
Yannick H.
Too Long; Didn't Read
NIS2, FINMA, KRITIS-G – many see regulation as bureaucracy. Smart companies use these requirements as a structure for what they need anyway. We show you how to map regulatory requirements onto your resilience framework and turn compliance into a competitive advantage instead of a burden.

"Yet another new regulation. As if we had nothing better to do."
That is the most common reaction we hear when NIS2 or FINMA requirements land on the table. Understandably so. More paperwork, more audits, more costs.
But here’s the thing...
The requirements these regulations impose? You need them anyway. Identify critical processes. Prepare incident response. Manage supply chain risks. These are not compliance exercises — they are the fundamentals of operational resilience.
Regulation simply gives you the structure. And an external deadline.
The shift in perspective
Old perspective: Compliance = costs. Effort. Bureaucracy. Satisfy the auditor. Tick the box. Forget it.
New perspective: Compliance = a checklist for operational capabilities you need anyway. With the added bonus of legal certainty and competitive advantage.
The difference is not in the activities — those are often the same. The difference is in the mindset.
If you approach NIS2 as an "annoying obligation," you get minimal compliance and no operational benefit. If you approach NIS2 as a "structure for resilience," you get both.
What NIS2 and FINMA really require
Let’s walk through the key requirements — and see what they mean for operational resilience.
NIS2: The most important requirements
| NIS2 requirement | What does that mean? | Resilience dimension |
|---|---|---|
| Identification of critical services | List of all business-critical services and their dependencies | Dimension 1: Business Impact |
| Risk management | Systematic assessment of cyber risks and treatment plans | Dimension 3: Technical Architecture |
| Incident response | Documented processes for detection, response, and recovery | Dimension 2: Process Resilience |
| Business continuity | Plans for continued operations during disruptions | Dimension 2: Process Resilience |
| Supply chain security | Assessment and management of third-party risks | Dimension 1: Dependencies |
| Reporting obligations | Timely reporting to authorities | Dimension 4: Organizational |
FINMA: Operational resilience for the financial sector
| FINMA requirement | What does that mean? | Resilience dimension |
|---|---|---|
| Critical functions | Identification of functions that would have systemic impact if disrupted | Dimension 1: Business Impact |
| Tolerance thresholds | Define maximum tolerable downtimes (RTO) for each critical function | Dimension 1: RTO Definition |
| Scenario testing | Regular testing of BC/DR plans against defined scenarios | Dimension 2: Testing |
| Outsourcing governance | Control over outsourced functions and the providers that run them | Dimension 1: Dependencies |
| Escalation & reporting | Clear escalation paths, timely reporting | Dimension 4: Organizational |
Swiss KRITIS-G (sanctions applicable from October 2025)
| KRITIS-G requirement | What does that mean? | Consequence of violation |
|---|---|---|
| Reporting obligation | Report cyberattacks to the NCSC within 24h of discovery | Fine of up to CHF 100,000 |
| Critical infrastructure | Determine whether the company falls under KRITIS | If in scope: higher requirements and the reporting obligation above |
| Incident documentation | Complete documentation of incidents (timeline, impact, measures taken) | Missing records cannot serve as evidence during audits |
How to turn compliance into resilience
Here is the practical part: How do you map regulatory requirements to your resilience framework?
Step 1: Create a compliance mapping
For each regulatory requirement, ask:
Which resilience dimension does this address?
Have we already covered this?
If yes: Where is the evidence?
If no: What do we need to do?
Example compliance mapping matrix:
| Regulatory requirement | Resilience dimension | Status | Evidence / Gap |
|---|---|---|---|
| NIS2: Identify critical services | Dimension 1: BIA | ✅ Fulfilled | BIA report with criticality assessment |
| NIS2: Incident response process | Dimension 2: Process Resilience | ✅ Fulfilled | Incident playbooks, RACI matrix |
| FINMA: Degraded operations | Dimension 2: Process Resilience | ✅ Fulfilled | MVO (minimum viable operations) documentation for critical processes |
| NIS2: Supply chain management | Dimension 1: Dependencies | ⚠️ In progress | Dependency mapping being implemented |
| FINMA: Regular testing | Dimension 2: Testing | ⚠️ Planned | Test scenarios defined, first test Q1/26 |
Step 2: Leverage synergies
The beauty of this approach: Many requirements overlap.
Example:
NIS2 requires "identification of critical services"
FINMA requires "identify critical functions"
ISO 27001 requires "asset management with protection needs assessment"
That is the same exercise three times. With a solid Business Impact Analysis, you cover all three.
Instead of creating separate documentation for each regulator, you create an integrated resilience framework — and map it to the different requirements.
Step 3: Build an evidence structure
Regulation also means: You must be able to prove what you do.
What you should document:
| Requirement | Evidence document | Review frequency |
|---|---|---|
| Critical processes | BIA report | Annually |
| Risk assessment | Risk register | Annually + after incidents |
| Incident response | Playbooks + RACI matrix | Semi-annually |
| Business continuity | BC plans + test logs | Quarterly tests |
| Supply chain risks | Vendor risk assessments | Annually, prioritized by criticality |
Tip: Keep documentation up to date. An outdated BC plan is worse in an audit than having none — because it shows you are not taking the topic seriously.
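Steps 1 to 3 are easy to keep in one place once the register is data rather than scattered documents. The following Python script is an added example, not code from the original article: it keeps one capability register with evidence and review dates, maps several regulators' requirements onto the same capabilities, and derives the per-regulator audit view, the overlaps, and the open items from it. The capability names, dates, review intervals and the requirement-to-capability mapping are constructed assumptions for illustration; the dimension labels follow the tables above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (assumption): capability names, evidence, dates and
# review intervals are illustrative, not the article's or any regulator's text.

@dataclass
class Capability:
    name: str
    dimension: str                 # resilience dimension from the tables above
    evidence: str                  # document that proves the capability exists
    last_reviewed: Optional[date]  # None = no evidence yet (a gap)
    review_interval_days: int      # review frequency from the evidence table

# One integrated register: a single entry per operational capability
REGISTER = {
    "bia": Capability("Business Impact Analysis", "Dimension 1: Business Impact",
                      "BIA report with criticality assessment", date(2025, 3, 1), 365),
    "ir": Capability("Incident response", "Dimension 2: Process Resilience",
                     "Incident playbooks + RACI matrix", date(2024, 9, 1), 182),
    "bc": Capability("Business continuity", "Dimension 2: Process Resilience",
                     "BC plans + test logs", date(2025, 8, 1), 90),
    "vendor": Capability("Third-party risk management", "Dimension 1: Dependencies",
                         "Vendor risk assessments", None, 365),
}

# Compliance mapping: (regime, requirement) -> capability key. Several regimes
# point at the same capability; that overlap is the synergy of step 2.
MAPPING = {
    ("NIS2", "Identification of critical services"): "bia",
    ("NIS2", "Incident response"): "ir",
    ("NIS2", "Business continuity"): "bc",
    ("NIS2", "Supply chain security"): "vendor",
    ("FINMA", "Critical functions"): "bia",
    ("FINMA", "Outsourcing governance"): "vendor",
    ("FINMA", "Scenario testing"): "bc",
    ("ISO 27001", "Asset management with protection needs assessment"): "bia",
}

AUDIT_DATE = date(2025, 10, 1)  # constructed reference date for the run below


def status(cap: Capability, today: date) -> str:
    """Fulfilled only if evidence exists AND is inside its review interval.
    Outdated evidence is reported as 'stale', not as fulfilled."""
    if cap.last_reviewed is None:
        return "gap"
    if today - cap.last_reviewed > timedelta(days=cap.review_interval_days):
        return "stale"
    return "fulfilled"


def coverage_report(regime: str, today: date) -> list:
    """Audit view for one regulator, derived from the shared register."""
    rows = []
    for (reg, requirement), key in MAPPING.items():
        if reg != regime:
            continue
        cap = REGISTER[key]
        rows.append({"requirement": requirement, "dimension": cap.dimension,
                     "status": status(cap, today), "evidence": cap.evidence})
    return rows


def synergies() -> dict:
    """Capabilities that satisfy requirements of more than one regime."""
    served = {}
    for (reg, _), key in MAPPING.items():
        served.setdefault(key, set()).add(reg)
    return {REGISTER[k].name: sorted(v) for k, v in served.items() if len(v) > 1}


def open_items(today: date) -> list:
    """Everything an auditor would flag, deduplicated across regimes."""
    return sorted(k for k, cap in REGISTER.items() if status(cap, today) != "fulfilled")


if __name__ == "__main__":
    for reg in ("NIS2", "FINMA", "ISO 27001"):
        print(reg)
        for row in coverage_report(reg, AUDIT_DATE):
            print(f"  {row['status']:<9} {row['requirement']} -> {row['evidence']}")
    print("synergies:", synergies())
    print("open items:", open_items(AUDIT_DATE))
```

With the constructed dates, the run reports the BIA and BC plans as fulfilled for every regime that needs them, the incident response playbooks as stale (last reviewed more than six months ago), and vendor risk as a gap; the open-items list therefore has two entries, not the six you would get by treating each regulator's table separately.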
The competitive advantage
Compliance as a competitive advantage? Yes, really.
1. Customer trust
If you can show an enterprise customer that you are NIS2-compliant and run regular BC tests, you are more credible than a competitor who cannot.
Especially in enterprise tenders, resilience evidence is being requested more and more frequently.
2. Insurance terms
Cyber insurance is becoming more expensive and more restrictive. But: Insurers offer better terms to companies with demonstrable resilience measures.
We have seen cases where premium savings exceed the cost of resilience implementation in the first year.
3. Supply chain qualification
Large companies are increasingly evaluating the cyber resilience of their suppliers. If you can prove your risks are under control, you qualify for contracts that remain out of reach for others.
4. M&A due diligence
In company sales or acquisitions, IT resilience is assessed. Companies with solid compliance documentation achieve better valuations — because the risk for the buyer is lower.
The trap: Compliance for compliance’s sake
Here is the warning: There is also a wrong approach.
The wrong approach:
Create minimal documentation just to pass the audit
Tick checklists without operational implementation
Separate "compliance documents" alongside real processes
Create once, then forget
The result:
Compliance costs without operational benefit
In a real incident: The documents do not help
In the next audit: Everything starts from scratch again
The right approach:
Build resilience capabilities that work
Generate compliance evidence as a byproduct of these capabilities
Integrated documentation that reflects the real process
Regular testing and continuous improvement
The short version
Shift in perspective: Compliance is not bureaucracy — it is a checklist for what you need
Leverage synergies: NIS2, FINMA, ISO 27001 often require the same things
One framework, multiple proofs: Integrated resilience framework instead of separate compliance documents
Competitive advantage: Customer trust, insurance terms, supply chain qualification, M&A valuation
Avoid the trap: No compliance for compliance’s sake — but operational capabilities with compliance evidence
What next?
Ask yourself these questions:
Which regulations apply to your company? (NIS2? FINMA? KRITIS-G? GDPR?)
Do you have a current Business Impact Analysis?
Could you prove tomorrow in an audit what you do for business continuity?
If you are unsure about question 2 or 3, you have found your starting point.
(And if you need support to integrate compliance and resilience in a meaningful way — that is exactly what we are here for.)
Further reading
NIS2 Directive for Swiss companies — The ultimate implementation guide
The 5 dimensions of operational resilience — The complete framework
Business Impact Analysis — Identifying critical business processes