Beyond NIS2 Compliance
Cyber resilience is supposed to protect organizations from disruption.
Instead, it’s often reduced to policies, controls, and NIS2-driven compliance checklists.
Documented. Audited. Approved.
As digital systems become central to how organizations operate, cyber risk stops being abstract.
Cyber incidents no longer affect data alone – they disrupt availability, decision-making, and business continuity.
Patching individual systems won’t solve this.
The deeper issue remains: compliance-first thinking, unclear ownership, and poor translation of digital risk into business impact create fragile organizations.
Host Lieuwe Jan Koning (Co-Founder & CTO, ON2IT) talks with Jasper Nagtegaal (Director of Digital Resilience, Dutch Authority for Digital Infrastructure) about what NIS2 is really trying to change – and why cyber resilience fails when organizations treat it as a policy exercise instead of a business risk.
This episode isn’t about regulations or frameworks.
It’s about understanding what happens when the intent behind NIS2 collides with real-world operations – and why resilience depends on decisions made long before things break.
What you’ll learn
- Why NIS2 reframes cyber incidents as business failures, not IT failures
  Downtime, disruption, and loss of control matter more than controls on paper.
- How compliance-led NIS2 implementations undermine cyber resilience
  Why “being NIS2 compliant” doesn’t mean being ready.
- What other critical industries get right about resilience
  Designing for failure, recovery, and accountability under pressure.
- How to reframe cyber risk around continuity and impact
  Speaking the language decision-makers actually respond to.
- What to focus on tomorrow to improve cyber resilience
  Risk ownership, scenario thinking, and board-level accountability.
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
It starts with a familiar conversation.
The organization asks:
Are we NIS2 compliant?
The real question comes later:
Can we still operate when systems fail, data is unavailable, or decisions must be made under pressure?
Cyber resilience breaks down when it lives in policy documents.
It works only when it’s anchored in how the business actually functions.
Many organizations still explain digital risk in regulatory or technical NIS2 terms. Boards and executives think in continuity, impact, and responsibility.
That translation gap is where resilience fails.
Cyber incidents don’t become crises because controls were missing.
They become crises because NIS2 was treated as a compliance goal instead of a continuity obligation.
Industries like aviation, energy, and healthcare approach resilience differently.
They assume failure is inevitable – and design for recovery, decision-making, and responsibility under stress.
Cybersecurity often doesn’t.
Treating digital risk as a compliance burden under NIS2 delays the conversation until after something breaks.
By then, fines, investigations, and explanations follow – but the real damage is already done.
This episode explores why NIS2 should be treated as a catalyst for business resilience, not a regulatory outcome.
Host Lieuwe Jan Koning (Co-Founder & CTO, ON2IT) speaks with Jasper Nagtegaal (Director of Digital Resilience, Dutch Authority for Digital Infrastructure) about what NIS2 is trying to fix, why organizations struggle to communicate digital risk, how resilience fails in the boardroom, and what changes when continuity becomes the starting point.
This episode isn’t about regulation. It’s about how organizations interpret NIS2, think, decide, and act before – not after – things break.