NIS2 · Cyber Governance · 6-minute read · Marcin Pajdzik · June 2026

A NIS2 Programme Should Leave an Operating Model Behind

When a NIS2 programme closes, the steering committee stands down and the programme team disperses. The regulatory obligations continue: controls require ongoing evidencing, risk assessments require refreshing, the incident notification capability requires testing, and the management body requires compliance reporting. These functions must be designed, owned and handed over before the programme closes.

For senior leaders in NIS2 in-scope organisations, the question to ask of a running programme is whether it will deliver an operating model alongside the remediation measures. A programme scoped only to close gaps will leave the compliance position degrading from the point it closes.

NIS2 is a standing obligation

Supervisory authorities can require essential and important entities to produce evidence that their security measures are effective and current. That obligation is not tied to a programme cycle. An inspection, a targeted audit or a significant incident can trigger it at any point.

Without an operating model in place, the compliance position starts to degrade from the point the programme closes. Risk assessments become stale. Controls approved at programme close are not monitored for effectiveness. The incident notification capability drifts as staff change and systems evolve. A supervisory review conducted a year after programme close will reflect a year of drift.

What the operating model must include

At least seven areas must be owned and operating before the programme team disperses.

Risk assessment
The programme risk assessment is a point-in-time view. The operating model should define when it is refreshed, who owns it, and how changes feed into the gap register.
Gap register
The gap register does not close when the programme does. Items carried at close remain tracked, and new findings from reviews, incidents or regulatory change are added on the same basis.
Control effectiveness
Approved controls degrade without monitoring. The operating model should define who assesses them, at what frequency, and what triggers an out-of-cycle review.
Incident readiness
Article 23 requires notification within tight timeframes. The capability to detect, classify, escalate and notify must be tested annually, as staff change, systems evolve and contact details update.
Supply chain
Article 21 covers security in supplier relationships. The operating model should define how supplier risk is reassessed periodically and how certification currency is monitored.
Regulatory change
National transpositions continue to evolve. The operating model should assign responsibility for tracking regulatory developments and feeding new obligations into the gap register.
Board reporting
Article 20 requires ongoing management body oversight. The reporting cycle, content and accountability should be defined before programme close and maintained as a standing governance function.

Scoping for sustained compliance

The operating model should be a programme deliverable, scoped from the outset and built in parallel with the remediation workstreams. An organisation that defers this design to programme close will lack the governance attention and programme structure to produce an adequate result.

Each function that will operate after programme close needs to specify three things: who is accountable and on what reporting line, how performance is evidenced, and what triggers a review. The programme should answer these questions for each function before it closes.

What the management body approves at programme close should include the operating model alongside the remediation measures. Both require formal approval. Both will require ongoing oversight.

How this affects your organisation

For C-level executives in NIS2 in-scope organisations, a programme that closes the identified gaps but delivers no operating model has produced an incomplete result. The compliance position will begin to degrade from the point at which no-one is responsible for maintaining it.

The management body's accountability under Article 20 does not stand down when the programme does. Ongoing oversight of cybersecurity risk management is a formal obligation. A management body that approved a programme plan without the operating model in scope has approved an incomplete response to that obligation.
