Sample — Reading NIS2 readiness as a budget, not a checklist
Sample blog post — clearly marked. Demonstrates the /blog pipeline shared with /research (same card + article layout, minus CVE/severity).
This is a sample post shipped with the Phase 5 build so the blog pipeline can be inspected alongside the research pipeline. Replace the folder with real CISO/GRC writing when the section launches.
Treat NIS2 as a budget
The most common mistake on NIS2 engagements is reading the directive as a checklist of controls. It isn’t. It’s a budget — the regulator sets the upper bound on the risk you’re allowed to accept, and the controls are how you spend that budget down.
A budget framing changes three things:
- Scoping becomes a one-time conversation, not a quarterly fight
- Investment goes to the highest-leverage controls first
- Audit prep falls out of normal operations instead of being a project
The three numbers an auditor will ask for
Every NIS2 audit you’ll see comes back to the same three numbers. Have them ready before the engagement starts.
incidents:
- count_24h: integer # incidents detected within 24h of occurrence
- count_72h_reported: integer # of those, reported to ANSPDCP within 72h
- mttr_minutes: integer # median time to remediation
If those three numbers aren’t instrumented, the rest of your evidence folder is decoration.
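An added example, not code from the post, of instrumenting those three numbers from incident records in Python. The incident records are constructed, and the field names, the choice to start the 72h reporting clock at detection, and measuring MTTR from detection to remediation are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Incident:
    occurred: datetime              # when the incident actually began
    detected: datetime              # when the SOC first recorded it
    reported: Optional[datetime]    # notification sent to the authority, if any
    remediated: Optional[datetime]  # containment/fix confirmed, if any


def nis2_numbers(incidents: list[Incident]) -> dict:
    """Return the three audit numbers: count_24h, count_72h_reported, mttr_minutes.

    Assumptions (mine, not the post's): the 72h reporting clock starts at
    detection, and MTTR is the median detection-to-remediation time over
    incidents that have actually been remediated.
    """
    detected_24h = [i for i in incidents
                    if i.detected - i.occurred <= timedelta(hours=24)]
    reported_72h = [i for i in detected_24h
                    if i.reported is not None
                    and i.reported - i.detected <= timedelta(hours=72)]
    mttr = [(i.remediated - i.detected).total_seconds() / 60
            for i in incidents if i.remediated is not None]
    return {
        "count_24h": len(detected_24h),
        "count_72h_reported": len(reported_72h),
        "mttr_minutes": int(median(mttr)) if mttr else None,
    }


def sample_incidents() -> list[Incident]:
    """Constructed records covering the edge cases an auditor will probe."""
    t0 = datetime(2024, 3, 1, 9, 0)
    h = timedelta(hours=1)
    m = timedelta(minutes=1)
    return [
        # detected in 2h, reported 18h after detection, fixed in 90 min
        Incident(t0, t0 + 2 * h, t0 + 20 * h, t0 + 2 * h + 90 * m),
        # detected three days late: fails the 24h gate but still counts for MTTR
        Incident(t0, t0 + 72 * h, t0 + 80 * h, t0 + 76 * h),
        # detected fast but reported 96h after detection: fails the 72h gate
        Incident(t0, t0 + 1 * h, t0 + 97 * h, t0 + 1 * h + 30 * m),
        # detected fast, never reported, not yet remediated: excluded from MTTR
        Incident(t0, t0 + 30 * m, None, None),
    ]


if __name__ == "__main__":
    print(nis2_numbers(sample_incidents()))
```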
What to skip
- Long policy documents nobody reads — a five-page incident playbook beats a fifty-page policy
- Vendor questionnaires sent in bulk — three real conversations beat thirty PDFs
- Tabletop exercises without a recorded outcome — if it didn’t ship a remediation, it didn’t happen
The directive itself is short. The hard part is staying short alongside it.