For many Chief Information Security Officers (CISOs) and IT managers, the first encounter with the NIS2 directive resembles a collision with an iceberg. The enormity of the regulations, the wide range of responsibilities, the stringent deadlines and the threat of gigantic financial penalties can all be overwhelming and lead to a sense of helplessness. The natural reflex is to see NIS2 as just another bureaucratic monster that will add work and stress, with nothing in return but the threat of penalties.
This approach, while understandable, is a strategic mistake. Experienced security leaders know that any such regulation can be viewed in two ways: as an onerous obligation or as an unprecedented opportunity. NIS2, because of its reach and emphasis on board accountability, is perhaps the most powerful tool security professionals have received in a decade to finally get their message through to top management.
This is no longer another budget request for “some firewalls.” It’s a conversation about compliance, business risk and, most importantly, the personal liability of managers. The key to success is to change the narrative. You need to stop being a technical expert asking for money and become a strategic advisor who shows management how to steer the company safely through rough new regulatory waters.
Shortcuts
- Why does the first look at NIS2 cause mostly headaches for IT and security departments?
- How do you change your perspective from “another onerous chore” to “the best opportunity in a decade”?
- What is FUD (Fear, Uncertainty, Doubt) and how to ethically use it when talking to management?
- Why is the risk analysis required by NIS2 your most important argument in the budget battle?
- How do you translate abstract vulnerabilities into tangible financial losses understood by the CFO?
- How to “sell” OT security to management: 3 key strategies
- How to link each security project to a specific article of the directive to make it “essential”?
- How can we use NIS2 to finally get funding for fundamental projects like resource inventory?
- How does NIS2 become an excuse to create a steering committee and break down IT/OT silos?
- Why present the board with a multi-year roadmap to compliance rather than a shopping list?
- How to justify investments in training and team development based on NIS2 requirements?
- How do you report progress to maintain board commitment and continuity of funding?
- Is NIS2 the end of the world or the beginning of a new era for cyber security in your organization?
- How can nFlo help you build a strategy and business case for your NIS2 compliance program?
Why does the first look at NIS2 cause mostly headaches for IT and security departments?
The first reaction to NIS2 is often frustration, as the directive exposes all the years of neglect and problems in the security area, especially at the interface between IT and OT. The list of requirements - from risk analysis to incident management to supply chain security - is a de facto list of all the fundamental projects that until now “there was no time,” “no budget” or “couldn’t get along with production.”
Security professionals look at this list and see the enormous amount of work that needs to be done, often with unchanged resources. They see the need to confront problems that have been pushed aside until now: lack of resource inventory, flat network architecture or lack of formal procedures. This sense of overwhelm is natural.
Moreover, NIS2 is written in legal rather than technical language. Translating general requirements, such as “implementing appropriate and proportionate measures,” into specific technological and organizational projects is a major challenge in itself. All this makes for a negative first impression - we see NIS2 as a list of problems, not a list of solutions.
How do you change your perspective from “another onerous chore” to “the best opportunity in a decade”?
The key to success is a 180-degree mental shift. You need to stop looking at NIS2 as a to-do list and start seeing it as an external, irrefutable business case for everything you’ve wanted to do for a long time anyway. The NIS2 directive is your new best friend when talking to your board and CFO.
Until now, when you asked for a budget for OT network segmentation, you had to explain complicated technical risks. Now you can say, “We need to implement segmentation because it’s a key risk management measure that Article 21 of the NIS2 Directive requires us to do, and non-compliance risks fines of up to €10 million.” This completely changes the dynamics of the conversation.
NIS2 moves the security discussion from the technical level of “it would be nice to have” to the strategic level of “we must have in order to be legally compliant and avoid liability.” Your role shifts from “asker” to “advisor” who helps the company and its management avoid serious legal and financial problems. This is the strongest negotiating position you’ve ever had.
What is FUD (Fear, Uncertainty, Doubt) and how to ethically use it when talking to management?
FUD, or Fear, Uncertainty and Doubt, is a frequently criticized tactic in marketing. However, in the risk conversation, ethical and fact-based use of these emotions is not only acceptable, but necessary to cut through the information noise and draw decision-makers’ attention to the seriousness of the situation.
The NIS2 directive provides you with powerful, fact-based arguments that naturally build a sense of urgency. You no longer have to scare people with hypothetical hackers. You can talk about concrete consequences written into the law. Fear comes from the threat of gigantic financial penalties and personal liability. Uncertainty comes from the complexity of the directive itself and questions of “are we sure we’re doing everything we need to do?” Doubt comes from whether current, underfunded safeguards can meet the new requirements.
The ethical use of FUD means that you do not merely present the risks, but immediately follow them with a clear plan to mitigate them. Your goal is not to paralyze the board with fear, but to motivate them to act by showing that there is a safe and well-thought-out path to compliance. Your proposal then becomes the solution to a problem that you yourself have defined.
Why is the risk analysis required by NIS2 your most important argument in the budget battle?
The NIS2 directive says that the security measures you implement must be based on risk analysis. This seemingly simple sentence is your most powerful weapon. It means that the first, mandatory step is to conduct a formal, documented risk assessment for your entire OT environment. And the results of this assessment become the objective, irrefutable foundation for all your subsequent budget requests.
Instead of a subjective opinion of “I think we should hedge this,” you present the board with a formal document that says: “The risk analysis, conducted in accordance with NIS2 requirements, has identified risk R1 with a potential financial impact of X million zlotys. The recommended countermeasure is a P1 project with a cost of Y.”
Such an argument is extremely difficult to refute. For management to refuse funding for a project that mitigates formally identified and documented risks would amount to deliberately ignoring legal requirements and taking on enormous liability in the event of an incident. Risk analysis turns your requests into logical, businesslike recommendations.
How do you translate abstract vulnerabilities into tangible financial losses understood by the CFO?
The chief financial officer (CFO) thinks in the language of numbers, cash flow and return on investment. Talking to him about “buffer overflow vulnerabilities” is completely pointless. To win his support, you must learn to translate technical risks into their potential financial consequences. Business impact analysis (BIA), part of risk analysis, is an ideal tool for this.
Instead of talking about a gap in the SCADA system, talk about what happens when that gap is exploited. Calculate how much one hour of downtime costs for a key production line that this system controls. Multiply that by the estimated time it takes to restore the system after an attack. Add to that the potential contractual penalties for late deliveries and the cost of the incident response team.
By presenting these numbers, you completely change the context of the conversation. An investment in securing a SCADA system ceases to be a cost. It becomes an investment in risk reduction (Risk Reduction Investment). You show that by spending 100K on a security project, the company avoids a potential multi-million dollar loss. This is language that every CFO understands very well.
How to “sell” OT security to management: 3 key strategies
| Strategy | Description | Example of the message |
|---|---|---|
| 1. Speak the language of compliance and risk | Instead of asking for technology, present projects as necessary actions to achieve compliance and mitigate documented business risks. | “In order to meet the requirement of Article 21 of NIS2 and reduce the identified risk of X amount of downtime, we need to implement a network segmentation project.” |
| 2. Tie each cost to a requirement | Each element of the budget proposal should be directly linked to a specific requirement of the directive. | “The investment in the PAM system is necessary to fulfill the obligation to secure the supply chain and remote access.” |
| 3. Emphasize personal responsibility | In a tactful but unambiguous manner, remind them of the legal and financial consequences that the directive personally imposes on executives. | “The implementation of this plan is key to documenting the due diligence that we as a board are now personally responsible for.” |
How to link each security project to a specific article of the directive to make it “essential”?
When creating a budget request or presentation to the board, don’t present a list of tools. Instead, present a list of NIS2 requirements and show what projects are needed to implement them. This structure completely changes the perception of your proposals.
Instead of asking for “purchase of a SIEM system,” create an item for “Implementation of the Incident Handling and Reporting Obligation (Articles 21 and 23),” and within it explain that the necessary tool for this is a SIEM-class system that allows for the central collection and analysis of logs. Instead of asking for “awareness training,” create an item for “Implementation of the duty of cyber security training and hygiene (Art. 21).”
This approach means that the discussion is no longer about “do we need this tool,” but about “how to best and most effectively meet this particular legal requirement.” You, as the expert, present a recommended solution. Any project that is directly related to the letter of the law gains priority status and becomes much harder to reject.
How can we use NIS2 to finally get funding for fundamental projects like resource inventory?
Any OT security specialist knows that no meaningful protection can be built without having a complete inventory of assets. At the same time, this is one of the most difficult projects to fund, because its direct return on investment is difficult to demonstrate. NIS2 gives you the perfect argument for this.
You can now tell the board directly: “The NIS2 directive requires us to perform risk analysis, vulnerability management, supply chain protection and business continuity planning. We can’t fulfill any of these responsibilities if we don’t know what resources we have on our network. Therefore, the first, absolutely fundamental step to compliance is to implement an inventory project.”
In this way, a project that until now has been seen as a “technical fad” becomes a cornerstone and prerequisite for the entire NIS2 compliance program. Investment in passive monitoring tools becomes inevitable.
How does NIS2 become an excuse to create a steering committee and break down IT/OT silos?
As described in a previous article, breaking down the barriers between IT and OT is critical to success. However, many companies lack the impetus and mandate to do so. NIS2 is the perfect excuse to create such a mandate.
You can address the board with the following message: “The NIS2 directive imposes responsibilities that apply to both IT and OT systems, and the responsibilities are shared. In order to effectively manage this program and avoid chaos, it is absolutely necessary to establish a formal cross-functional steering committee as a platform for cooperation and decision-making.”
Citing a legal requirement and the need for central oversight of compliance is a much stronger argument than general slogans about “the need for cooperation.” NIS2 gives you a formal reason to force conflicting departments to meet regularly and work together, with the blessing and supervision of the board itself.
Why present the board with a multi-year roadmap to compliance rather than a shopping list?
Management thinks in terms of strategies, plans and multi-year budgets. Presenting it with a haphazard “shopping list” for the next quarter is ineffective and short-sighted. A much better approach is to develop a strategic, multi-year roadmap that shows how the company, step by step, will get to full NIS2 compliance.
The roadmap should be divided into phases, for example, over 2-3 years. Phase one can focus on fundamental activities (committee formation, risk analysis, inventory). Phase two on preventive actions (segmentation, hardening). Phase three on advanced activities (monitoring, incident response).
Such a roadmap shows management that you have a well-thought-out, long-term strategy, not just a list of immediate needs. It allows you to stagger your investments and plan them over successive budget cycles. It also gives the board a sense of control and predictability, which greatly increases the chance that the entire program will be approved.
How to justify investments in training and team development based on NIS2 requirements?
NIS2 also places a strong emphasis on the human factor, requiring companies to provide adequate training for personnel and to maintain competence in incident response. This is another excellent argument to use.
You can now justify investments in specialized training for the security team and OT engineers, arguing that they are necessary to build the internal competencies required by the directive. You can also use NIS2 to get a budget for security awareness programs for all employees, showing that this is one of the basic organizational measures required by the law.
What’s more, the requirement to have an incident response capability is a great justification for investing in “tabletop” exercises or even building an internal CSIRT team. Any investment in people, which until now might have been seen as a “soft” cost, now becomes a hard regulatory requirement.
How do you report progress to maintain board commitment and funding continuity?
Getting the initial budget is only half the battle. It is equally important to keep the board engaged and ensure continued funding in subsequent years. The key to this is regular and transparent reporting of progress.
Create a simple, easy-to-understand dashboard that shows the progress of the roadmap to NIS2 compliance. Use simple indicators and visualizations (e.g., pie charts showing the percentage of compliance achieved in a given area). Present these results regularly at steering committee meetings and in reports to the board.
Such proactive communication shows that you take the money entrusted to you seriously and that the program is producing tangible results. It builds trust and facilitates conversations about budgeting for the next phases of the project. It also shows management that their investment is realistically reducing risk and builds documented evidence of due diligence.
Is NIS2 the end of the world or the beginning of a new era for cyber security in your organization?
The initial trepidation and frustration over the enormity of the work NIS2 imposes is understandable. But upon deeper analysis, the directive appears as an unprecedented opportunity. It’s a powerful, external impetus that can help you finally realize the projects and changes you know are necessary, but for which, until now, the arguments and political will have been lacking.
NIS2 gives you the legitimacy to talk to management at the highest, strategic level. It gives you arguments to fight for a budget that no one can ignore. It gives you an excuse to build bridges and break down barriers that have stymied progress for years.
Ultimately, it’s up to you how you use this opportunity. You can treat NIS2 as a bureaucratic necessary evil and try to achieve compliance at minimal cost, putting out fires and remaining in reactive mode. Or you can treat it as the beginning of a new era - as a mandate to make a fundamental transformation and build a mature, proactive and integrated digital risk management culture in your company.
How can nFlo help you build a strategy and business case for your NIS2 compliance program?
At nFlo, we understand full well that the road to NIS2 compliance is not just a technical challenge, but more importantly a strategic and organizational one. We know how difficult it can be to translate the language of the directive into a concrete action plan and to convince the board of directors. That’s why our role as an advisor goes beyond technology implementation - we help build effective strategies and solid business cases.
Our consultants work with your team to conduct a risk analysis and business impact analysis (BIA), the results of which will become the foundation of your argument. We help you develop a multi-year, realistic roadmap to compliance that clearly outlines milestones, required investments and expected results.
Most importantly, we support you in the process of communicating with management. We help you prepare professional presentations, executive dashboards and business cases that speak a language that your CFO and board of directors can understand. Our goal is to equip you with the tools and arguments that will allow you to effectively use NIS2 as leverage for real and positive change in your organization.