How well does governance hold up when requirements tighten? With NIS2, information security is moving higher up the leadership agenda. For many organisations, this becomes a stress test of how well risk, control and accountability fit together. According to Christopher Läns, GRC expert at Stratsys, the answer lies in a governance model built to last.
Many organisations across both industry and the public sector are feeling the growing pressure from new regulations. NIS2 and DORA introduce new requirements around incident management, supplier oversight, continuity and reporting. At the same time, accountability is shifting upward — and that shift is felt most acutely by executive teams and boards.
For leadership and the board, the question quickly becomes bigger than information security. Ultimately, it's about the organisation's ability to set clear requirements, follow up on them, and ensure that governance actually works in practice.
Regulations that expose the cracks
Christopher Läns works with GRC and information security at Stratsys. He often meets organisations in the middle of this transition — and there's a recurring pattern in how new regulations are received.
- The natural impulse is often to launch a separate initiative: to set up a working group, establish new processes and review the supporting tools. That's understandable, but it also risks reinforcing a structural problem that was already there, says Christopher.
The risks introduced by regulations like NIS2 are rarely new in themselves. The fact is that many organisations are already working on incident management, supplier risk, access control and continuity planning. What the regulations really do is make visible how these issues are being handled — and whether governance is genuinely joined up.

Christopher Läns, GRC Lead, Stratsys
Parallel tracks in risk management
So how should, say, a Swedish industrial company respond when a new regulation lands? The natural move can be to set up dedicated working groups and establish new reporting lines. It signals decisiveness and shows the matter is being taken seriously.
- When the organisation responds to an external requirement with yet another workflow, you're effectively reinforcing fragmentation that already exists. The consequence of that overlap can be that the same risk gets handled multiple times, says Christopher.
The result is that risk ends up being managed several times over: for example, the same supplier risks are already being followed up by procurement and IT, incidents are already being managed within information security, and continuity risks may already sit within the organisation's existing risk work.
When NIS2 is layered on top of all this, another tier of processes, reporting and accountability is added. The concrete consequences quickly become visible:
- The same risk is followed up across multiple processes.
- Different functions request the same information.
- Reporting inputs vary.
- Accountability becomes blurred between functions.
- Decision-making inputs become fragmented.
The cost of this approach rarely shows up immediately. It surfaces over time as growing complexity, more administration, and difficulty prioritising when the next requirement arrives. Regulations like NIS2 become a clear mirror of the organisation's existing governance model.
When governance holds together
Meeting regulatory requirements is not the same as building a governance model that lasts. That becomes especially clear when the next requirement comes into force, when a major customer asks new questions about cyber security, or when the board wants to understand the organisation's resilience.
The key is to find ways to strengthen the underlying structure. Otherwise, the same challenge will resurface when the next regulation needs to be addressed or the next audit requirement enters the organisation.
Christopher's observation is that the organisations furthest along rarely organise themselves around each individual regulation — they start from the underlying risks.
- Only when the same control is linked to multiple regulations, business risks or reporting requirements does the structure start to create real value, says Christopher.
This is also where the value of a shared structure and integrated system support becomes clear. When risk, control and accountability stay connected over time, new requirements can be folded into the same model — instead of generating new processes and more administrative work.
The value of the right structure
A shared structure isn't about simplifying reality — it's about organising it so that risk, control and accountability can be held together over time. When risks like supplier dependency, incident readiness, access and identity, continuity and data protection are followed up separately, complexity rises quickly. That doesn't just mean more administration; it also means a weaker overall picture.
The reverse is equally true. When the same control is defined once and used across multiple regulations, the organisation gains a more coherent way of working that frees up resources. The same data can be used in several contexts, accountability becomes clearer, and follow-up is built on comparable inputs. This makes it possible to:
- Build a unified picture of the risk landscape.
- Prioritise actions based on the whole.
- Reduce duplication across the business.
- Clarify accountability and escalation.
- Make decisions based on comparable inputs.
The structure becomes concrete decision support for both leadership and the wider business — covering everything from investment prioritisation to incident readiness and supplier risk.
The regulation as catalyst
The difference becomes especially clear when you consider how this plays out. Christopher describes how new legal requirements can lead to projects being launched and investments made to handle follow-up and documentation. Three months later, however, it can turn out that the same supplier risk is already being followed up by IT, the risk function and internal audit. Meanwhile, the business has a separate process for continuity risk.
Suddenly, the organisation is running four parallel tracks to manage what is essentially the same underlying risk.
- In the light of new legal requirements, it becomes clear that you need a structure that holds across multiple regulations. That's how regulations like NIS2 can act as a catalyst for the organisation. They reveal how fragmented governance already was, says Christopher.
A strategic question, not a resourcing one
What sets more mature organisations apart is rarely the volume of resources, but how the work fits together. A shared model for risk and control creates a structure that holds up against future regulations too. It strengthens both operational capability and leadership decision-making — and that's how you build governance that lasts.
The question, then, isn't first and foremost whether you comply with NIS2. The real question is what the requirements reveal about how robust your organisation's governance actually is.
Want to know more about how the Stratsys GRC platform can help your organisation with NIS2? Get in touch with us.