Psybersafe Blog


NIS2 doesn't care. 

It is 4:46pm on a Friday when someone forwards a spreadsheet called NIS2 Gap Analysis FINAL v7 REALLY FINAL. We do what every sensible adult does: skim it, nod gravely, and promise ourselves we will "properly look at it" next week.

That is the exact moment a compliance programme turns from a regulation into a psychology problem.

Because the messy bit is not the spreadsheet. It is Monday morning. It is Sharon in Finance approving an invoice while her Teams pings. It is your ops lead trying to ship a client deliverable while someone asks, again, "Can you just reset my password to Summer2026? I am in a rush."

Compliance is a behaviour change project disguised as a documentation project.

If that sentence annoys you, good. Annoyed is awake. And awake is the right state to be in if you want to avoid the most common compliance trap of all: treating people like a policy distribution problem.

Compliance starts in the kitchen, not the board pack

When organisations feel regulatory pressure, they often respond the same way most of us respond to a messy garage. We buy storage boxes.

That is how we end up with policies nobody reads, training slides nobody remembers, and a "process" that exists mainly as a folder called New Process (final).

To be clear: this is not an argument against policy. It is an argument against fantasy.

A document can clarify expectations. It can protect you legally. It can prove you tried. But it does not make the right action the easy action. And when it comes to compliance, "easy" tends to win. Not because people are careless, but because they are busy. They are trying to do a decent job, quickly, with the tools and time they actually have.

This is where "culture" stops being a fluffy phrase and becomes very concrete. Culture is not posters and slogans. Culture is what people do when they are tired, when they are interrupted, when nobody is watching at all.

If you want compliance that survives a stressful Monday, design for that stressful day. Not for the annual audit meeting where everyone suddenly remembers what the policy says.

Why one-day training and tick boxes keep failing

Most organisations do not set out to build checkbox compliance. It happens because time pressure makes us reach for the fastest evidence we can generate.

So we do the sensible-looking things: distribute policies, run annual training, add a quiz, record attendance. Those actions create artefacts, and artefacts feel like progress. They look great in a folder.

But artefacts are not outcomes. A signed policy is not the same as a changed habit. A completed module is not the same as a safer decision under pressure.

A useful test: when the risky moment arrives, do people do the right thing by default, or do they need to remember a PDF exists?

If the answer is "they need to remember", you have not built a compliance programme. You have built a library.

COM-B in one minute

One of the most useful frameworks for understanding why behaviour change succeeds or fails is COM-B, developed by Michie et al. (2011). It says behaviour happens when people have three things working together:

[Figure: The COM-B Model]

  • Capability — they can do it (knowledge and skills)
  • Opportunity — they get the chance (time, tools, prompts, environment)
  • Motivation — they want to do it (habits, social norms, incentives, emotions)

Most compliance sprints focus almost entirely on Capability. They throw information at people, run a mandatory module, email a policy. The quiz gets added because a quiz looks like evidence.

But compliance success depends just as much on Opportunity and Motivation.

Take any policy-driven behaviour: reporting incidents, escalating a concern, challenging a supplier, rejecting a risky request from a senior person. For that behaviour to happen reliably, people need:

  • a clear, simple route to do the right thing (Opportunity)
  • enough time and the right tools to do it (Opportunity)
  • social permission to do it, even when it is awkward (Motivation)
  • feedback that proves it was worth doing (Motivation)
  • enough context to recognise the moment that matters (Capability)

If any one of those is missing, the behaviour fails. Not theoretically. In practice, on the day it matters.

That is why "we trained them" is not the same as "they do it". And it is why a compliance team should get twitchy when they hear: "We will sort the culture bit after we finalise the policy suite." The policy suite is not the thing that prevents failures. The habits are.

NIS2 as a perfect example of the bigger compliance problem

NIS2 is a useful case study, not because it is unique, but because it makes the pattern obvious. It is easy to treat it as a project with a start date and an end date, a checklist to complete and a folder to fill.

The organisations that do well with NIS2 will not be the ones with the prettiest documentation. They will be the ones where risk management behaviours actually happen when nobody is watching.

NIS2 is a behaviour change project disguised as a compliance project.

The same is true for most modern compliance regimes. The written standard is the visible part. The lived behaviour is the protective part.

And if you are based in the UK, do not assume this passes you by. If you supply services to EU-regulated organisations, or sit in their supply chain, those customers may require NIS2-level assurances from you regardless of where you are based. Scope is not just a question of geography.

One practical note on scope: NIS2 is an EU directive, and directives get transposed into national law. The details vary by country, and "are we in scope" is not a question to settle based on a LinkedIn post. Check the guidance from your national authority. Ireland's National Cyber Security Centre publishes a plain-language NIS2 FAQ, and the European Commission hosts background on the directive. One page will not answer everything for every organisation, but both make one point unavoidable: this is not a paperwork exercise. Authorities care about risk management, accountability, and whether organisations can respond when something actually goes wrong.

Which brings us back, again, to behaviour.

If your organisation "has a process" but nobody knows what to do when something feels off, escalating feels risky or embarrassing, and everyone assumes someone else will catch it, the process is decorative. And if the plan is to fix that later, you have just described last-minute compliance.

For SMEs and big organisations alike: make the right behaviour the easy behaviour

A lot of compliance advice splits the world into small and big organisations, as if human behaviour changes based on headcount. It does not. People stay stubbornly human at every size.

Smaller organisations usually struggle with capacity. There is no compliance army. There is Sharon, an ops lead, and someone who "knows computers". The win is not doing everything. The win is doing a few behaviours consistently, with as little drama as possible.

Bigger organisations often struggle with handoffs. The controls exist, but the gaps live between teams, suppliers, and "just this once" exceptions. The win is not another policy. The win is removing friction from the safe path and removing rewards from the unsafe one.

Either way, the lever is the same: make the right behaviour the path of least resistance.

If the secure route is harder, slower, or socially riskier than the workaround, people will route around it. Not because they are malicious, but because they are human. If you want compliance to survive contact with reality, focus less on telling people what to do, and more on removing the reasons they do not do it.

If the "we are too small to matter" myth is doing the rounds in your organisation, this Psybersafe post is worth a read: The SME myth.

A simple 30-60-90 day plan for any compliance or policy change

You cannot cram a culture. You can, however, build it in small, sensible steps. Here is a plan that respects the fact that you still have a business to run. (If you want a plain-English refresher on NIS2 specifically before diving in, start there.)

First 30 days: pick two behaviours and make them visible

Choose two behaviours that reduce risk quickly and show up in everyday work. For example, "pause and verify before changing payment details", or "report suspicious messages using one route". Define what "good" looks like in one sentence each. Then make the behaviour easy to do: one obvious channel, one button, one short script managers can use when someone escalates ("Thanks, that is exactly what we want").

Next 60 days: rehearse, reinforce, and remove one friction point

Run short monthly training that matches real scenarios people face. Keep it short enough that nobody needs to block out half a day, and specific enough that people recognise themselves in it. Then pick one friction point and fix it: maybe escalation feels complicated, ownership is unclear, or people fear looking foolish. Small fixes compound.

By 90 days: embed cues and norms so the behaviour runs without constant pushing

Create prompts that guide behaviour automatically. A reminder at the point of action. A standard line in onboarding. Managers modelling the habit out loud. People start copying what "normal" looks like. That is how culture spreads, quietly.

Want to see how Psybersafe turns compliance training into habits that actually stick?

Watch a demo