NIS2 requires enterprises to implement structured cybersecurity risk management and governance; identifying the scope of application is the first step.