The NIS2 directive significantly expands the scope of organisations subject to cybersecurity requirements across Europe. For SMEs and mid-sized companies that haven’t yet structured their approach, the question is no longer “should we act?” but “where do we start without wasting 6 months in scoping meetings?”
Here is the roadmap I use to manage a NIS2 project end to end — pragmatic, sequenced, and adapted to the realities of organisations without a dedicated security team.
Before you start: clarify your scope
NIS2 doesn’t apply to all organisations in the same way. The distinction between essential entity and important entity determines obligations, incident notification timelines, and potential sanctions. This point must be established before anything else — it sets the ambition and pace of the entire project.
Covered sectors are broad: energy, transport, healthcare, water, digital infrastructure, managed IT services, public administrations, and many more. If you’re unsure whether you fall within scope, that’s the first thing to resolve.
The 4 project phases
Phase 1 · Weeks 1–2: Scoping and gap analysis
Objective: know exactly where you stand before deciding what to do.
We start by confirming the regulatory scope, then conduct a gap analysis against the technical and organisational measures required by NIS2. I work with a control framework aligned to the directive’s 10 domains: governance, risk management, supply chain security, incident management, business continuity, network security, cryptography, access control, incident response, and HR security policies.
Deliverable: gap analysis report with domain-level scoring and regulatory risk mapping.
Phase 2 · Weeks 3–4: Risk treatment plan
Objective: turn the diagnosis into a realistic action plan.
Based on the gap analysis, we prioritise actions along two dimensions: regulatory risk level (what could trigger a sanction) and internal feasibility (what the existing teams can absorb). We separate quick wins — measures deployable within 30 days using current resources — from medium-term workstreams that require budget or external support.
Deliverable: prioritised remediation plan with owners, deadlines, and tracking indicators.
Phase 3 · Months 2–4: Implementing priority measures
Objective: concretely reduce regulatory exposure.
This is the execution phase. Priority goes to governance measures (designating a NIS2 owner, formalising the security policy, setting up an incident notification procedure) and high-impact technical measures (access management, MFA, tested backup and recovery, monitoring of critical systems). I lead or co-lead implementation depending on available internal resources.
Deliverable: documentation of implemented measures, compliance tracking dashboard.
Phase 4 · Month 4+: Embedding and continuous improvement
Objective: protect the gains and keep improving.
NIS2 compliance is not a fixed-date project — it’s an ongoing process. This phase focuses on integrating practices into day-to-day operations: periodic reviews, business continuity tests, documentation updates, and monitoring of regulatory developments. We also plan the next internal audit cycles.
Deliverable: NIS2 internal audit programme, maturity indicators, review calendar.
Mistakes to avoid
After several NIS2 engagements, here are the most common pitfalls I see:
- Treating NIS2 as an IT project only — it’s a governance issue. Senior leadership must be involved from day one.
- Starting with documentation before assessing actual risks. You end up producing policies that don’t reflect operational reality.
- Overlooking the supply chain — NIS2 explicitly requires you to demonstrate control over risks coming from your vendors.
- Never testing the incident notification procedure — in the event of a real incident, timelines are extremely tight (24 hours for initial notification to the national authority).
Want to launch your NIS2 project without losing time on endless scoping?
I help SMEs and mid-sized companies structure and drive their NIS2 compliance in a practical, operational way. Get in touch for a 30-minute call on your situation — no commitment.