Strategy on paper — but does it actually work in practice?

In February 2026, Dutch telecom provider Odido fell victim to a cyberattack by a hacker group. Through social engineering, customer service employees were deceived, after which the attackers had undetected access to the Salesforce database for 48 hours. The result: personal data of 6.2 million customers exposed — names, addresses, bank details, passport numbers and driving licences. Odido refused to pay the one-million-euro ransom, after which the complete dataset was published on the dark web.

Odido undoubtedly had security policies, incident response procedures and a crisis plan. But were employees sufficiently trained and practised to recognise a social engineering attack? The plan existed — the question is whether the organisation was actually prepared.

This pattern is all too familiar. From data breaches at telecom providers to ransomware attacks on Dutch municipalities and healthcare institutions — time and again the same thing becomes clear: the plan existed, but things still went wrong.

The persistent misconception

Many organisations invest time, money, and energy in creating plans. Business Impact Analyses, crisis plans, continuity plans, and communication plans are neatly stored in SharePoint or filed away on a shelf.

And yet things go wrong when it matters most. Not because the plan is bad, but because of a persistent misconception:

Having a plan is not the same as being prepared.

A plan is a document. Being prepared is a skill. It is not about the plan itself, but about the process:

Thinking together about what could go wrong

Clarifying who takes which role

Agreeing on how to communicate when things get tense

Practising, experiencing friction, and making mistakes in a safe environment

A plan that has never been exercised is almost never effective in a crisis.

NIS2 forces organisations to look beyond the document

The NIS2 Directive, which has been in effect across the EU since October 2024 and is being transposed in the Netherlands through the Cybersecurity Act, explicitly sets requirements for business continuity and crisis management. Article 21 obliges organisations not only to have plans, but also to test and evaluate them.

This means that "the plan is on the shelf" is no longer sufficient. Regulators expect organisations to demonstrate that:

Continuity plans are regularly exercised

Incident response procedures have been tested

Employees are trained in their crisis roles

Lessons from exercises are demonstrably incorporated

For many organisations, this represents a fundamental shift: from compliance on paper to compliance in practice.

Real preparation happens before the crisis

Organisations that demonstrably navigate crises with resilience have embedded several key elements:

Team dynamics

Knowing how you respond together under pressure. Who takes the lead? Who escalates? Who communicates externally? You don't discover this during a crisis — you learn it by practising beforehand.

Decisiveness

Daring to act with 60% of the information. In a crisis, you rarely have the complete picture. Organisations that wait for full certainty lose precious time.

Communication strength

Maintaining clear communication as noise increases. Internal panic directly translates into external chaos when communication lines are unclear.

Adaptive capacity

Being able to adjust course without panic. No crisis follows the script. The question is not whether you will need to deviate from the plan, but how quickly you can.

From document to lived practice

Moving from a plan on paper to an organisation that is truly prepared requires a structural approach:

1.Map your current situation — What plans exist? When were they last tested? Who knows the contents?

2.Schedule periodic exercises — Don't just tick off an annual tabletop exercise; regularly run scenarios with rotating teams.

3.Document and improve — Record findings, formulate improvement actions, and follow through. Make it an ongoing process.

4.Link to your management system — Ensure BCM measures are not isolated from your ISMS or compliance framework but are an integral part.

How uComply helps

With uComply, you work proactively on compliance and crisis preparedness. The platform helps you to:

Link measures to standard requirements — See directly which BCM requirements stem from NIS2, ISO 27001, or other frameworks and which measures you have implemented.

Monitor the status of your measures — No more plans that silently become outdated. uComply alerts you when reviews, exercises, or updates are needed.

Collect evidence — Record exercise results, evaluations, and improvement actions as demonstrable evidence for audits and regulators.

Manage multiple standards simultaneously — Working with both ISO 27001 and NIS2? uComply shows where standards overlap, so your BCM efforts deliver double value.

This shifts compliance from an annual paper exercise to an ongoing, living process.

Conclusion

Certainty does not come from a document. Certainty comes from people who know what to do, who trust each other, and who have practised in the unknown. The question is not whether your organisation has a plan, but whether that plan works when it truly matters.

NIS2 and recent incidents make one thing clear: the era of paper compliance is over. Organisations that invest now in truly living their plans will stand stronger — not only before regulators, but especially when facing the next crisis.

Curious about where your organisation stands? Book a demo and discover how uComply helps you move from plan to practice.

Strategy on paper — but does it actually work in practice?