Europe has suddenly declared that hundreds of thousands of companies must meet demanding NIS2 cybersecurity standards, yet the pool of qualified auditors is tiny in comparison. Critics note that there is a shortage of qualified auditors to perform the required assessments, that the compensation for auditors is too low, and that the audit methodology is unnecessarily strict. Even if every capable professional devoted themselves full-time to this task, the sheer scale makes meaningful oversight impossible. In Hungary alone, the current end-of-year deadline was deemed unrealistically tight, requiring a six-month extension. The result is predictable: compliance becomes a matter of boxes ticked on paper, with real security lagging far behind.
The system folds back on itself in an endless (supply) chain. Companies audit themselves, auditors audit the companies, and regulators audit the auditors. In Hungary, service providers in high-risk sectors are required to sign an agreement with an external auditor company certified by the authorities within 120 days of registration, with the auditor checking the entity’s information systems every two years. A noble aspiration that rather assumes there are sufficient certified auditors to go round. Each layer multiplies complexity, producing a hierarchy of symbolic gestures rather than tangible results.
Small IT teams in mid-sized firms are thrust into essential roles they are ill-equipped for, improvising with whatever documentation and tools they can muster. One sentiment expressed by affected organisations is telling: they do not know what the auditors will be looking for, and describe it as preparing for an exam without seeing the syllabus. Checklists are completed with zeal, policies are lifted from the internet, and incident response plans are reduced to sticky notes scrawled with panic. Systems may be secure, but if documentation is disorganised or incomplete, it counts against you. Metrics, signatures, and forms convey the illusion of control, yet actual cyber risk continues unchecked. The system optimises for appearance, not reality, creating an ecosystem of superficial compliance that masks underlying vulnerabilities.
Yet it needn’t be quite so Kafkaesque. NIS2 compliance, like crossing a river, requires respecting the current. You cannot simply route around mandatory incident reporting timelines and specific obligations: Article 23 of the Directive fixes an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within a month. But with systematic preparation and realistic planning, it is navigable. The difference between theatre and substance lies in understanding what actually matters versus what merely creates paperwork. Practical guides exist that cut through the regulatory fog, offering frameworks for cross-functional coordination and genuine risk management rather than checkbox exercises: resources that help small IT teams build real incident response capabilities.
The arithmetic remains rather damning. Estimates suggest NIS2 will directly affect over 100,000 organisations across the EU, with some sources citing 160,000 companies in Member States, or even 400,000 directly subject companies. When indirect supply chain impacts are considered, approximately 1.8 million businesses face NIS2-related requirements. By mid-February 2025, only nine countries had transposed the Directive into national legislation, having missed the 17 October 2024 deadline. The European Commission launched infringement procedures against 23 Member States for failing to fully transpose NIS2, including Germany, France, and Spain. At the time of writing, end-November 2025, 15 out of 27 EU Member States have transposed the NIS2 Directive into national law.
Meanwhile, organisations face the dual challenge of implementing comprehensive risk management, incident response and reporting procedures, and of doing so to a timetable, when a typical NIS2 compliance programme, covering security assessments, auditing, consulting and tool implementation, takes approximately 12 months. One might charitably call this “ambitious.” One might less charitably call it “utterly barking.”
The choice put before organisations is stark: pursue compliance as performance art, or build genuine resilience that happens to satisfy regulatory requirements. The former produces mountains of documentation that crumble under scrutiny. The latter requires understanding the river’s current and navigating it deliberately, with proper preparation and realistic planning.
Ultimately, this is a classic mismatch between ambition and capacity. Without enough auditors, skilled staff, and tooling to match the mandate, NIS2 risks producing paperwork rather than resilience. The Kafkaesque turtle lumbers forward, burdened with a mountain of forms and checklists, slowly grinding toward a goal that remains largely out of reach whilst the real threats carry on beneath the surface.
One suspects our chelonian friend is in training for an A’Tuin role, destined to carry an entire world on its back, though in this case, a world built entirely of compliance documentation and well-intentioned regulatory architecture. At least A’Tuin had four elephants to help with the load.
Terry Pratchett would have had a field day with this one: Our NIS2 turtle has only a handful of overworked auditors, a prayer that the spreadsheets hold together long enough to reach the next review cycle, and, for those wise enough to look, a practical guide to actually crossing the river rather than simply drowning in it, trying to keep afloat on excellent documentation.
