De Watergroep’s main public service, drinking water, adheres to the highest cybersecurity possible, reflected also the inclusion of De Watergroup both in the scope of NIS1 and NIS2. This talk explains the strategies and tactics involved to get a scope with its relevant risk assessment, prioritization, risk response and implementation with a focus on access management. The reasons, drivers and decisions and insights gained during the elaboration and implementation will be addressed and can serve as clues and discussion starters for other industrial players. The end goal of the security program is to have a well-designed and functioning management system, implying bolstered preventive and responsive operational capabilities as well as proven compliance.