NIS2 puts risk analysis back in the spotlight. But what does it really mean?
Risk analysis is not a document to be produced to satisfy a regulatory obligation. It is a practical tool for understanding your digital exposure, making informed choices, and strengthening your organization’s resilience. Axel Legay explains.
Risk analysis is often perceived as a technical, complex exercise, almost exclusively reserved for specialists. In reality, it starts with a very simple question: what is truly critical to my business, and what could prevent it from functioning normally? “It’s not about predicting everything or aiming for zero risk, but about understanding what really matters and anticipating what could have a significant impact,” comments Axel Legay, an expert in AI and cybersecurity.
With NIS2, this approach is not being reinvented. It is being put back at the center of the game. The directive reminds us that cybersecurity cannot be limited to tools or formal obligations, but must be based on a clear understanding of the risks, their causes, and their consequences.
What NIS2 expects, without unnecessary complexity
Under NIS2, risk analysis forms the basis of cybersecurity management. The organizations concerned must identify the risks associated with their networks and information systems and put appropriate measures in place. The directive does not impose a standard method or a single model. It is based on an obligation of means, not an obligation of results.
“This means that an organization can accept certain risks, provided it can explain why. The goal is not to eliminate all exposure, but to demonstrate that choices have been made in a conscious, proportionate manner that is aligned with the reality of the business.”
How to get started: identifying what really matters
In practice, it all starts with a step that is often underestimated: identifying assets. An asset is not just a server or software. It is everything that the business really depends on, explains Axel Legay. “For an SME, this often involves a few key elements: a billing tool, a customer database, a production system, a cloud provider, or sometimes even a single person with critical skills.”
This first step is essential because it allows us to move away from an abstract view of cybersecurity. Once these assets have been identified, the question becomes very concrete: “What happens if this element is no longer available, even temporarily?” In many cases, organizations discover that their dependence is greater than they imagined.
Identify vulnerabilities without seeking perfection
The second step is to identify vulnerabilities in the broadest sense. Again, this is not just about technical flaws. A lack of tested backups, dependence on a single supplier, poorly controlled access, or a procedure known to too few people are all real vulnerabilities.
“For an SME, this exercise is often reassuring rather than worrying. It allows you to distinguish between what constitutes a major risk and what is an acceptable inconvenience. A vulnerability is not necessarily a problem that needs to be corrected immediately; it becomes an issue to be addressed when it concerns a critical asset and exposes the organization to a significant impact.”
Choosing which risks to address… and which to accept
Not all risks are equal, and not all warrant the same level of effort. Take the example of a small industrial company. Temporary unavailability of the corporate website is rarely critical. On the other hand, a breakdown in the production or order management system can have an immediate impact on revenue and customer relations. The first risk can be accepted, while the second must be addressed as a priority.
The same logic applies to a service SME using a cloud solution for billing or customer relations. An interruption of a few hours may be tolerated if temporary solutions exist. On the other hand, the loss or alteration of customer data is generally unacceptable. “Risk analysis allows these trade-offs to be formalized and made explicit, which is fully in line with the spirit of NIS2.”
The natural link with continuity and resilience
Risk analysis does not stop at identifying problems, Axel Legay adds; it directly feeds into continuity and resilience plans. “By identifying critical assets and acceptable impacts, the organization can define realistic scenarios: how long can an activity be interrupted, which functions must be restarted as a priority, and which backup solutions are truly operational.”
For an SME, these considerations are often much more useful than complex technical devices. A regularly tested backup, a clear procedure in case of unavailability, or minimal access organization may be enough to transform a serious incident into a manageable situation.
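To make the four steps above concrete (list assets, attach vulnerabilities, decide what to treat or accept with a recorded justification, and feed the result into a continuity plan), here is a small risk register in Python. It is an added example and is not code from the article or from Axel Legay; the 1 to 4 likelihood and impact scales, the significance threshold, the sample assets and the tolerable-downtime figures are all constructed assumptions, not values prescribed by NIS2.

```python
"""Minimal risk register following the NIS2 risk-analysis steps described above:
list assets, attach vulnerabilities, score impact, decide treat-or-accept with a
written justification, and derive a restart order for the continuity plan.
All assets, scales and thresholds are constructed illustrations (assumptions),
not values taken from NIS2 or from the article."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    critical: bool              # does the business stop without it?
    max_downtime_hours: float   # longest interruption tolerated (assumed figure)


@dataclass
class Risk:
    asset: Asset
    vulnerability: str          # technical or organisational weakness
    likelihood: int             # 1 (rare) .. 4 (frequent), assumed scale
    impact: int                 # 1 (nuisance) .. 4 (severe), assumed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


SIGNIFICANT_IMPACT = 3   # assumed threshold: impact >= 3 counts as "significant"


def decide(risk: Risk) -> tuple[str, str]:
    """Return (decision, justification). A risk is treated when it concerns a
    critical asset and exposes the organisation to a significant impact; any
    other risk may be accepted, provided the reason is recorded."""
    if risk.asset.critical and risk.impact >= SIGNIFICANT_IMPACT:
        return "treat", f"critical asset '{risk.asset.name}' with impact {risk.impact}"
    if risk.asset.critical:
        return "accept", "critical asset, but impact below the significance threshold"
    return "accept", f"'{risk.asset.name}' is not critical; interruption is an inconvenience"


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Risks to treat, highest score first, then shortest tolerable downtime."""
    to_treat = [r for r in risks if decide(r)[0] == "treat"]
    return sorted(to_treat, key=lambda r: (-r.score, r.asset.max_downtime_hours))


def restart_order(assets: list[Asset]) -> list[str]:
    """Continuity-plan input: critical assets ordered by how soon they must be back."""
    crit = [a for a in assets if a.critical]
    return [a.name for a in sorted(crit, key=lambda a: a.max_downtime_hours)]


def build_register() -> tuple[list[Asset], list[Risk]]:
    """Constructed register for a small industrial company, mirroring the
    website / production / billing examples in the article."""
    website = Asset("corporate website", critical=False, max_downtime_hours=72)
    production = Asset("production system", critical=True, max_downtime_hours=4)
    orders = Asset("order management", critical=True, max_downtime_hours=8)
    billing = Asset("cloud billing (SaaS)", critical=True, max_downtime_hours=24)
    assets = [website, production, orders, billing]
    risks = [
        Risk(website, "hosting outage", likelihood=3, impact=1),
        Risk(production, "no tested backup of machine configurations", likelihood=2, impact=4),
        Risk(orders, "only one person knows the restore procedure", likelihood=2, impact=3),
        Risk(billing, "provider outage of a few hours", likelihood=3, impact=2),
        Risk(billing, "loss or alteration of customer data", likelihood=1, impact=4),
    ]
    return assets, risks


if __name__ == "__main__":
    assets, risks = build_register()
    for r in risks:
        decision, why = decide(r)
        print(f"{decision:6} score={r.score:2} {r.asset.name}: {r.vulnerability} ({why})")
    print("treat first:", [r.vulnerability for r in prioritise(risks)])
    print("restart order:", restart_order(assets))
```

The point of the `decide` function is that every accepted risk carries a justification string, which is what the obligation of means asks for: the register shows that a choice was made knowingly, not that exposure was zero. `restart_order` turns the same asset list into the starting point of a continuity plan, so the two exercises share one source of truth.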
A governance approach, not just a technical one
NIS2 emphasizes a fundamental point: risk analysis is not just a technical matter. It concerns governance. Managers are called upon to understand the major risks, validate priorities, and accept certain residual risks in a responsible manner. It is not a question of mastering the technical details, but of understanding the possible consequences and the choices made.
Risk analysis is not a document to be produced to satisfy a regulatory obligation. It is a practical tool, says Axel Legay. “Risk analysis allows you to understand your digital exposure, make informed choices, and strengthen the resilience of your organization. NIS2 does not require companies to be perfect; it requires them to be clear-headed, consistent, and able to explain their decisions.”
Getting started is often easier than it seems: identify what is essential, recognize your dependencies, accept certain vulnerabilities, and decide what really deserves to be protected. For an SME, this approach allows you to take control of digital technology, rather than being at its mercy.