NIS2 is a standing obligation
Supervisory authorities can require essential and important entities to produce evidence that their security measures are effective and current. That obligation is not tied to a programme cycle. An inspection, a targeted audit or a significant incident can trigger it at any point.
Without an operating model in place, the compliance position starts to degrade from the point the programme closes. Risk assessments become stale. Controls approved at programme close are not monitored for effectiveness. The incident notification capability drifts as staff change and systems evolve. A supervisory review conducted a year after programme close will reflect a year of drift.
What the operating model must include
At least seven areas must be owned and operating before the programme team disperses.
- Risk assessment: The programme risk assessment is a point in time view. The operating model should define when it is refreshed, who owns it, and how changes feed into the gap register.
- Gap register: The gap register does not close when the programme does. Items carried at close remain tracked, and new findings from reviews, incidents or regulatory change are added on the same basis.
- Control effectiveness: Approved controls degrade without monitoring. The operating model should define who assesses them, at what frequency, and what triggers an out-of-cycle review.
- Incident readiness: Article 23 requires notification within tight timeframes. The capability to detect, classify, escalate and notify must be tested annually, as staff change, systems evolve and contact details update.
- Supply chain: Article 21 covers security in supplier relationships. The operating model should define how supplier risk is reassessed periodically and how certification currency is monitored.
- Regulatory change: National transpositions continue to evolve. The operating model should assign responsibility for tracking regulatory developments and feeding new obligations into the gap register.
- Board reporting: Article 20 requires ongoing management body oversight. The reporting cycle, content and accountability should be defined before programme close and maintained as a standing governance function.
Scoping for sustained compliance
The operating model should be a programme deliverable, scoped from the outset and built in parallel with the remediation workstreams. An organisation that defers this design to programme close will lack the governance attention and programme structure to produce an adequate result.
Each function that will operate after programme close needs to specify three things: who is accountable and on what reporting line, how performance is evidenced, and what triggers a review. The programme should answer these questions for each function before it closes.
The management body's approval at programme close should cover the operating model alongside the remediation measures. Both require formal approval. Both will require ongoing oversight.