The NIS2 transposition deadline passed on 17 October 2024. National laws are being enacted across Member States. And yet, the gap between having a law on the books and having regulated entities operationally ready to demonstrate compliance is vast. This gap is not a Member State problem. It is an entity-level problem. An organization can operate in a country with a fully transposed NIS2 national law and still be nowhere near able to prove that its cybersecurity risk management measures meet the standard that NIS2 Article 21 requires. The "proof gap" is the distance between knowing what the law requires and being able to demonstrate, with evidence, that the organization actually does it. Closing that gap is the central operational challenge for essential and important entities in late 2025 and 2026.
The Three Layers of NIS2 Readiness
Understanding the proof gap requires distinguishing three layers of readiness that organizations often conflate.
Layer 1: Legal awareness. The organization knows that NIS2 applies to it, has identified the relevant national transposition law, and understands the scope of its obligations. This is table stakes. It is also where many organizations stalled during 2024, waiting for national transposition clarity before taking operational action.
Layer 2: Program establishment. The organization has mapped NIS2 Article 21(2) measures to its existing control framework, identified gaps, assigned ownership, and created a remediation plan. Policies have been drafted or updated. Governance structures have been defined. The compliance program exists on paper and has executive sponsorship.
Layer 3: Operational proof. The organization can demonstrate, through evidence, that its Article 21 measures are implemented, functioning, tested, and supervised by management bodies as Article 20 requires. Evidence is current, not stale. Controls are monitored, not just documented. Incident response has been tested, not just planned. Supply chain risk is assessed, not just acknowledged.
The proof gap exists between Layer 2 and Layer 3. Most organizations that have engaged with NIS2 have reached Layer 2. Far fewer have achieved Layer 3. The gap is where supervisory reviews will focus, because NCAs are not interested in plans. They are interested in proof.
Why Legal Transposition Does Not Equal Entity Compliance
The transposition process itself created confusion that widened the proof gap. When the October 2024 deadline passed with many Member States still transposing NIS2, a reasonable interpretation circulated in compliance circles: "If our Member State hasn't transposed yet, we don't have binding obligations yet." As a matter of strict legal effect that reading had some force: a directive does not by itself impose obligations on a private entity, and the direct effect of an untransposed directive runs against the state, not against companies. Operationally, it was dangerous.
Organizations that paused their NIS2 programs pending transposition clarity lost 12 to 18 months of operational readiness building. The controls that NIS2 Article 21 requires are not the kind that can be implemented in a quarter. Incident handling capability, supply chain security oversight, business continuity management, and access control governance are operational capabilities that take months to build and longer to mature. An organization that waited until its national law was enacted in mid-2025 to begin building these capabilities entered 2026 with immature controls and thin evidence.
Even in Member States where transposition completed on or near the October 2024 deadline, entity compliance lagged for structural reasons. National transposition laws define obligations. They do not implement controls. The gap between a legal requirement for "measures for vulnerability handling and disclosure" (NIS2 Article 21(2)(e)) and an operational vulnerability management program with defined SLAs, automated scanning, risk-based prioritization, and evidence of remediation effectiveness requires organizational effort that legal text cannot provide.
The proof gap is widest in three areas where most organizations under-invested during the transposition period.
Gap Area 1: Evidence Operations
Evidence operations is the discipline of generating, maintaining, and producing compliance evidence on a continuous basis. It is the single largest proof gap area for NIS2-regulated entities because most organizations never built an evidence operations function. They built audit readiness processes instead.
The distinction matters operationally. Audit readiness processes activate before an audit: teams collect evidence, fill gaps, clean up documentation, and present a polished view at the moment of examination. Between audits, evidence generation is minimal. The result is point-in-time evidence that proves the control existed during the audit period but says nothing about its state between audits.
NIS2's enforcement model does not follow an annual audit cycle. For essential entities, Article 32 gives NCAs both ex ante and ex post supervisory powers: on-site inspections and off-site supervision including random checks, regular and targeted security audits, ad hoc audits (for example, after a significant incident), security scans, and requests for information and for access to data. Important entities are supervised under Article 33 on an ex post basis, that is, once the NCA has evidence or an indication that the entity is not meeting its obligations, with a comparable set of powers. In both cases the request arrives outside any audit calendar the entity controls. An organization that generates evidence only before scheduled audits cannot respond to such a request without scrambling.
Building evidence operations requires three structural changes.
Continuous evidence generation. Controls should produce evidence as a byproduct of their normal operation. An access review that generates timestamped decision records, a vulnerability scan that logs findings and remediation actions, an incident response exercise that produces a documented after-action report: these are controls that generate evidence automatically. If producing evidence requires a separate manual collection effort, the process does not scale to NIS2's continuous supervision model.
Evidence freshness management. Every evidence artifact has a useful lifespan. A vulnerability scan from six months ago does not demonstrate current vulnerability posture. An access review from last year does not demonstrate current access governance. Evidence freshness management assigns an expiry to each evidence type and ensures that evidence is refreshed before it becomes stale. Continuous control monitoring platforms automate this by tracking evidence freshness as a first-class metric.
Evidence retrieval capability. The evidence exists. Can the organization produce it within the timeline an NCA request demands? If evidence is scattered across SharePoint folders, email archives, ticketing systems, and individual team members' local drives, retrieval is a research project rather than a query. Centralizing evidence in a single repository with structured metadata and search capability transforms retrieval from days to minutes.
Gap Area 2: Control Effectiveness Demonstration
The second proof gap area is demonstrating that controls are effective, not merely present. NIS2 Article 21(1) requires measures that are "appropriate and proportionate." Appropriateness is an effectiveness judgment. A control that exists but does not reduce risk is not appropriate.
Most organizations can demonstrate control existence: "We have an incident response plan." "We conduct access reviews." "We assess vendor risk." Fewer can demonstrate control effectiveness: "Our incident response plan was tested in Q3 and we identified a 45-minute gap in our notification workflow that has since been remediated." "Our access reviews identified and revoked 280 excess entitlements in the last cycle, reducing our over-privileged account population by 12%." "Our vendor risk assessment process identified two critical suppliers with deteriorating security posture, and we have initiated enhanced oversight and contractual remediation."
Effectiveness demonstration requires outcome metrics, not activity metrics. Activity metrics (number of reviews completed, number of policies updated, number of training sessions delivered) prove that work was done. Outcome metrics (risk reduction achieved, gaps identified and closed, response time improvement, drift remediation rate) prove that the work produced results.
The shift from activity to outcome reporting is uncomfortable for compliance teams because outcome metrics can show failure. A control that was executed but did not reduce risk is, by the outcome metric, an ineffective control. Acknowledging ineffectiveness is essential for improvement but feels risky in a compliance context where the goal is to demonstrate adequacy.
The NIS2-mature response is to demonstrate a cycle: measure effectiveness, identify weaknesses, remediate, re-measure. NCAs are not looking for perfect controls. They are looking for organizations that know where their controls are weak and are actively improving them. An organization that acknowledges control weaknesses and demonstrates remediation progress is in a stronger supervisory position than an organization that claims all controls are effective but cannot support the claim with data.
Gap Area 3: Management Body Engagement
The third proof gap area is management body engagement under Article 20. This gap is particularly dangerous because it creates personal liability exposure for board members and executive leadership.
Article 20(1) requires management bodies to approve the cybersecurity risk-management measures taken to comply with Article 21, to oversee their implementation, and it provides that management bodies can be held liable for infringements. Article 20(2) requires management body members to follow training so that they can identify risks and assess risk-management practices. The directive places this obligation on the management body itself; supervisory responsibility cannot be discharged by delegating it to the CISO. The management body must understand the cybersecurity risk landscape well enough to approve specific measures and oversee their implementation.
The proof gap in management body engagement is often total. Many organizations cannot produce any evidence that the board discussed cybersecurity risk management in the context of NIS2 obligations, that the board approved specific security measures (as opposed to approving a budget), that individual board members received NIS2-specific training, or that the board receives regular reporting on cybersecurity risk posture with enough detail to constitute "oversight."
Closing this gap requires creating a board-level cybersecurity governance cadence. Quarterly cybersecurity risk briefings with documented minutes. Annual board-level cybersecurity training with attendance records and content documentation. Formal board approval of the cybersecurity risk-management program with resolution records. Standing board access to cybersecurity risk metrics that provide genuine oversight visibility, not quarterly summary slides.
The 90-Day Operational Readiness Sprint
Organizations that have completed Layer 2 (program establishment) but have not achieved Layer 3 (operational proof) can close the proof gap through a focused 90-day sprint structured around five workstreams.
Workstream 1: Core control baseline lock. Stop debating national transposition nuances and lock the core control baseline using NIS2 Article 21(2) as the authoritative reference. The ten measures listed in Article 21(2)(a) through (j) are the baseline. National transposition may add specifics, but it cannot remove these measures. Define the organization's operational implementation of each measure and assign a named owner. Do not wait for perfect national guidance. Build the baseline and adapt when specifics emerge.
Workstream 2: Evidence inventory and freshness audit. For each Article 21(2) measure, inventory the evidence that currently exists. Assess its freshness (when was it last generated?), its completeness (does it cover the full scope of the measure?), and its accessibility (can it be produced within 48 hours?). Flag evidence that is stale, incomplete, or inaccessible. This inventory becomes the remediation backlog for evidence operations.
Workstream 3: Control effectiveness measurement. For each core control, define one outcome metric that demonstrates effectiveness. For incident handling, it might be mean-time-to-detect and mean-time-to-respond from the last exercise. For access control, it might be the percentage of entitlements revoked in the last review cycle. For vulnerability handling, it might be the percentage of critical vulnerabilities remediated within SLA. Establish baseline measurements and set improvement targets.
Workstream 4: Management body engagement setup. Schedule the first NIS2-specific board briefing. Prepare training content that addresses Article 20 requirements. Draft a board resolution approving the cybersecurity risk-management program. Create a standing board reporting package for cybersecurity risk metrics. Execute the first cycle within the 90-day window and document everything.
Workstream 5: National overlay mapping. For each jurisdiction where the organization operates, identify the specific national requirements that go beyond the directive baseline. Map these to the core control baseline and identify incremental obligations. Define national-specific evidence requirements and assign responsibility for producing them. Do not build separate compliance programs per jurisdiction. Build one core program with documented national overlays.
Separating Stable Obligations from Jurisdictional Deltas
One of the most common strategic errors in NIS2 compliance programs is treating each national transposition as a separate compliance requirement and building parallel compliance tracks for each jurisdiction. This approach is expensive, inconsistent, and unnecessary.
NIS2 Article 21(2) defines ten specific measures that all essential and important entities must implement regardless of jurisdiction. These are the stable obligations. They do not change between Member States. An incident handling capability that satisfies Article 21(2)(b) in Germany also satisfies Article 21(2)(b) in France. The operational implementation is the same.
What varies between jurisdictions are specific requirements that national transposition laws add: sector-specific obligations, reporting channel specifications, entity classification thresholds, and procedural requirements for NCA interaction. These are jurisdictional deltas: incremental requirements that layer on top of the stable baseline.
The operationally efficient approach is to build one core compliance program that implements all Article 21(2) measures, then add jurisdictional overlays for each Member State where the organization operates. The overlays document what the national law adds beyond the directive baseline and define the incremental evidence or process adjustments required. This approach reduces duplication, improves consistency, and makes it significantly easier to demonstrate compliance to NCAs in multiple jurisdictions.
Stress Testing Evidence Retrieval
The operational test that most clearly reveals the proof gap is a stress test on evidence retrieval. The test is simple: simulate an NCA evidence request and measure the organization's ability to respond.
Define ten evidence requests that an NCA might plausibly make based on the supervisory powers in Articles 32 and 33 and the Article 21(2) measures. Examples: "Provide your incident response plan and evidence of its last test." "Provide access review records for the past 12 months for systems supporting critical business functions." "Provide your supply chain risk assessment for your five most critical ICT suppliers." "Provide evidence that your management body approved the current cybersecurity risk-management measures."
Set a 48-hour response window. Assign the requests to the relevant teams. Measure three things: whether the evidence exists, whether it can be located within the window, and whether it is current and complete.
The results of this test are typically sobering. Organizations that consider themselves NIS2-ready often discover that evidence exists for six or seven of the ten requests, is locatable within 48 hours for four or five, and is current and complete for three or four. The gap between "we have a program" and "we can prove our program works on demand" is the proof gap, and this stress test quantifies it precisely.
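The freshness-expiry idea from Gap Area 1, the evidence inventory of Workstream 2, and the retrieval stress test above can be run as one small script. The following is an added worked example written for this page; it is not FortisEU code and not part of the original article. The expiry windows per evidence type, the ten requests, and the evidence inventory are constructed assumptions chosen to illustrate the scoring (the numbers they produce happen to match the "typical" result described above). In a real run the inventory would come from the organization's evidence repository and the expiries from each control owner.

```python
"""Evidence freshness audit plus a simulated NCA retrieval stress test.

Added example for illustration only. MAX_AGE_DAYS, REQUESTS and INVENTORY
are constructed assumptions, not data from any real entity or platform.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed maximum useful age (days) per evidence type. Each control owner
# should set and record the real value for their evidence types.
MAX_AGE_DAYS = {
    "vuln_scan": 30, "access_review": 90, "ir_exercise_report": 365,
    "supplier_assessment": 365, "board_resolution": 365, "bcp_test_report": 365,
    "crypto_policy": 365, "training_record": 365, "mfa_config_export": 30,
    "incident_log": 30,
}


@dataclass
class Evidence:
    control: str                       # Article 21(2) letter, or "art20" for board evidence
    kind: str                          # key into MAX_AGE_DAYS
    generated_at: datetime
    retrieval_hours: Optional[float]   # hours needed to locate it; None = cannot be located
    complete: bool                     # covers the full scope of the request


@dataclass
class Request:
    control: str
    kind: str
    text: str


def is_fresh(ev: Evidence, as_of: datetime) -> bool:
    """Evidence is fresh while its age is within the assumed expiry for its kind."""
    return as_of - ev.generated_at <= timedelta(days=MAX_AGE_DAYS[ev.kind])


def stale_evidence(inventory, as_of):
    """Freshness audit (Workstream 2): every artifact past its expiry, oldest first."""
    stale = [e for e in inventory if not is_fresh(e, as_of)]
    return sorted(stale, key=lambda e: e.generated_at)


def stress_test(requests, inventory, as_of, window_hours=48):
    """Score a simulated NCA request list against the inventory.

    Returns (exists, locatable_in_window, current_and_complete, findings);
    findings holds one (request text, status) pair per request, in order,
    and is the remediation backlog for evidence operations.
    """
    exists = locatable = current = 0
    findings = []
    for req in requests:
        matches = [e for e in inventory if e.control == req.control and e.kind == req.kind]
        if not matches:
            findings.append((req.text, "missing"))
            continue
        exists += 1
        ev = max(matches, key=lambda e: e.generated_at)  # the NCA wants the current state
        if ev.retrieval_hours is None or ev.retrieval_hours > window_hours:
            findings.append((req.text, "not locatable within window"))
            continue
        locatable += 1
        if not is_fresh(ev, as_of):
            findings.append((req.text, "stale"))
        elif not ev.complete:
            findings.append((req.text, "incomplete"))
        else:
            current += 1
            findings.append((req.text, "ok"))
    return exists, locatable, current, findings


# Constructed sample data: the ten requests and what the repository holds.
AS_OF = datetime(2026, 1, 15)
REQUESTS = [
    Request("b", "ir_exercise_report", "Incident response plan and evidence of its last test"),
    Request("i", "access_review", "Access review records for critical systems, last 12 months"),
    Request("d", "supplier_assessment", "Risk assessment for the five most critical ICT suppliers"),
    Request("e", "vuln_scan", "Latest vulnerability scan with remediation status"),
    Request("art20", "board_resolution", "Management body approval of current risk-management measures"),
    Request("c", "bcp_test_report", "Business continuity test report"),
    Request("h", "crypto_policy", "Cryptography and encryption policy in force"),
    Request("g", "training_record", "Cyber hygiene training records"),
    Request("j", "mfa_config_export", "MFA configuration for remote and privileged access"),
    Request("b", "incident_log", "Incident register covering the last quarter"),
]
INVENTORY = [
    Evidence("b", "ir_exercise_report", datetime(2025, 9, 20), 4, True),
    Evidence("i", "access_review", datetime(2025, 8, 1), 8, True),        # 167 days old: stale
    Evidence("d", "supplier_assessment", datetime(2025, 11, 1), 24, True),
    Evidence("e", "vuln_scan", datetime(2026, 1, 10), 2, True),
    Evidence("art20", "board_resolution", datetime(2025, 6, 10), None, True),  # buried in minutes
    Evidence("h", "crypto_policy", datetime(2025, 3, 1), 72, True),       # found, but not in 48 h
    Evidence("j", "mfa_config_export", datetime(2026, 1, 12), 1, False),  # one tenant only
]

if __name__ == "__main__":
    exists, locatable, current, findings = stress_test(REQUESTS, INVENTORY, AS_OF)
    print(f"exists {exists}/10, locatable in 48h {locatable}/10, current+complete {current}/10")
    for text, status in findings:
        if status != "ok":
            print(f"  backlog: {status:28s} {text}")
    for e in stale_evidence(INVENTORY, AS_OF):
        print(f"  refresh: {e.kind} (generated {e.generated_at.date()})")
```

Two design points carry over to a real repository. First, the scoring is strictly cumulative: an artifact that cannot be located within the window is never assessed for freshness, because from the NCA's side it does not exist. Second, the freshness audit runs over the whole inventory, not only over the ten requests, so evidence that no request happened to touch still shows up for refresh before it expires.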
Why Inertia Costs Compound
Organizations that delayed NIS2 operational readiness pending transposition clarity are now experiencing the compounding cost of inertia.
The cost compounds in three dimensions. Resource compression: controls that could have been built incrementally over 18 months must now be built in parallel within a compressed timeline, requiring more resources and creating more risk of implementation shortcuts. Evidence thinness: organizations that started operational controls recently have thin evidence histories, making it difficult to demonstrate control maturity or improvement trends to NCAs. Leadership confidence deficit: boards that were not engaged early lack the familiarity with NIS2 obligations that Article 20 requires, and the compressed timeline for building board engagement creates pressure to treat governance as a checkbox rather than a genuine oversight mechanism.
The compounding cost of inertia is not recoverable through spending. An organization cannot buy an 18-month evidence history. It can only start building one now and accept that the first 12 to 18 months of supervisory exposure will require managing the gap between obligation and demonstrated capability.
How FortisEU Closes the Proof Gap
FortisEU is designed specifically to close the gap between program establishment and operational proof. The platform implements evidence operations as a core architectural function: controls generate evidence automatically as they execute, evidence freshness is tracked and enforced, and the complete evidence library is retrievable within minutes rather than days.
For multi-jurisdiction entities, FortisEU maintains a single core NIS2 control baseline with configurable national overlays, eliminating the need for parallel compliance programs. Control effectiveness is measured through outcome metrics integrated into the executive risk view, enabling the board reporting that Article 20 management body engagement requires.
The platform's continuous compliance monitoring ensures that evidence is never stale. When an NCA requests evidence under Article 32, the organization can produce a current, complete, structured evidence package from the platform immediately, demonstrating the operational readiness that separates entities that have a compliance program from entities that can prove their compliance program works.
Key Takeaways
- The proof gap is the distance between having a NIS2 compliance program (Layer 2) and being able to demonstrate, through current evidence, that the program is operationally effective (Layer 3). Most organizations have reached Layer 2. Few have achieved Layer 3.
- The three largest proof gap areas are evidence operations (generating, maintaining, and retrieving evidence continuously), control effectiveness demonstration (outcome metrics rather than activity metrics), and management body engagement (Article 20 accountability with documented evidence).
- Build one core compliance program based on Article 21(2) stable obligations, then layer jurisdictional overlays for national-specific requirements. Do not build parallel programs per Member State.
- Stress test evidence retrieval with a simulated NCA request against 10 specific Article 21(2) evidence items within a 48-hour window. The gap between what exists and what can be produced on demand is the quantified proof gap.
- Inertia costs compound through resource compression, evidence thinness, and leadership confidence deficits. Organizations cannot buy an evidence history. They can only start building one now and manage the gap during early supervisory exposure.
