Can You Survive NIS 2 If Your Most Critical IT Can’t Support MFA or Logging?

Legacy IT is the elephant everyone sees, but few want to own. Whether you’re bringing water to cities, powering factories, or running clinical equipment, your organisation almost certainly depends on endpoints or servers that haven’t seen a security patch in years. The uncomfortable truth: NIS 2 thrusts these “unmigratable” assets from operational background into the spotlight, assigning personal risk to every unmanaged lifecycle and control gap (ENISA, 2023). It is no longer enough to explain these away with business continuity or legacy supplier constraints. The regulation demands active governance and enforceable controls, even when security basics like multi-factor authentication (MFA) or usable event logs aren’t technically possible.

You’ve seen the impact already: renewals stalled, insurance queries intensified, boardrooms anxious, and customers pressing for evidence. Suddenly, the spreadsheet tallying “ancient servers” feels less like technical debt and more like tomorrow’s audit penalty. The central paradox is clear: How do you secure and prove control over the assets you most struggle to change?

Every legacy risk is an open question demanding a documented answer, not a passive excuse.

The stakes are not theoretical. Failure to demonstrate risk governance over legacy systems doesn’t just invite regulatory fines; it can become a boardroom reputational event, kill deals in due diligence, or invalidate insurance after an incident. And as ownership for these risks elevates from the IT team to the board, old comfort zones vanish. NIS 2 pokes at every device, every system, and every shadow spreadsheet that seemed safe in obscurity, requiring a playbook where “unfixable” becomes not a blind spot but a call for leadership, decisiveness, and credible forward motion.


Why Traditional Exceptions No Longer Buy You Time or Trust

If you’ve managed compliance frameworks for more than a year, you’re probably familiar with the dance: expose the legacy gap, note it in a register, propose a notional future upgrade, and hope regulators, insurers, or customers accept necessity as an excuse. NIS 2 transforms this dance into a choreography of accountability. Article 21(2) is explicit: each risk, including those due to legacy or obsolete systems, must be assigned to an owner, formally reviewed at board level, and evidenced as being either actively mitigated or resourced for closure (EUR-Lex). If you can’t show this thread (exception raised, owner named, controls mapped, plan logged, reviewed by the board), your compliance posture is objectively unfit.

The new lens: exceptions are no longer “permission to stand still”; they are burning fuses. Insurers have noticed; so have procurement teams and examiners. If you present a high-risk legacy asset with no next milestone or board-attested review, expect higher premiums, coverage clauses, or outright loss of business. The reason is simple: without structure, legacy risk is assumed to be unmanaged, and unmanaged risk is uninsurable (AGCS).

The regulator sees the exception log as a living promise, not a cemetery of inaction.

Real-world audit failures increasingly hinge on missing clarity: who owns the risk, what the interim control is, and how momentum is forced toward closure. Consider this risk inventory snapshot:

Legacy Asset        | Owner     | Risk Score | Remediation/Migration Plan | Board Review/Signed
--------------------|-----------|------------|----------------------------|--------------------
Windows 2008 Server | IT Ops    | High       | “Decommission Q2 2025”     | Yes (minuted)
End-of-life PLC     | Plant Dir | Med–High   | Network segment + monitor  | Yes (2024)
Unpatched X-ray PC  | Clinical  | High       | Dual sign-off, replace ’26 | Flagged

Any line missing a named owner, a viable plan, or signoff is now an immediate trigger for an audit deficiency. No amount of technical justification compensates for a vacuum in governance ownership.
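The audit rule in this section (no named owner, no viable plan with a milestone, or no board sign-off means a deficiency) can be turned into a mechanical check that runs over the register before an auditor does. The Python script below is an added example written for this page, not ISMS.online code; the field names are assumptions, and the sample rows are constructed from the snapshot table above plus one deliberately deficient row.

```python
"""Completeness check over a legacy-asset risk register.

Added illustration for this article, not ISMS.online's code. It applies the
audit rule stated above: an entry with no named owner, no viable plan with a
milestone, or no board sign-off is an immediate deficiency; a review date in
the past is flagged too. Rows are constructed from the snapshot table, with a
fourth deliberately deficient row; the field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Plan wording that signals intent rather than a commitment (assumed heuristic)
VAGUE_PLAN = re.compile(r"\b(tbd|tba|roadmap|future|when possible)\b", re.I)

# Fixed audit date so the sample output is reproducible (assumption)
AUDIT_DATE = date(2025, 1, 15)


@dataclass
class LegacyAssetEntry:
    asset: str
    owner: str                      # named role or person; empty = unowned
    risk_score: str
    plan: str                       # remediation/migration plan text
    plan_milestone: Optional[date]  # concrete date the plan commits to
    board_signed: bool              # minuted board review exists
    next_review: Optional[date]


def check_entry(entry: LegacyAssetEntry, today: date) -> list[str]:
    """Return the governance deficiencies an auditor would raise for one entry."""
    findings = []
    if not entry.owner.strip():
        findings.append("no named owner")
    if not entry.plan.strip() or VAGUE_PLAN.search(entry.plan):
        findings.append("no viable plan")
    if entry.plan_milestone is None:
        findings.append("plan has no milestone date")
    elif entry.plan_milestone < today:
        findings.append("plan milestone overdue")
    if not entry.board_signed:
        findings.append("no board sign-off")
    if entry.next_review is None:
        findings.append("no review scheduled")
    elif entry.next_review < today:
        findings.append("review overdue")
    return findings


def audit_register(register: list[LegacyAssetEntry], today: date) -> dict[str, list[str]]:
    """Map each deficient asset to its findings; clean entries are omitted."""
    return {e.asset: f for e in register if (f := check_entry(e, today))}


# Constructed sample rows (the first three mirror the table in the text)
SAMPLE_REGISTER = [
    LegacyAssetEntry("Windows 2008 Server", "IT Ops", "High",
                     "Decommission Q2 2025", date(2025, 6, 30), True, date(2025, 3, 31)),
    LegacyAssetEntry("End-of-life PLC", "Plant Dir", "Med-High",
                     "Network segment + monitor", date(2026, 1, 31), True, date(2025, 1, 31)),
    LegacyAssetEntry("Unpatched X-ray PC", "Clinical", "High",
                     "Dual sign-off, replace 2026", date(2026, 12, 31), False, date(2025, 1, 31)),
    # Deliberately deficient row: unowned, vague plan, unsigned, unscheduled
    LegacyAssetEntry("Lab fileserver", "", "High", "Roadmap item", None, False, None),
]


def sample_findings() -> dict[str, list[str]]:
    """Run the check on the constructed register at the fixed audit date."""
    return audit_register(SAMPLE_REGISTER, AUDIT_DATE)


if __name__ == "__main__":
    for asset, findings in sample_findings().items():
        print(f"{asset}: {'; '.join(findings)}")
```

Run as a script it prints one line per deficient asset; the two fully governed rows produce nothing, the X-ray PC is flagged only for its missing board sign-off, and the constructed fileserver row collects every finding. The vague-plan regex is a crude stand-in for the judgement an auditor applies to “roadmap” language; tune it to your own register’s vocabulary.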





What Counts, and What Fails, When Controls Like MFA or Logging Aren’t Possible

Modern regulation isn’t naïve to the constraints of operational technology (OT), healthcare, utilities, and manufacturing. The expectation is not that every legacy asset magically supports MFA, full SIEM integration, or instant retirement. However, NIS 2 and ENISA guidance make clear: if you can’t deploy a standard control (like MFA or logging), you are required to document a temporary, layered compensating control and set an expiration date, proving active governance instead of technical surrender (ENISA).

Common audit traps:

  • Manual access logs with no reviewer: “Shift supervisors sign a paper sheet.” Passes only short-term if there’s evidence it is being checked, signed, and will be phased out.
  • Network isolation without oversight: “We moved it to a VLAN.” Only works if documented, regularly validated, and mapped to risk register entries.
  • Unreviewed exception registers: “We keep a spreadsheet.” Fails without clear review cycles, owner assignment, and closure milestones.

Essential compensating controls when “modern” won’t fit:

  • *Network segmentation with regular audit and access review.*
  • *Dual-control (two-person sign-off) for all changes or privileged access.*
  • *Video monitoring of access zones, especially in OT settings.*
  • *Manual logbooks, reviewed and signed by management at prescribed intervals.*
  • *Layered controls: never rely on a single stopgap.*

Asset              | MFA? | Logging? | Compensating Control               | Review Date | Closure Plan
-------------------|------|----------|------------------------------------|-------------|------------------------
Legacy billing app | No   | No       | Shift logbook + dual sign-off      | Q2 2024     | Replace Q1 2025
Industrial PLC     | No   | Partial  | Segmented, supervisor access logs  | Monthly     | Firmware update in ’25

Remember: Manual or alternative controls are always “temporary and subject to compulsory review.” ENISA’s stance is blunt: workarounds buy time, not compliance absolution. The older or more vulnerable the asset, the stricter the review and the more urgent the closure plan.

A stopgap is a countdown, not a safety net. Its signal is management ambition, not operational inertia.




How to Structure Compensating Controls: Mapping to ISO 27001 and NIS 2

It’s tempting to cut corners and declare an exception “accepted” when IT can’t implement MFA or logging. But in practice, regulatory and insurance scrutiny is all about structure. ISMS.online and ISO 27001:2022 give you a blueprint: every control gap must map to:

  1. A risk register entry (explicitly describing the asset, gap, and likely impact).
  2. A Statement of Applicability (SoA) entry (identifying the affected control and why it’s unmet).
  3. Compensating control(s) applied, documented, and layered (more than one line of defence).
  4. Named asset owner and auditor or manager reviewer.
  5. Evidence of regular review, progress, and ultimate remediation or risk acceptance at board level.

Example ISO 27001 bridge:

Expectation                  | Operationalisation                          | ISO 27001 / Annex A Ref
-----------------------------|---------------------------------------------|------------------------
Board accountability         | Named approval, risk scoring                | 5.3, A.5.4, A.5.36
Asset-specific risk tracking | System status + explicit owner in register  | 6.1, A.5.9, A.8.10
Compensating controls        | Documented, layered, temporary              | 6.1.3, A.8.15, A.8.34
Review & closure cycle       | Register milestone, board-reviewed evidence | A.5.35, A.8.34
Evidence trail               | Approval logs, SoA update, closure record   | A.5.19–A.5.21

Traceability mini-table:

Trigger                 | Risk Update      | Control/SoA Link   | Evidence Logged
------------------------|------------------|--------------------|---------------------
NIS 2 article, audit    | Exception opened | A.5.19, A.8.15     | Exception, sign-off
Staff moves, system up  | Owner changed    | Risk register, SoA | Board minutes, plan
Asset upgraded          | Exception closed | SoA update         | Migration plan, sign

Strong control is less about technical perfection and more about documented, reviewed progression toward risk closure, with evidence at every link for auditors, insurers, and boards.






Practical Audit Survival: From Exception to Evidence Trail

No story of legacy IT compliance ends with a tidy declaration of intent. Audit preparedness is the sum of a living evidence trail that proves every exception is owned, reviewed, resourced, and forced toward closure at a defined cadence (BSI). ISMS.online builds this cycle directly into platform workspaces and dashboards:

1. Identification and Ownership

  • Every legacy asset is entered into a trackable register, tagged by technical owner and board reviewer.
  • Compensating controls, however manual, are explicitly assigned and layered.

2. Documentation and Temporal Controls

  • All controls are listed as “temporary” with expiry, review, and escalation dates coded into the platform.
  • SoA is linked for every exception, with references to asset, risk, and evidence.

3. Active Review and Signature

  • Management sign-off is required, not only during risk update but on every review cycle; no “silent” logs.
  • Every exception must have a closure plan; default indefinite exceptions are flagged, not hidden.

4. Closure or Risk Acceptance

  • Asset migration or decommission is logged with proof.
  • Where migration is impossible, risk acceptance must carry board or executive-level approval, logged to both SoA and risk register for audit traceability.

Checklist for Surviving Audit or Insurance Review:

  • Is every gap in the risk register, SoA, and approval log, and do dates, signatures, and milestones match?
  • Are manual logs or workarounds reviewed, signed, and bounded by planned expiry?
  • Can you instantly export this evidence to auditors, insurers, or customers?

The strongest compliance story is told from the evidence up, not the intention down.
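The four-step cycle and the checklist above reduce to a reconciliation problem: the same exception must appear in the risk register, the SoA and the approval log, with owners and milestones agreeing across all three, and an open exception with no closure milestone must be flagged rather than hidden. The Python script below is an added example written for this page, not ISMS.online code; the three record sets, their field names and the exception identifiers are constructed assumptions.

```python
"""Cross-record consistency check over an exception evidence trail.

Added illustration for this article, not ISMS.online's code. It answers the
checklist question above mechanically: is every gap present in the risk
register, the SoA and the approval log, and do owners and milestones agree
across them? An open exception with no closure milestone is flagged as
indefinite. The three record sets, their field names and the exception
identifiers are constructed assumptions for this example.
"""
from __future__ import annotations

# Risk register: exception id -> governance facts (constructed)
RISK_REGISTER = {
    "EXC-001": {"asset": "Legacy billing app", "owner": "IT Ops",
                "milestone": "2025-03-31", "status": "open"},
    "EXC-002": {"asset": "Industrial PLC", "owner": "Plant Dir",
                "milestone": "2025-12-31", "status": "open"},
    "EXC-003": {"asset": "Unpatched X-ray PC", "owner": "Clinical",
                "milestone": None, "status": "open"},
}

# Statement of Applicability: exception id -> control reference and recorded owner
SOA = {
    "EXC-001": {"control": "A.8.15", "owner": "IT Ops"},
    "EXC-002": {"control": "A.8.34", "owner": "Plant Director"},  # drifted spelling
}

# Approval log: one signed review per record (ISO dates, so they sort as strings)
APPROVAL_LOG = [
    {"exception": "EXC-001", "signer": "CISO", "date": "2024-12-10", "milestone": "2025-03-31"},
    {"exception": "EXC-002", "signer": "CISO", "date": "2024-12-10", "milestone": "2025-06-30"},
]


def latest_approvals(approvals: list[dict]) -> dict[str, dict]:
    """Keep only the most recent signed approval per exception."""
    latest: dict[str, dict] = {}
    for a in approvals:
        if a["exception"] not in latest or a["date"] > latest[a["exception"]]["date"]:
            latest[a["exception"]] = a
    return latest


def reconcile(register: dict, soa: dict, approvals: list[dict]) -> dict[str, list[str]]:
    """Return {exception id: [discrepancies]} for entries that fail the checklist."""
    latest = latest_approvals(approvals)
    issues: dict[str, list[str]] = {}
    for exc, rr in register.items():
        found = []
        if rr["status"] == "open" and rr["milestone"] is None:
            found.append("indefinite exception: no closure milestone")
        if exc not in soa:
            found.append("no SoA entry")
        elif soa[exc]["owner"] != rr["owner"]:
            found.append(f"owner mismatch: register {rr['owner']!r} vs SoA {soa[exc]['owner']!r}")
        if exc not in latest:
            found.append("no signed approval")
        elif latest[exc]["milestone"] != rr["milestone"]:
            found.append(f"milestone mismatch: register {rr['milestone']!r} "
                         f"vs latest approval {latest[exc]['milestone']!r}")
        if found:
            issues[exc] = found
    # Records that exist in the SoA or approval log but not in the register
    for exc in (set(soa) | set(latest)) - set(register):
        issues[exc] = ["present in SoA/approval log but missing from the risk register"]
    return issues


if __name__ == "__main__":
    for exc, problems in reconcile(RISK_REGISTER, SOA, APPROVAL_LOG).items():
        print(exc, "->", "; ".join(problems))
```

In the constructed data EXC-001 reconciles cleanly, EXC-002 shows the two drift failures auditors most often find (an owner name spelt differently in the SoA, and a milestone that was changed in the register without a fresh sign-off), and EXC-003 is the hidden indefinite exception the text warns about. The string comparison on dates works only because every date is ISO formatted; normalise before comparing if your exports differ.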




Managing the Shelf Life of Manual Logs and Compensations

Manual logs, spreadsheets, and badge sheets are not compliance plans; they’re countdown timers. Their shelf life is determined by visibility, review, and closure force.

Audit-inspected acceptability for manual evidence:

Manual Evidence Type  | Audit Shelf Life   | Condition for Acceptance
----------------------|--------------------|----------------------------------------------
Signed logbook        | ≤ 12 months (max)  | Linked to risk control, reviewed, closing plan
Badge/access sheets   | ≤ 6 months         | Dual check, regular review, closure scheduled
Spreadsheet checklist | 1 audit cycle      | Updated, signed, actioned at each review
Unreviewed logs/files | None               | Immediate red flag/failure

Every time an exception cycles for review and is not closed, or at least progressed toward closure, it decays in evidentiary value. A compensating control left unreviewed turns from asset to liability in as little as a quarter. The “proof” is always how close you are to closure, not how well you justify inaction.
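The shelf-life table and the decay rule above can be enforced as a scheduled check rather than remembered at audit time. The Python script below is an added example written for this page, not ISMS.online code; it takes the shelf-life limits from the table, and the audit-cycle length, the “decaying” warning threshold, the field names and the sample records are assumptions constructed for the example.

```python
"""Shelf-life check for manual compensating-control evidence.

Added illustration for this article, not ISMS.online's code. It encodes the
acceptance conditions in the table above: each manual evidence type has a
maximum audit shelf life, must be linked to a risk-register control, reviewed
and signed within that window, and tied to a scheduled closure; unreviewed
evidence fails outright. The audit-cycle length, the 'decaying' warning
threshold, the field names and the sample records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

AUDIT_CYCLE_DAYS = 365          # assumed: one audit cycle per year
AUDIT_DATE = date(2025, 1, 15)  # fixed "today" so results are reproducible

# Maximum days since the last signed management review (from the table above)
SHELF_LIFE_DAYS = {
    "signed_logbook": 365,                      # <= 12 months
    "badge_sheet": 182,                         # <= 6 months
    "spreadsheet_checklist": AUDIT_CYCLE_DAYS,  # one audit cycle
}


@dataclass
class ManualEvidence:
    asset: str
    kind: str
    last_reviewed: Optional[date]        # None = never reviewed
    reviewer_signed: bool                # management signature present
    linked_risk_control: Optional[str]   # risk-register / SoA reference
    closure_date: Optional[date]         # scheduled migration or decommission


def evaluate(ev: ManualEvidence, today: date) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'accept', 'decaying' or 'fail'."""
    if ev.last_reviewed is None or not ev.reviewer_signed:
        return "fail", ["unreviewed or unsigned evidence"]
    if ev.kind not in SHELF_LIFE_DAYS:
        return "fail", [f"unknown evidence type {ev.kind!r}"]
    age = (today - ev.last_reviewed).days
    limit = SHELF_LIFE_DAYS[ev.kind]
    reasons = []
    if age > limit:
        reasons.append(f"last review {age} days ago exceeds {limit}-day shelf life")
    if not ev.linked_risk_control:
        reasons.append("not linked to a risk-register control")
    if ev.closure_date is None:
        reasons.append("no scheduled closure")
    elif ev.closure_date < today:
        reasons.append("closure date passed without closure")
    if reasons:
        return "fail", reasons
    # Still acceptable, but warn once more than half the shelf life has elapsed
    return ("decaying" if age > limit / 2 else "accept"), []


def evaluate_all(records: list[ManualEvidence], today: date) -> dict[str, tuple[str, list[str]]]:
    """Verdict per asset for a batch of manual evidence records."""
    return {ev.asset: evaluate(ev, today) for ev in records}


# Constructed sample records
SAMPLE_EVIDENCE = [
    ManualEvidence("Industrial PLC", "signed_logbook", date(2024, 12, 1), True, "A.8.15", date(2025, 12, 31)),
    ManualEvidence("Legacy billing app", "badge_sheet", date(2024, 6, 1), True, "RR-017", date(2025, 3, 31)),
    ManualEvidence("Unpatched X-ray PC", "spreadsheet_checklist", None, False, "RR-021", None),
    ManualEvidence("OT gate badge sheet", "badge_sheet", date(2024, 10, 1), True, None, None),
    ManualEvidence("Plant logbook", "signed_logbook", date(2024, 6, 1), True, "A.8.15", date(2025, 12, 31)),
]


def sample_report() -> dict[str, tuple[str, list[str]]]:
    """Evaluate the constructed records at the fixed audit date."""
    return evaluate_all(SAMPLE_EVIDENCE, AUDIT_DATE)


if __name__ == "__main__":
    for asset, (verdict, reasons) in sample_report().items():
        print(f"{asset}: {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The “decaying” verdict is the script’s own warning state for evidence that is still inside its shelf life but past the halfway mark, so that a review can be scheduled before the evidence fails rather than after; the badge sheet last signed seven months ago fails on age alone even though it is linked and has a closure date.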

When in doubt, ask: If our insurance claim or customer deal relied on this log, would an external reviewer see the journey to closure?





Sector and National Overlays: When NIS 2 Is Only The Baseline

The reality is simple: sector and national rules often eclipse baseline EU mandates. For energy, healthcare, critical manufacturing, and certain national providers (Germany, Spain, UK), the bar is significantly higher. Your exception log must mirror both the most stringent local template and NIS 2 core.

National overlay examples:

Sector            | National Rule         | Exception Review Frequency | Owner      | Template Source
------------------|-----------------------|----------------------------|------------|------------------
NHS (UK)          | NCSC NHS Digital      | Annual min, Board signoff  | CIO        | nhsdigital.nhs.uk
German Energy     | BSI IT-SiG3           | Annual + monthly check     | CISO       | bsi.bund.de
Spanish Utilities | Royal Decree 43/2021  | Monthly, regulatory lead   | Regulatory | mincotur.gob.es

Your ISMS must import, augment, or adapt to these structures on top of core European requirements. Assume that audits and insurers will apply the strictest locally relevant overlay, not just the NIS 2 default.




Building a Defensible Legacy IT Roadmap: Replace, Isolate, or Mitigate with Documentation

A modern legacy risk plan is a living system, not an end-of-year spreadsheet. The operational discipline required:

  • Catalogue all assets: By owner, risk, compensating control, review schedule, and closure plan.
  • Map to controls: Link every asset and exception to ISO 27001 or NIS 2 Article 21(2) references.
  • Force review cadence: Verification, resourcing, or migration must be driven on a board-level timeline using system-driven reminders.
  • Automate evidence logging: Every owner sign-off, reviewer mark, or plan update visible in a digital audit log, not buried in email or scattered files.
  • Template updates: National overlay plans and sector-specific reporting must link to your ISMS, not exist as shadow processes.

When board or regulator reviews come, your roadmap must unfurl as a series of live, owner-assigned, closure-driven exceptions, proving momentum and accountability. Unowned legacy is now a contract, financial, and strategic liability.




Making the Risk Loop Board-Visible and Resilient: The ISMS.online Advantage

There is an operational difference between “compliant on paper” and “audit-ready in action.” ISMS.online provides more than a risk register: it automates cross-walks between assets, owners, mitigation steps, approval logs, SoA entries, and closure evidence, locking in accountability and making exceptions a centre-piece of the compliance loop rather than a blind spot.

Benefits in daily practice:

  • Dashboards surface every asset’s state: migrated, mitigated, or pending acceptance.
  • Board or regulator can trace every exception by owner, risk, controls in place, and review cycle, with all signatures and milestones time-stamped and instantly available.
  • Crosswalking sector overlays and NIS 2 is managed through linked registers, evidence banks, and template-driven notifications.
  • Audit and insurance reviews change from panic to showcase: a map of resilience, not an apology for exceptions.

Your legacy IT is not just tolerated but integral to your business name and reputation. Own the exception loop. Make every risk accountable, visible, and closing, not stuck in maintenance forever. Prove to every auditor, customer, and board member that your exception management is live, structured, and forcing risk down each cycle. Modern compliance is not measured by technical utopia, but by your auditable journey from gap to closure; make that journey real, measurable, and board-visible with ISMS.online.

When legacy goes unowned, risk owns the business. When you own the exception loop, risk becomes your proof of control.



Frequently Asked Questions

Who is accountable for legacy IT compliance gaps under NIS 2, and what shifts for boards and management?

NIS 2 assigns direct accountability for legacy IT risks to the board and executive management, not just IT leadership, making every unresolved gap a boardroom concern. Article 21(2) of the directive mandates that each “unfixable” legacy asset (unsupported servers, outdated PLCs, legacy network equipment) must have a named owner, a review cadence, and either a mitigation or risk acceptance plan formally logged at management level. This is more than procedural: if ownership or progress is vague, regulators and auditors now expect to probe management, not IT, about persistent risks.

Leadership is no longer measured by signatures on a policy, but by transparent progress on every open gap.

Legacy risk management has become a test of visible leadership. Spreadsheets or unsigned logbooks are insufficient; each exception must trace back to specific executive accountability, with action plans regularly documented and reviewed. Boards are now expected to move from passive sign-off of exceptions to proactive review, with exception closure and mitigation progress forming part of ongoing compliance performance.

Legacy Asset Ownership Table

Legacy Asset           | Owner        | Next Review | Mitigation Plan
-----------------------|--------------|-------------|-------------------------------------
2010 Payment Server    | CTO          | 2024-10-01  | Segregation; no MFA possible
Factory PLC (Line 2)   | Head of Ops  | 2024-07-15  | Planned retirement Q1 2025
Legacy Router          | Network Lead | 2024-09-01  | Badge-only access, network isolation

The takeaway? Boards must maintain trackable, reviewable ownership and action plans for every exception, or risk direct exposure during audits or incident reviews.


Which compensating controls are considered strong enough for legacy systems, and what are the limits?

Genuine compensating controls are accepted for legacy assets only if they’re treated as time-limited bridges, not permanent loopholes. Both auditors and regulators now expect a layered, defensible approach, including (but not limited to):

  • Strict physical access controls (badges, biometrics, locked rooms),
  • Hardened network segmentation (isolated VLANs with firewall restrictions),
  • Two-person (dual) approval for critical admin actions,
  • Manual logbooks with scheduled management review and sign-off,
  • Enforced periodic password changes,
  • Scheduled board-level reviews and minuted updates on each exception.

However, these controls are only accepted if evidence shows:

  • Each exception is formally justified, not just IT-administrated,
  • Controls are reviewed and either advanced or retired at planned intervals,
  • Closure or migration plans are in place and tracked,
  • Management oversight is auditable, not implied.

Auditors trust what they can trace: compensating controls without time limits become compliance weaknesses.

Compensating Control Snapshot

Asset                   | Control Applied    | Audit Evidence Location | Next Review
------------------------|--------------------|-------------------------|------------
Payroll Server (Legacy) | Locked server room | Badge log, sign-off     | 2024-11-01
Outdated Switch         | Segmented VLAN     | Network config docs     | 2024-09-15
PLC (Line 2)            | Manual logbook     | Shift record, signed    | 2024-07-15

Boards should expect compensating controls to be questioned, and must demonstrate regular movement toward risk closure or asset migration.


How should exceptions for legacy tech be documented for NIS 2 audits and cyber insurance reviews?

Exception management under NIS 2 is now a test of traceability and defensibility. Rather than static approval logs or blanket exceptions, the expectation is a living record:

  • Each legacy system must be listed in your risk register,
  • Technical gap and business rationale must be clear,
  • Specific compensating controls are documented and tested,
  • Named ownership is assigned (ideally with board/management visibility),
  • Review dates and progress milestones are scheduled and evidenced (signatures, meeting minutes, exported logs),
  • Closure or migration targets are explicit, not just “roadmap” language.

All of this ties back to your Statement of Applicability (SoA), linking exceptions to controls such as ISO 27001:2022 Annex A.8.8 or analogous clauses (ISO/IEC 27001:2022). Integrated platforms like ISMS.online can automate this by connecting asset data, risk logs, compensating control records, approvals, and supporting evidence in one place, making exceptions instantly audit-ready.

Mature compliance is measured by the number of exceptions closed, not excuses logged.

Exception Traceability Table

Trigger            | Risk Log Ref | SoA Link   | Control Applied   | Evidence
-------------------|--------------|------------|-------------------|--------------------------
Asset End-of-life  | A.8.8 gap    | Asset_x123 | VLAN, manual logs | Board min, audit pack Q2

Lack of active, reviewed exception records is now a flag for both auditors and cyber insurers. Every exception should point to a scheduled closure or migration date.


How do national or industry rules change NIS 2 legacy system compliance?

Compliance doesn’t stop at EU borders; most countries and regulated sectors now add overlays or stricter rules on top of NIS 2. Some critical examples:

  • UK NHS Digital: Demands annual board-level sign-off, decommissioning plans, and full asset/progress documentation for healthcare systems.
  • Germany’s BSI: Requires monthly board-reviewed evidence and unique owner assignment for energy/infrastructure sectors.
  • Spain’s Royal Decree 43/2021: Imposes monthly exception review and regulatory evidence for utilities/providers.

One country’s “pass” can fail elsewhere, especially if sector reviews demand higher frequency, extra documentation, or special reporting templates. Maintain version-controlled packs to satisfy both EU and sector/national audits, and regularly check for upcoming regulatory changes.

National overlays are not compliance nice-to-haves; they are now core risk territory.

Overlay Comparison Table

Asset           | Country | Sector     | Review Cycle | Regulatory Template
----------------|---------|------------|--------------|-----------------------
MRI Scanner     | UK      | Healthcare | Annual       | NHS Digital Compliance
SCADA Mainframe | Germany | Energy     | Monthly      | BSI KritisV
Utility Server  | Spain   | Utilities  | Monthly      | Royal Decree 43/2021

For multi-nation organisations, integration of overlays should be part of your SoA and internal review cycle.


Are manual logs or spreadsheets still accepted as evidence for legacy control, and what’s the audit threshold?

Manual logs and spreadsheets are accepted under NIS 2 only as short-term, transitional evidence, never as permanent compliance measures. Auditors require:

  • Direct linkage to the risk register and SoA,
  • Management (not just IT) sign-off and review at every defined interval (quarterly at minimum),
  • A set closure plan with a concrete deadline for migrating to automated, secure solutions,
  • Logs and evidence that are regularly reviewed and update-tracked (BSI Group, 2024).

Unreviewed, perpetual spreadsheets are now a compliance liability, not a workaround. The usual “shelf life” is one audit cycle or 6–12 months. Sheet expiry, review, and progression to a more robust solution must be documented and evidence made board-visible.

Spreadsheets that become permanent inherit the liability of every missed log and unsigned approval.

Manual Evidence Table

Evidence Type    | Review Interval | Planned Closure Trigger
-----------------|-----------------|------------------------
Badge log sheet  | 3–6 months      | Scheduled migration
Excel risk sheet | Audit cycle     | Automated logs deployed
Signed Logbook   | <12 months      | Asset decommissioned

For each, tie expiry to a migration or asset change; never leave it as an open-ended measure.


What is the board-level process for closing legacy IT risks, and how does ISMS.online operationalise NIS 2/ISO 27001 action?

A defensible board roadmap for legacy IT risk combines:

  1. Full asset catalogue with a gap/criticality score,
  2. Clear assignment of technical and executive owner to each legacy system,
  3. Exception mapping to specific ISO 27001 / Annex A and NIS 2 Article 21(2) controls,
  4. Evidence workflow: review milestones, action logs, closure tracking, and audit/insurer-ready exports,
  5. Automation, with platforms like ISMS.online providing dashboards for active exception closure, scheduled reminders, and exportable proof of progress (https://www.isms.online/solutions/legacy-systems-and-isms/).

Board-led compliance means each at-risk asset has a name, a review date, an action, and a closure log that moves every audit forward.

Compliance Milestone Table

Step              | Output
------------------|-------------------------------------
Asset inventory   | Registered assets, critical gaps
Owner assignment  | Live matrix with reviews scheduled
Exception mapping | SoA/risk linkage to each exception
Evidence tracking | Review logs, audit-ready exports
Closure progress  | Status + dates, signed by management

ISMS.online makes each step trackable, paperless, and ready for board or audit review; no more missed exceptions in the noise.


How do ISO 27001:2022 and NIS 2 turn exception management into an actionable, audit-ready process?

Both ISO 27001:2022 and NIS 2 require traceability, role-based accountability, and evidence for every tech gap and exception. Start by mapping live exceptions and asset records to their Annex A and NIS 2 control points, assign owners, set automated review cycles, and tie each action to sign-off/export logs. The goal is to create a chain of evidence that can move instantly from asset to exception to closure date, ready for documentary scrutiny at any audit, board, or insurer meeting (ISO/IEC 27001:2022).

Your next step: deploy (or update) an exception register mapped to all relevant controls, integrate it with evidence workflows and board review schedules, and automate reminders so that exception status can never grow stale. ISMS.online provides out-of-the-box tools to connect every gap, sign-off, and action to a single, board-visible trail.

Every closed exception turns legacy risk into compliance leadership; each action is a proof-point.

Bring your exception process into the open, tie it to board schedules, and demonstrate continuous closure-driven progress. That’s the new currency for audits and insurer confidence under NIS 2 and ISO 27001:2022.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice: tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content, helping organisations understand and prove security, privacy and AI governance with confidence.
