Beyond NIS2 Compliance

Published 3 months, 1 week ago
Description

Most organizations ask one question:
“Are we compliant?”

The question that actually matters is:
“Will we still be operating when things go wrong?”

In this Threat Talks episode, Lieuwe Jan Koning speaks with Jasper Nagtegaal about what NIS2 is really trying to change - and why cyber resilience fails when organizations treat it as a policy exercise instead of a business risk.


This isn’t about regulators.
It’s about how digital risk is explained, understood, and acted on - from technical teams to the boardroom - and why organizations that meet NIS2 in practice think very differently from those that end up explaining them.


  • (00:15) - Fine or resilience: the question that changes everything
  • (02:20:26) - Why cyber incidents are business failures, not IT failures
  • (05:30:35) - NIS2 in plain terms: resilience over compliance
  • (06:35:31) - Building resilience before incidents — not after fines
  • (13:31:12) - Risk-based focus: you can’t protect everything
  • (16:12:37) - Why consequences still matter - and when they appear
  • (18:37:18) - What cybersecurity can learn from aviation, energy & healthcare
  • (18:18) - Why digital risk is still treated as a compliance burden
  • (05:18:14) - Why cyber regulation works differently across countries
  • (09:14:13) - What to do tomorrow: risk, boards, and real accountability
  • (21:13:28) - Wrap: resilience first, compliance follows

Speakers
Lieuwe Jan Koning - Security Operations Center, ON2IT
Jasper Nagtegaal - Director of Digital Resilience, Dutch Authority for Digital Infrastructure (RDI)
