NIS2 Compliance and the DVMS Institute NIST Cybersecurity Framework Digital Value Management System®


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The Digital Value Management System™ (DVMS) offers a pragmatic and comprehensive model that can help European companies operationalize the capabilities mandated by the NIS2 Directive. As NIS2 raises the bar for cybersecurity governance, risk management, and resilience across essential entities, organizations must go beyond basic compliance and adopt a systems-based, capability-driven approach to meet these requirements sustainably and adaptively. The DVMS aligns naturally with the NIS2 framework by embedding cybersecurity into the core of digital business operations, treating it as a strategic imperative rather than an isolated technical concern. It enables organizations of any size or sector to create, protect, and deliver digital business value in a way that is fully consistent with the intent and obligations of NIS2.

At the heart of NIS2 is a shift in regulatory focus—from a checklist of technical controls toward a holistic governance and risk management model that demands demonstrable cybersecurity capability at both the strategic and operational levels. NIS2 emphasizes leadership accountability, supply chain risk management, incident response preparedness, and ongoing cyber hygiene. These expectations mirror the DVMS model, particularly its foundational concept of “strategy-risk,” which unifies organizational strategy and cybersecurity risk into a single operational entity. This concept is essential for NIS2 compliance, which requires that cybersecurity risks are managed as part of the broader governance and decision-making framework, not as a downstream or isolated function.

The DVMS overlay system supports this governance model through its structured, layered design. The top layer of the DVMS overlay integrates with what organizations already do—existing frameworks, practices, and tools—minimizing disruption while improving coherence and alignment. The middle layer, represented by the Z-X Model, defines seven minimal viable capabilities that every organization must possess: govern, assure, plan, design, change, execute, and innovate. These capabilities provide the foundational elements for building the competence, consistency, and adaptability required by NIS2. For example, the “govern” capability aligns directly with NIS2 requirements around executive-level oversight and governance structures for cybersecurity. It ensures that accountability for cybersecurity is embedded in board-level decision-making, a core pillar of the directive.

The “assure” and “plan” capabilities address another key theme of NIS2: the need for evidence-based risk management and preparedness planning. NIS2 mandates that organizations conduct risk analyses, implement appropriate technical and organizational controls, and maintain incident response capabilities. The DVMS equips organizations to meet these demands by fostering a culture of inquiry, continuous learning, and proactive system review. Through mechanisms like the Goal-Question-Metric (GQM) and the adapted QO-QM (Question Outcome–Question Metric) overlay system, organizations are guided to ask better questions, define measurable outcomes, and align operations with strategic cybersecurity objectives. These tools help operationalize the NIS2 focus on performance-based assurance, enabling organizations to demonstrate not only that controls are in place, but that they are effective, continuously evaluated, and adapted to changing threats and requirements.

Incident detection, response, and recovery are also key areas of focus in NIS2, particularly the directive’s strict reporting obligations and expectations for business continuity. The DVMS addresses these through its CPD Model (Create, Protect, Deliver), which treats cyber resilience as an emergent property of effective digital value management. This model emphasizes the integration of protection and delivery functions, ensuring that resilience is designed into the fabric of operations. For example, rather than maintaining separate incident response plans, the DVMS advocates for embedding response and recovery into business-as-usual processes. This helps ensure organizations can detect and respond to incidents in ways that are swift, coherent, and aligned with both regulatory expectations and business needs.

Supply chain risk management—another core requirement of NIS2—is also inherently supported by the DVMS approach. The directive calls for organizations to manage risks associated with third-party providers, especially those that are critical to digital service delivery. DVMS addresses this by promoting systems thinking and interdependence awareness, particularly through its 3D Knowledge Model, which frames organizational behavior across three dimensions: team knowledge (x-axis), collaboration (y-axis), and strategic alignment (z-axis). These axes help organizations map the dependencies and dynamics of internal and external relationships, providing a practical lens for assessing third-party risks, ensuring alignment with contractual obligations, and supporting transparency across the supply chain ecosystem.

A compelling aspect of the DVMS in the European context is its alignment with cultural and structural diversity across member states. NIS2 applies a harmonized set of obligations, but its implementation varies across jurisdictions, and organizations must adapt their cybersecurity posture accordingly. The DVMS is designed to be context-aware and adaptable, making it an ideal tool for organizations that operate in multiple countries or must conform to sector-specific regulatory interpretations. It uses overlays to accommodate existing frameworks like ISO/IEC 27001, ITIL, COBIT, or sector-specific schemes without forcing a rip-and-replace approach. This flexibility ensures organizations can achieve NIS2 objectives while respecting local requirements and legacy investments.

Furthermore, the DVMS promotes a questioning culture vital for compliance with NIS2’s emphasis on continuous improvement. The directive is not static—it anticipates that organizations will evolve their capabilities in response to new threats, technological changes, and lessons learned from incidents. The DVMS encourages this evolution through its FastTrack model, which guides organizations through progressive phases of capability development: Initiate, Stabilize, Expand, and Innovate. This model ensures that organizations do not stall at initial compliance but instead build a resilient posture that grows stronger and more responsive over time. The Innovate phase addresses NIS2’s expectation for adaptive cybersecurity practices by embedding innovation and agility into the core of digital operations.

The DVMS also makes a significant contribution in supporting NIS2’s focus on leadership accountability and organizational culture. One of the most profound shifts in the directive is the requirement that senior management be held responsible for cybersecurity outcomes. DVMS responds to this through its strategic governance structures and its insistence that cybersecurity be viewed not just as a technical or operational matter but as a boardroom concern. The Z-X capability of “govern” integrates with top-level decision-making, while “assure” ensures that governance is backed by evidence and continuous validation. Meanwhile, “innovate” encourages the forward-looking, resilient thinking that leaders need to embed throughout the organization. Leadership engagement is further enhanced through tools like QO-QM, which help senior stakeholders tie business objectives to risk-informed outcomes and performance metrics.

Finally, the DVMS reinforces the values of stakeholder trust, transparency, and performance assurance that are implicit throughout the NIS2 Directive. In a regulatory environment where non-compliance can result in significant penalties, reputational harm, and stakeholder distrust, DVMS offers a pathway to meet regulatory obligations and go beyond them. It helps organizations create a culture where cybersecurity is embedded in every function, aligned with every objective, and understood as a shared responsibility. By adopting the DVMS, European companies can move from reactive compliance toward a proactive, resilient, and strategic approach to cybersecurity—one that fully operationalizes the spirit and letter of NIS2.

The Digital Value Management System provides a highly effective, adaptable, and scalable solution for European organizations working to meet the demands of the NIS2 Directive. Through its emphasis on capabilities over compliance, its integration with existing practices, and its deep alignment with strategic governance, cultural transformation, and continuous improvement, the DVMS equips organizations to build true cyber resilience. It ensures regulatory alignment and empowers companies to deliver secure, sustainable digital value in an increasingly complex and regulated digital world.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

DVMS Institute is a renowned provider of accredited (APMG International), assured (NCSC-GCHQ-UK), and recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms, and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK DORA, NIS2, SAMA, SOC II, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

® DVMS Institute 2024 All Rights Reserved
