BifrostConnect Blog
Compliance for the sake of compliance never works
Compliance for the sake of compliance does not create resilience, and minimum checklists do not protect critical infrastructure on their own.
Following the lowest possible standard only guarantees that the organisation will be out of date the moment a new threat, a new guideline or a new regulatory update is released. This is the paradox facing many operators of essential services today.
Regulations expand, threats evolve and digital environments change faster than traditional compliance programs can follow.
Across Europe, NIS2 has raised the bar for cybersecurity governance in critical infrastructure. However, the directive does not work if organisations treat it as a checklist. NIS2 was never designed to be a minimum set of technical controls. It was designed as a risk based governance framework that forces organisations to adopt a continuous improvement philosophy. This is made explicit in Article 21, which states that cybersecurity measures must be state of the art, risk based and continuously evaluated.
In other words, ticking the lowest possible requirement does not meet the requirement. NIS2 demands a living security program rather than a compliance binder.
Why minimum compliance always fails:
Minimum compliance creates a false sense of security. When organisations aim for the smallest possible change, three predictable problems occur.
First, they become reactive instead of proactive. New threats or vulnerabilities instantly make their controls obsolete because no ongoing maturity development is in place.
Second, they depend entirely on regulatory bodies to tell them what to do. This approach breaks down in sectors where regulators deliberately avoid prescribing specific technologies because the operational environments are too diverse.
Third, the organisation ends up adjusting itself continuously because new versions of the same rules force updates again and again. The cost becomes higher, not lower, because the organisation rebuilds its posture in small increments rather than investing in stable long term capabilities.
The Danish Energy Agency has repeatedly stated that compliance must result in real effect, not paper documentation. This is also why the energy sector uses a highly concrete executive order known as BEK 260. The intention is to create clear operational controls that provide measurable security outcomes rather than theoretical requirements. The water sector, which currently falls under the general NIS2 Act, faces a structural challenge.
Without a sector specific executive order similar to BEK 260, many operators focus only on the abstract requirements rather than the operational reality. When compliance is treated as a paperwork exercise, operators never strengthen the real security of their OT environment.
NIS2 cannot be implemented as a minimum checklist:
NIS2 introduces a set of obligations that are continuous by design. These include risk assessment, supply chain security, incident response, business continuity, zero trust principles, remote access management and logging. None of these concepts can be reduced to a static checklist because each depends on the specific risk landscape of the operator.
ENISA has made this very clear in its guidance on NIS2 implementation. Each operator must interpret the directive in relation to its own operational context. One size does not fit all. Organisations that copy another organisation’s checklist will not meet their own obligations because they will not have addressed their own risk profile.
NIST reaches the same conclusion in its cybersecurity framework. Minimum implementations are never enough to reduce actual risk. The framework is designed for continuous maturity improvement, and organisations are expected to revisit controls regularly.
Minimum compliance is operationally dangerous for OT:
OT environments cannot rely on generic compliance checklists because the risk environment is dynamic and highly specialised. OT systems often depend on vendor specific technology, legacy equipment, strict uptime requirements and safety processes. By definition, OT security must be tailored to these constraints.
A minimum compliance approach ignores the realities of:
- authentication during isolation
- segmentation across vendor networks
- remote access during system failure
- manual operation during a cyber event
- logging in systems without central IT dependencies
- detection when IT sensors are down
These areas are repeatedly highlighted in CISA incident summaries as reasons for escalation. When compliance is shallow, organisations do not prepare for the kind of failures that actually occur in OT systems.
Why regulators encourage a continuous improvement mindset:
Regulators across Europe are shifting away from prescriptive controls toward outcome focused frameworks. NIS2 is one example. The European Commission has explained that organisations must demonstrate that they understand their own risk exposure and have implemented measures appropriate for that exposure. This means that two organisations with similar technologies can legitimately choose different controls, but neither can choose minimum controls if the risk level demands more.
This philosophy is reinforced by ENISA, which has published multiple analyses showing that risk based programs outperform compliance based programs. Organisations with mature risk based approaches experience fewer successful attacks, faster recovery times and better supplier oversight.
The compliance trap for operators of essential services:
The compliance trap occurs when organisations focus on what they must do to pass an audit instead of what they must do to protect operational continuity. When this happens, teams prioritise the easiest tasks to document rather than the tasks that materially reduce risk.
Examples include:
- Writing policies rather than implementing controls
- Adopting identity solutions that work only during normal operation
- Ignoring cross team coordination between IT and OT
- Documenting backup plans without testing them.
CISA reports repeatedly show that untested systems and misunderstandings across IT and OT are among the most common root causes of operational downtime during cyber events.
The solution is capability building, not just checklist building:
Real cybersecurity maturity comes from building capabilities. These include:
- tested incident response
- validated remote access
- segmentation that works during isolation
- supply chain oversight
- tested backup and recovery procedures
- identity systems that function under failure conditions
These capabilities are not mandated as a minimum checklist because regulators know that each organisation must shape them based on its specific architecture. What matters is that these capabilities exist in practice. Paper compliance does not create capability.
So…
Compliance for the sake of compliance undermines resilience. Critical infrastructure requires a continuous improvement mindset, realistic exercises, risk based governance and operational capability. Regulators expect organisations to move beyond minimum requirements. The threat landscape evolves too quickly for any static checklist to provide real protection. Organisations that pursue minimum compliance will forever chase new requirements instead of reaching a stable and robust security posture. Real security comes from maturity, not from minimum obligations.
Author: Emilie Lerche Fenger
Date: November 18, 2025
📎 Resources:
- NIS2 Directive full legal text: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32022L2555
- European Commission NIS2 policy page: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- ENISA NIS2 Technical Implementation Guide: https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
- ENISA Cybersecurity Roles and Skills for NIS2 Entities: https://www.enisa.europa.eu/publications/cybersecurity-roles-and-skills-for-nis2-essential-and-important-entities
- NIST Cybersecurity Framework main page: https://www.nist.gov/cyberframework
- CISA Industrial Control Systems portal: https://www.cisa.gov/topics/industrial-control-systems
- DLA Piper legal summary of ENISA NIS2 guidance: https://privacymatters.dlapiper.com/2025/08/eu-enisa-guidelines-on-compliance-with-nis-2-directive-published/
About the Author:
Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company’s commercial strategy and cybersecurity aligned market positioning. With eight years of experience working with remote access and critical infrastructure, she focuses on understanding real operational challenges, shaping thought leadership and driving strategic initiatives that support NIS2 readiness and resilient IT OT collaboration.