For many organisations preparing for NIS2, the instinctive response is to focus on policies: risk registers, governance structures, incident procedures, and security guidelines. While these are important, they represent only half of the NIS2 picture. The deeper challenge is something far more operational — and far more difficult to fake.