Field Notes · Practice writing
From the practice
Practical notes on operational resilience, supplier risk, NIS2, and business continuity. Written from direct experience of SME reviews.
The supplier dependency map most SMEs don't have
Most organisations can name their top suppliers. Fewer can answer: what happens if that supplier fails on a Tuesday afternoon, and your IT lead is on leave? The dependency map is the document that answers that question.
What NIS2 actually requires of your suppliers
NIS2 is not just a regulation for large enterprises. If you supply to an entity in scope, you are likely in scope too. Here is what that means in practice — and what your enterprise clients are starting to ask for.
Why tabletop exercises fail (and how to run one that doesn't)
Most SMEs treat tabletop exercises as IT drills. That is why they fail. A useful exercise tests the business decisions your leadership team must make under pressure — not just the technical responses your IT team already knows.
Board liability under NIS2: ignorance is no longer a defence
Under Article 20 of NIS2, executives can be held personally liable for cybersecurity failures. Ignorance is not a defence. Here is what board members must do to demonstrate governance — and protect themselves.
The Supplier Squeeze: Why your largest customer is about to audit your resilience
NIS2 does not only affect the large enterprises it names directly. If you supply services to an entity in scope, their compliance obligations flow downstream — arriving on your desk as a supplier-readiness audit. Here is what the Article 21 cascade means in practice, and three concrete steps to take tonight.
Further reading
Primary sources and reference documents referenced across our Field Notes.