NIS2 Directive: A Battle of the Ego that Can Cost Your Company Dearly

NIS2 is not regulatory news, but a business reality. For many companies, how they approach compliance will determine whether it becomes a strategic advantage or a costly bureaucratic exercise. However, a dangerous schism is already clearly visible in the market, which threatens the very core of this process.

There is a silent conflict in the market that is already shaping the success or failure of compliance with the NIS2 Directive and national cybersecurity laws. On the one hand, there are experts deeply immersed in technology, convinced that only their technical approach is valid. Their expertise is unquestionable, but the perspective often remains closed within technical frameworks, and in their vision, technology is both the beginning and the end of alignment.

On the other hand, there are security veterans, skilled in performing and building authority, but often tied to the patterns of past decades. Their authority and knowledge of the regulatory framework are also unquestionable, but excessive dependence on "proven patterns" often keeps them in their comfort zone and distances them from adapting to new business realities.

Both camps believe that they are the key to the solution. Meanwhile, the process of alignment with NIS2 is increasingly turning into a battle of egos, instead of a strategic project that leads the administration in the right direction.

Instead of the two groups joining forces, there is animosity between them that is gradually undermining the very foundations of the alignment process.

These two worlds rarely find a common language. Instead of cooperation, we are witnessing a silent struggle over whose approach prevails, losing sight of what should be at the heart of the law: real, measurable security and business resilience. In such a situation, it is the management that must take the leading role.

The question is where your company will end up in that story, because such conflicts are not benign.

NIS2 is not primarily a technical issue. This is a business-organizational-technical challenge. If these two camps are not combined into a single strategy, the responsibility and consequences will remain with those who run the company. A good compliance process does not occur when the IT department writes a technical specification, nor when the security department recycles existing procedures. It occurs when management takes ownership of a process and ensures that technology and processes work together to support business goals.

Compliance with NIS2 is neither a checkbox obligation nor a one-time project. It is a transition in the way of working that incorporates technology as a tool, processes as a framework, a culture of security as part of day-to-day operations, and risk management as the foundation of decision-making. Success does not come from choosing "the best technology" or "the most experienced consultant", but from the ability to connect all these components into a coherent whole that works in a real business environment.

Consider how this can play out in a medium-sized manufacturing company where the technical team insists on introducing a new incident management platform, while experienced security professionals claim that the existing system is good enough, "because that's how it has been working for the last 15 years". They will spend three months arguing instead of implementing. The deadline for the regulatory report will be missed, and the management will only find out when the first official warnings arrive.

In a large logistics firm, traditionalists will convince management that "this is not the time" for a serious change in systems access policies because it would provoke resistance from employees. In parallel, the technical team will initiate changes in the password system on its own initiative. The result will be that half of the company will not be able to access critical applications for three days, and suppliers will be left without up-to-date data on deliveries. Clients will not see the technical context, only delays and uncertainty.

Such conflicts result in the postponement of key decisions, fragmented plans, and the depletion of resources. Projects stretch out months longer than planned, and management faces contradictory advice. Some claim that it is going "too slowly and conservatively", others that it is going "too fast and without proven procedures". Instead of a single strategy, the company gets a set of unrelated initiatives that do not create real security, but create a false sense that the job has been done.

The consequences are not only regulatory. Partners and customers quickly recognize uncertainty in processes. They begin to question the reliability of services, the quality of products, and the company's ability to react in a crisis. Internal tensions further consume energy and budgets that should be focused on real threats and business opportunities.

Ultimately, NIS2 turns into a testing ground for proving who is "right", instead of an instrument for building resilience and competitive advantage. Companies that let the battle of egos dictate the rhythm of compliance run the risk of finding themselves completely unprepared when the first serious incident knocks on the door. And then the story is no longer reduced to technicians or traditionalists, but to the question of leadership and who allowed internal conflicts to prevail over common sense.

Those who will come out of this situation stronger are not necessarily those with the most sophisticated technology or the longest list of security procedures, but those who will have the courage to break the ego battle and direct all stakeholders towards a single goal. Because NIS2 is not a technical document. It is a litmus test of the maturity of your organization and your ability to recognize that security is not built from either trench, but from a common headquarters.