Last Friday, Portugal approved the legal framework transposing Directive (EU) 2022/2555 (NIS2). An important step, no doubt. But the real question is: what happens now?
My opinion is clear: most organizations are not prepared. And it is not a matter of being unaware of the Directive or of the standards to which they are subject. The problem runs deeper – compliance is being confused with resilience.
The financial sector, already subject to the Digital Operational Resilience Act (DORA), shows a higher level of maturity. In the other critical sectors the gap is evident. Many public and private organizations have never tested a single real crisis scenario. They do not know their maximum tolerable downtime, nor the recovery time and recovery point objectives (RTO and RPO) of their critical services. They lack documented recovery plans and, above all, they lack a culture of Information Security and Cybersecurity.
NIS2 is not fulfilled merely through policies or audit reports. Article 21 of the Directive lists business continuity, backup management, disaster recovery and crisis management among the risk-management measures an entity must implement, and it also requires procedures to assess whether those measures actually work. Stating that a plan exists is therefore not enough; what matters is to demonstrate that it works. And such proof only exists when an organization simulates an attack, measures recovery time against the objectives it has set, and has its teams execute the Business Continuity plan under real failure conditions.
There is another common mistake: believing that tools are enough. The truth is that, at the critical moment, they may fail, or may themselves be the first casualty of the incident, as when backups are encrypted alongside production or the identity provider everyone depends on is unavailable. When that happens, only processes and people bring operations back online. That is why Business Continuity is not only reactive but also proactive: it prepares the organization to prevent incidents and, since some will inevitably occur, to face them when they do.
At Balwurk, we believe this is the time to integrate three dimensions that are rarely addressed together: Governance and Compliance, Application Security, and Business Continuity. Without this cross-cutting view, NIS2 risks becoming nothing more than an administrative exercise, with no real impact on business operations.
Experience shows that the most effective cycle is a simple one. It starts with a Business Impact Analysis to identify the truly critical processes and assets and to set recovery objectives for each. It evolves into Continuity Plans that translate those priorities into concrete scenarios, with owners, dependencies and recovery steps. It involves regular testing that puts teams to the test and measures actual recovery times against the objectives set in the analysis. And it gains consistency when it is embedded into organizational culture, through continuous training and awareness of all employees.
Application security cannot be overlooked. A continuity plan restores service; it does not close the hole that caused the outage. A system rebuilt from backup with the same vulnerability still present is simply waiting to be compromised again. Integrating practices such as Threat Modeling, Penetration Testing, and Vulnerability Management into the development cycle is essential to ensure that software is not the weakest link in compliance.
The same applies to the supply chain. No organization is more resilient than its critical partners. NIS2 explicitly names supply chain security, including the security aspects of the relationship between an entity and its direct suppliers and service providers, as a required risk-management measure. Here too, signing contracts is not enough; third parties must be assessed, audited, tested, and their controls validated.
Finally, culture. Perhaps the most decisive factor of all. An organization may invest in cutting-edge technology and sophisticated processes, but if its employees are not aware of the risks, and do not know how to act at the moment of crisis, the entire system collapses. The cultural shift required by NIS2 is not cosmetic; it is structural.
Portugal has now taken the long-awaited legislative step. But the transposition of the directive alone does not solve the security challenges. The real test begins the day an organization is called upon, either by regulators or by a real attack, to prove that it is ready. And only those that have integrated practices, processes, people, and culture will succeed.
NIS2 is an opportunity to raise the level of resilience of the national economy. But only for those who accept that compliance is not enough: it must be demonstrated, tested, and lived every day. The rest will be left behind.