NIS2 | Cyber Governance | 6-minute read | May 2026

A NIS2 Programme Should Leave an Operating Model Behind

When a NIS2 programme closes, the steering committee stands down and the programme team disperses. The regulatory obligations continue: controls require ongoing evidencing, risk assessments require refresh, the incident notification capability requires testing, and the management body requires compliance reporting. These functions must be designed, owned and handed over before the programme closes.

For senior leaders in NIS2 in-scope organisations, the question to ask of a running programme is whether it will deliver an operating model alongside the remediation measures. A programme scoped only to close gaps will leave the compliance position degrading from the point it closes.

What NIS2 requires beyond a point in time

Organisations typically run their NIS2 work as a bounded initiative: a gap assessment, remediation workstreams and a steering committee that closes when the workstreams are complete. That structure is well suited to the remediation phase. Sustaining the compliance position it achieves requires governance, ownership and review cycles that persist after the initiative ends.

Supervisory authorities under NIS2 may require evidence that measures are effective and current, particularly during inspections, supervisory reviews or following an incident. What they assess is the organisation's present compliance posture, not the position recorded at programme close. An organisation that closed a programme but built no mechanism for maintaining the position it achieved will find it difficult to demonstrate adequacy.

What the operating model must include

At least seven areas must be owned and operating before the programme team disperses.

Risk assessment
The programme risk assessment is a point-in-time view. The operating model should define when it is refreshed, who owns it, and how changes feed into the gap register.

Gap register
The gap register does not close when the programme does. Items carried at close remain tracked, and new findings from reviews, incidents or regulatory change are added on the same basis.

Control effectiveness
Approved controls degrade without monitoring. The operating model should define who assesses them, at what frequency, and what triggers an out-of-cycle review.

Incident readiness
Article 23 requires notification within tight timeframes. The capability to detect, classify, escalate and notify must be tested annually, because staff change, systems evolve and contact details go out of date.

Supply chain
Article 21 covers security in supplier relationships. The operating model should define how supplier risk is reassessed periodically and how the currency of supplier certifications is monitored.

Regulatory change
National transpositions continue to evolve. The operating model should assign responsibility for tracking regulatory developments and feeding new obligations into the gap register.

Board reporting
Article 20 requires ongoing management body oversight. The reporting cycle, content and accountability should be defined before programme close and maintained as a standing governance function.

How to scope the programme to deliver this

The operating model should be a programme deliverable, scoped from the outset and built in parallel with the remediation workstreams. An organisation that defers this design to programme close will not have the governance attention or the programme structure to do it properly.

Each function that will operate after programme close needs to specify three things: who is accountable and on what reporting line, how performance is evidenced, and what triggers a review. The programme should answer these questions for each function before it closes.

What the management body approves at programme close should include the operating model alongside the remediation measures. Both require formal approval. Both will require ongoing oversight.

How this affects your organisation

For C-level executives in NIS2 in-scope organisations, a programme that closes the identified gaps but delivers no operating model has produced an incomplete result. The compliance position will begin to degrade from the point at which no one is responsible for maintaining it.

The programme brief should include the operating model as an explicit deliverable. The steering committee that approves the programme plan should satisfy itself that the operating model is in scope, adequately resourced and designed to be handed over before the programme closes.
