 2018 to the AI Act, DORA, the Data Act, the EU Data Governance Act, and NIS2, is fundamentally an attempt by legislators to force organisations to take that statement seriously. 

Not to tick a box. Not to produce a policy nobody reads. To actually govern data, and the information systems and processes that create and consume it, as something worth governing.

If we strip the cyber jargon out of NIS2 and look at what it actually asks of in-scope entities, a very familiar pattern emerges.

  • Management body accountability. GDPR said this. The AI Act says this. NIS2 says it with personal liability, administrative fines, and temporary bans on directors of essential entities for good measure. (And it’s worth remembering that Section 146 of the Data Protection Act 2018 has personal liability for managers, officers, and directors of bodies corporate for offences committed under the Act).
  • Risk-based identification of critical assets and services. This is Governance 101. We have been teaching this for at least as long as there has been a DAMA DMBOK to teach from.
  • Supply chain risk management. Article 28 GDPR in a hi-vis vest? But a fundamental of Business Continuity planning for an eternity.
  • Incident detection, response, and regulator notification on tight clocks. Personal data breach notification, meet cyber incident early warning. You two have a lot to talk about.
  • Policies, procedures, training, and awareness. The human factors in data governance, dressed up for a different audience.
  • Documentation and evidence of effectiveness. The ROPA’s cousin nobody thought to invite to the wedding, and have we all forgotten about Article 5(2) and Article 24 of GDPR?

None of this is genuinely new. Heck, the Sarbanes-Oxley Act (where I cut my Data Governance teeth long before we had the label) had CFO and Executive level liability for data accuracy.

What is new is the scope, the sectors in frame, and the potential enforcement muscle.

The governance thread that ties it all together

One thing I have been saying a lot to clients recently, and to colleagues at the recent Data Leaders’ Summit, is that organisations which approached GDPR as a project (a one-off effort to get to compliance and park it) find themselves repeatedly ambushed by each new regulatory wave. Organisations which approached GDPR as a governance programme, one that builds an organisational capability for governance and accountability for information, are finding NIS2 and the AI Act more straightforward to integrate.

Why? Because the underlying governance primitives are the same in every case:

  1. Know what you have — data, systems, services, suppliers, dependencies.
  2. Know what matters — which of those are critical to achieving organisational objectives, and to whom.
  3. Know who is accountable — and how decisions actually get made.
  4. Know how you know it is working — measurement, assurance, and the capacity to learn.

This is not, at root, a cybersecurity problem. It is a governance problem that expresses itself at a different altitude, and a different attitude, depending on which regulation you happen to be looking through.

As I argued in Data Governance — An Engine for Innovation?, the fundamental point of data governance is to govern data as an asset of the organisation. It is about paying attention to what the organisation needs to do with that data, and to the risks that arise from having it. NIS2 is simply the cybersecurity expression of the same underlying logic. And you need to know your essential or important services, know the data and systems that underpin them, and govern accordingly.

NIS2 is a resilience regulation, not a security one

This is where a bit of academic theory earns its keep. Duchek’s resilience model (anticipation, coping, adaptation) is a useful lens for thinking about NIS2. NIS2 is, at its heart, a resilience directive. It recognises that perfect prevention is impossible. It requires that organisations are able to anticipate disruptions to critical services, cope when they occur, and adapt learnings back into the system.

That is a data and information governance challenge, not a firewall question.

You cannot anticipate disruption to a service you have not properly identified and catalogued. You cannot cope with an incident if your data about who-did-what-when-to-which-system is patchy or missing entirely. And you cannot adapt if you lack the organisational memory and sense-making capacity to turn an incident into a lesson learned rather than a lesson repeated.

Ashby’s Law of Requisite Variety, for those who enjoy their cybernetics with their coffee, tells us that the variety of a control system must match the variety of the system it is controlling. Your NIS2 governance response must therefore match the complexity of your actual data and information estate. Not the simplified version of it that lives in a spreadsheet on someone’s laptop and was last updated two reorganisations ago.

(Which is, incidentally, why buying a shiny new SIEM platform is not, in fact, an NIS2 strategy. Just like buying a consent management platform wasn’t a GDPR strategy and buying Collibra isn’t a data governance strategy).

So what actually works?

We have been advising clients to approach NIS2 in precisely the same way we have been advising them to approach the AI Act, GDPR, and the rest of the regulatory chorus. It is a strand of an integrated data governance programme, underpinned by a clear data strategy that is in turn aligned to the organisation’s strategy.

I wrote some years back that data strategies exist to help organisations navigate both the practical icebergs (access control, change control, technology, architecture) and the political icebergs (accountability, culture, the distribution of power). NIS2 does not change that calculus. It sharpens it. The icebergs have gotten a bit bigger. The margin for error has gotten a lot smaller. And the captain of the ship is now personally liable for steering. And everyone’s panicking that they might be on the Titanic.

Connect the Dots with Fundamental Questions

An integrated approach to NIS2 doesn’t start with a gap analysis against Article 21 (though you will need one of those eventually). It starts with three antecedent questions:

  1. What are our critical services, and what is the data and information environment that underpins them? This is not a CISO question. It is a strategic question that joins information, operations, risk, and the Board. What breaks when the data breaks? Who gets impacted? What really matters?
  2. How do our existing governance structures for data protection, data quality, records management, AI, change, third-party management, etc., relate to what NIS2 is asking of us? In most of the organisations we work with, a large amount of what NIS2 demands is either already being done for another reason or is an extension of something already being done. The work is integration, not reinvention; exposure and promotion, not creation. By taking a holistic view and looking for overlaps, the change and challenge can become incremental rather than insurmountable.
  3. Where is our governance actually brittle? NIS2’s enforcement model, with its personal liability and its emphasis on management body oversight, punishes governance theatre. A policy that nobody in operations has ever heard of will not survive a competent authority’s audit. And there’s a good chance neither will the director who signed it off. Governance-on-Paper needs to match Governance-in-Practice. But it always needed to. There’s just a stick now for in-scope entities.

That last point is where the “human factors” thread in our research and advisory work at Castlebridge becomes very practical very quickly. Governance that exists only on paper is not resilient governance. It is, to borrow a phrase from my hero Eric Morecambe, “playing all the right notes, just not necessarily in the right order”.

The costumes change. The song does not.

The opening chord of every regulatory moment of the past quarter-century has been a version of the same refrain: data matters, govern it properly, treat it as a critical asset. We have sung it under the titles Data Quality, Data Governance, GDPR, Data Ethics, AI Governance, and now NIS2 and cyber resilience. The costumes change. The song does not.

The organisations that will thrive under NIS2 will not be the ones that treat it as a project to be survived. They will be the ones that use it as yet another reason to finally take seriously the idea that their data, their information systems, and the people who operate them are among the most critical assets they own.

If “here we go again, more regulation” is where you are starting from, you are not wrong. You are just behind. The regulation is not the thing. The governance of data as a critical asset to deliver services, create value, or produce outcomes for people in society is. It always has been.

And for what it is worth: it always will be.


Castlebridge has been helping organisations govern data as a critical asset since 2009. You can browse our Insights on data strategy and governance, or get in touch to talk about how we can help you integrate NIS2 into your existing data governance programme rather than building it from scratch.
