
Airworthiness for the digital society

NIS2 is not a competition for the most binders. It is about airworthiness for our digital public services. In this article, I explain why the directive should be understood as a functional requirement: Can we fly safely every day, land through turbulence, and quickly take off again? I share what triggered me and clarify what NIS2 truly demands and why we risk going astray if we treat it as a checklist. Focus: leadership responsibility, supply chain, and time as a capability (24/72/30), measured with simple yet strict outcome targets.

In short: Stop measuring manuals. Start proving airworthiness.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

NIS2 wants us to fly safely, not just fill in paperwork.

The idea behind this article developed gradually but took shape when I mentored a law student and lectured computer science students at Lund University, where something began to nag at me. I saw NIS2 often interpreted as if it had an answer key: find the paragraphs, tick the boxes, "get it done". At the same time, questions from leadership focused more on how to avoid sanctions than how to ensure operational capability when things really get tough. My concern grew into a cloud of worry: if we read a purpose-driven law as a checklist, are we truly building capability or just producing paperwork? This is the question driving this text.

The big picture and why the metaphor matters

The flight attendant demonstrates emergency instructions. The captain welcomes everyone aboard. Everyone knows the routine. But deep down, no one cares how neatly the manual is wrapped; passengers want to know if the plane is airworthy: the right crew, a maintained aircraft, functioning procedures, tested emergency protocols. NIS2 is exactly this for our critical digital services. It's not a contest to have the most binders; it's proof of capability. Can you fly safely day to day, land safely through turbulence, and quickly get airborne again when something breaks? That's the core. (European Union, 2022).

What NIS2 really is (and isn't)

NIS2 was not introduced to redraw the map of technical components. This is crucial. It was introduced to address three simultaneous failures in Europe: cross-border dependencies running into uneven security capabilities, a threat landscape shifting towards state-sponsored and more systemic attacks, and a plethora of voluntary recommendations that backfired in boardrooms. The result of the latter was that boards, facing no clear accountability, did not prioritise security; it was seen as a cost, not an investment. That is why NIS2 shifts focus upwards in governance and outwards towards the whole. It regulates capabilities, processes and responsibilities, not specific tools. (European Union, 2022).

This is reflected in the language and structure: open norms like "appropriate level of security", "appropriate and proportionate measures" and "without undue delay" (arts. 20–23). This is not careless drafting; it is a teleological construction. In EU law, purpose carries weight: oversight will in practice ask whether you achieved the law's objective, not just whether you ticked every box to the letter (European Union, 2022; Tridimas, 1997).

Translated to aviation: NIS2 seeks to see airworthiness, that people, processes, technology and suppliers work together in reality, under stress, over time.

Why NIS2 risks going wrong right now

This is where my concern and the trigger for writing this article come from. Legal interpretations of NIS2 are alarming in most cases. Not because of a lack of competence or training. No, because they read this law dogmatically, paragraph by paragraph, rather than by analysing what the text is meant to achieve. That approach risks misplacing the law, with boards and leadership entirely missing the point: thinking it's just another law, another cost, rather than genuine security and a real investment. The risks are:

1) Paper airworthiness. We optimise documents instead of performance. But NIS2 fundamentally cares about outcomes: detecting, limiting, recovering and reporting on time (24 h / 72 h / 30 days). (European Union, 2022).

2) Law without systems thinking. Swedish legal education has a strong doctrinal tradition which excels when norms are precise. But NIS2 is deliberately open and purpose-driven. The law allocates responsibility and enables oversight; capability is created through the interplay between criticality, dependencies, culture and decision-making under uncertainty (Karlstad University, 2025; Tridimas, 1997).

3) Individual focus instead of organisational responsibility. The individual performs, but it is the organisation that is accountable. On a plane, passengers should stay alert, but the company ensures maintenance, procedures, simulator training and mandates. That is also why the window blinds must be open during takeoff and landing: passengers and crew become sensors for what is happening outside. The same logic applies in NIS2 and cybersecurity law: individual behaviour is part of capability, never a substitute for it. The individual is a sensor and a vital part of the organisation, not the accountable party. And it's quite clear why we need to rethink.

Reality as a stress test: data and cases

  • The chains: ENISA shows how attacks via supply chains have become more common and sophisticated, a structural problem, not an anomaly (ENISA, 2021). The MOVEit chain became a textbook case: a vulnerable component caused massive spill-over and demonstrated that managing external "workshops" (contracts, patch regimes, logging, permissions) is as critical as your own firewall (Emsisoft, 2024).

  • Humans: DBIR 2024 estimates that around 68% of breaches involve a human element (phishing, misconfiguration, mistakes), and third-party involvement is a growing vector (Verizon, 2024). The conclusion is not "scold more" but build the right default setting and train.

  • System capability beats manuals: The 2015 attack on Ukraine's power grid was a lesson in how what saves the day is the combination of technology, process and people, including the ability to operate manually and recover quickly (E-ISAC & SANS, 2016).

How NIS2 should be translated in the boardroom (airworthiness language)

  • Art. 20 (leadership): The captain and the company own the trade-offs and the outcomes. Responsibility cannot be outsourced. (European Union, 2022).

  • Art. 21 (risk measures): Show that your particular combination of technical and organisational measures ensures safe flying in your environment, including the workshops outside the hangar (suppliers). (European Union, 2022; European Commission, 2024).

  • Art. 23 (24/72/30): Early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within a month. Make time into muscle memory: reporting channels, roles and evidence chains must be solid before the clock starts. (European Union, 2022).

(Light humour with reflection: No captain has ever saved a plane with a perfectly completed manual. It was training and discipline that did.)

Why things go wrong in practice (and how to fix it)

Design flaw 1: Compiling policies.

Counting binders measures documentation; NIS2 measures capability. Switch to outcome metrics that the board reviews quarterly: recovery time for critical services, patch latency, MFA coverage, log coverage and 24/72/30 discipline. (Verizon, 2024).

Design flaw 2: Blind supply chain.

Contracts without the right to audit logs, without time-limited permissions, without vulnerability SLAs or a "kill switch" are like letting an unknown workshop work on the plane. Build supply chain airworthiness: require it in the contract, verify it in practice, and test it under stress. (ENISA, 2021).
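To make "outcome metrics" and "verify" concrete, here is an added example (my own illustration, not code from the article or from OneMore Secure) that computes the quarterly figures named under design flaw 1 and runs the time-limited-permission check from design flaw 2. Every incident, patch, account count and supplier grant below is constructed sample data, and the 14-day patch SLA is an assumption; the 24/72/30 clock follows the article's framing of Art. 23.

```python
"""Quarterly outcome metrics in the spirit of the article's design flaws 1 and 2.
Added example, not code from the article; all records are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional

UTC = timezone.utc

# Art. 23 reporting clock as the article frames it (24 h / 72 h / 30 days),
# all counted from the moment the organisation became aware of the incident.
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass
class Incident:
    name: str
    aware_at: datetime
    sent: dict                               # stage -> datetime the report went out
    restored_at: Optional[datetime] = None   # critical service back in operation


def stage_status(inc: Incident, stage: str, now: datetime) -> Optional[bool]:
    """True = sent on time, False = sent late or overdue, None = not yet due."""
    deadline = inc.aware_at + DEADLINES[stage]
    sent_at = inc.sent.get(stage)
    if sent_at is not None:
        return sent_at <= deadline
    return None if now <= deadline else False


def reporting_discipline(incidents, now) -> float:
    """Share (percent) of reporting stages that were due and were met on time."""
    statuses = [stage_status(i, s, now) for i in incidents for s in DEADLINES]
    due = [s for s in statuses if s is not None]
    return round(100 * sum(due) / len(due), 1) if due else 100.0


def median_recovery_hours(incidents):
    """Median time from awareness to restored service, over restored incidents."""
    hours = [(i.restored_at - i.aware_at).total_seconds() / 3600
             for i in incidents if i.restored_at]
    return median(hours) if hours else None


def patch_latency(patches, sla_days: int, now):
    """patches: (label, fix_published, applied_at or None).
    Returns (median latency in days for applied patches, count beyond the SLA)."""
    latencies = [(applied - published).days for _, published, applied in patches if applied]
    beyond_sla = sum(1 for _, published, applied in patches
                     if (applied or now) - published > timedelta(days=sla_days))
    return (median(latencies) if latencies else None), beyond_sla


def coverage_pct(covered: int, total: int) -> float:
    return round(100 * covered / total, 1) if total else 0.0


@dataclass
class SupplierGrant:
    supplier: str
    account: str
    expires_at: Optional[datetime]   # None = no time limit agreed
    active: bool


def supplier_access_findings(grants, now):
    """Verify the 'time-limited permissions' clause: flag grants with no expiry
    and grants that are past expiry but still active."""
    findings = []
    for g in grants:
        if g.expires_at is None:
            findings.append(f"{g.supplier}/{g.account}: no expiry on grant")
        elif g.active and g.expires_at < now:
            findings.append(f"{g.supplier}/{g.account}: expired {g.expires_at.date()} but still active")
    return findings


# Constructed sample quarter (assumed dates; not real incidents or suppliers).
NOW = datetime(2025, 3, 31, 12, 0, tzinfo=UTC)
T0 = datetime(2025, 2, 1, 9, 0, tzinfo=UTC)
INCIDENTS = [
    Incident("ransomware-on-file-server", T0,
             {"early_warning": T0 + timedelta(hours=20),
              "notification": T0 + timedelta(hours=70),
              "final_report": T0 + timedelta(days=25)},
             restored_at=T0 + timedelta(hours=36)),
    Incident("supplier-portal-outage", T0 + timedelta(days=40),
             {"early_warning": T0 + timedelta(days=40, hours=30)},  # late; 72 h missed
             restored_at=T0 + timedelta(days=40, hours=8)),
]
PATCHES = [("patch-A", T0, T0 + timedelta(days=3)),
           ("patch-B", T0, T0 + timedelta(days=21)),
           ("patch-C", T0 + timedelta(days=50), None)]
GRANTS = [SupplierGrant("workshop-a", "svc-maint", NOW + timedelta(days=10), True),
          SupplierGrant("workshop-b", "svc-remote", None, True),
          SupplierGrant("workshop-c", "svc-temp", NOW - timedelta(days=5), True),
          SupplierGrant("workshop-c", "svc-old", NOW - timedelta(days=90), False)]


def board_summary() -> dict:
    """The quarterly figures a board would review instead of a binder count."""
    med, beyond = patch_latency(PATCHES, sla_days=14, now=NOW)   # 14-day SLA assumed
    return {
        "reporting_discipline_pct": reporting_discipline(INCIDENTS, NOW),
        "median_recovery_hours": median_recovery_hours(INCIDENTS),
        "median_patch_latency_days": med,
        "patches_beyond_sla": beyond,
        "mfa_coverage_pct": coverage_pct(412, 430),   # constructed account counts
        "log_coverage_pct": coverage_pct(57, 60),     # constructed system counts
        "supplier_findings": supplier_access_findings(GRANTS, NOW),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

The point of the script is the shape of the numbers, not the numbers themselves: a stage that is not yet due is neither a pass nor a fail, an unapplied patch is measured against today rather than ignored, and a supplier grant with no expiry is a finding even if nobody has misused it yet. Those are the distinctions a board needs to see and a binder cannot show.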

Design flaw 3: Law as an answer key.

Legal dogmatics work when norms are static. Here they are open and forward-looking and purpose-driven. Oversight will ask if you achieved the purpose with reasonable, proportionate choices (Tridimas, 1997; European Union, 2022).

Design flaw 4: Oversight as formality hunting.

Hunting for formal remarks instead of raising the baseline creates the wrong incentives. Start by establishing an approved airworthiness baseline and raise the requirements through practice. (European Union, 2022; European Commission, 2024).

"Living framework" and 2024/2690: why NIS2 becomes clearer over time

But I think I need to keep convincing some readers about what I am trying to convey.

The Commission's Implementing Regulation (EU) 2024/2690 specifies technical and methodological requirements for the Art. 21 measures and the thresholds for when an incident counts as significant, for a set of digital service providers (DNS, cloud, data centres, managed services and online marketplaces, among others). That confirms the NIS2 logic: the law sets the goal, and secondary legislation and oversight fill the toolbox over time (European Commission, 2024). So we don't need to "say everything" on day one; we need to show we can carry the weight and improve quarter by quarter.

Closing remarks

This began as a worry in my gut when I saw NIS2 reduced to paper checks and how organisations, through their lawyers, often started at the wrong end. At worst, it was sticking their heads in the sand and thinking "this doesn't concern us". I'm sure many have changed their minds but many still need to be brought on board. NIS2 is not designed for us to win the binder competition. It's designed for us to fly safely: day to day, through turbulence, and back up when something fails. The literal reader finds requirements; the purpose reader builds capability. That's why standards, norms and frameworks are a good foundation but far from the solution. Security is not something you have, it's something you do.

References

Primary sources

European Commission. (2024). Commission Implementing Regulation (EU) 2024/2690. EUR-Lex.

European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal L 333.

Analyses & reports

E-ISAC & SANS. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid.

ENISA. (2021). Threat Landscape for Supply Chain Attacks.

Emsisoft. (2024). Unpacking the MOVEit breach: statistics and analysis.

Verizon. (2024). Data Breach Investigations Report (DBIR 2024).

Methodology/teleology

Karlstad University. (2025, 21 Feb). Legal dogmatics remain strong, new study shows.

Tridimas, T. (1997). The Court of Justice and judicial activism. In P. Craig & G. de Búrca (Eds.), The Evolution of EU Law. Oxford University Press. (Example of teleological interpretative culture in EU law.)
