Most NIS2 delays are operational: missing evidence, unclear ownership, weak process integration, and late governance decisions. ACN guidance provides enough structure to prevent these issues if organizations implement controls and documentation in parallel.
Key takeaways
- Compliance fails more often on execution quality than on framework understanding.
- Risk-based clauses require documented rationale, not informal interpretation.
- Meeting the 24h/72h notification deadlines depends on pre-agreed evidence checkpoints and on roles that are staffed and rehearsed before an incident occurs.
- Governance approvals and evidence governance must be planned early.
Frequent mistakes and corrective actions
| Common mistake | Typical impact | Practical correction |
|---|---|---|
| Late evidence collection | Missing proof at audit checkpoints | Build evidence-by-design from project start |
| Undefined role ownership | Escalation delays and execution ambiguity | Assign named owners and substitutes per process |
| Weak risk rationale documentation | Non-defensible control scope decisions | Formalize risk justification and approval records |
| Delayed policy/governance approvals | Process rollout blocked | Calendar governance approvals in program baseline |
| Notification workflow untested | 24h/72h deadlines at risk | Run simulation drills and fix bottlenecks |
| No improvement loop | Recurring operational failures | Enforce post-incident reviews and tracked remediation |
90-day anti-error checklist
- Build a control-to-evidence matrix and assign document owners.
- Confirm governance approvals for required plans and policies.
- Test notification and escalation pathways under realistic timing constraints.
- Add mandatory rationale fields for risk-based deviations.
- Track corrective actions from lessons learned through closure.
Timing controls that are often missed
| Requirement timing | Typical mistake | Control check |
|---|---|---|
| 24 hours from becoming aware of the incident (pre-notification) | Pre-notification process not ready when the clock starts | Validate on-call duty coverage and the trigger criteria that define "becoming aware" |
| 72 hours from becoming aware of the incident (notification) | Incomplete notification package | Test the minimum evidence package before an incident, not during one |
| January 2026 (first-application 9-month milestone) | Teams still treating notification as a future task | Operate a live 24h/72h notification control model now |
| October 2026 (first-application 18-month milestone) | Baseline measures rollout starts too late | Track baseline-measure milestones monthly through October 2026 |
| At least every 2 years for incident-management-plan review | Plan left stale after changes | Add cyclical review task with accountable owner |
| 3 reportable significant-incident types for important entities and 4 for essential entities during first application | Misclassification of reportable events | Keep the classification matrix in the incident runbooks and test it in drills |
Conclusion and next steps
Most avoidable NIS2 failures come from weak execution discipline, not from missing legal text. With incident notification already live and baseline measures due in October 2026, teams should treat timing controls as active governance KPIs, not as future planning notes.
FAQ
Is documentation quality really a top compliance risk?
Yes. Guidance repeatedly links conformity to documentary evidence and traceability.
Can operational drills be postponed until just before deadlines?
This materially increases deadline risk. Drills should occur early enough to remediate process defects.
What is the fastest way to reduce avoidable errors?
Establish clear ownership, auditable evidence governance, and recurring management reviews.
Related reading
- NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations
- NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now
- NIS2 KPIs and continuous improvement: operational metrics for resilient compliance
- Aegister NIS2 Compliance Service
- Free NIS2 Assessment