The NIS2 “Panic” – Breathe, Structure, Relax

I’m not gonna lie, I was scared when I first started to read the ENISA guidelines and tips to meet the NIS 2 Directive requirements. The flood of webinars, consultants, and alarming headlines didn’t help. Neither did the complexity of the directive, nor the feeling that “everyone else has it figured out” (they don’t). Nevertheless, panic is counterproductive: it leads to rushed decisions, wasted budgets, and overlooking what actually matters.

Start here – Part 1: Let’s BREATHE – Reality Check

The first thing to do, obviously, is to determine whether you’re actually in scope:

  • Essential vs. important entities
  • Sector classification (don’t self-inflict compliance)
  • Size thresholds and exemptions

Ok, you just found out you are in scope. Read further:

You Probably Have More Time Than You Think

  • Clarify actual deadlines vs. perceived urgency
  • Most organizations aren’t starting from zero – you likely have foundational security measures already

It’s Not As Mysterious As It Seems

  • NIS2 is fundamentally about good cybersecurity hygiene, something that you probably know about (I hope).
  • Strip away the basic jargon: risk management, incident response, supply chain awareness, basic security measures
  • Many requirements overlap with what responsible businesses should already be doing

Part 2: STRUCTURE

Step 1: Assess Where You Stand Today

  • Gap analysis against the 10 minimum security measures
  • What do you already have in place?
  • Honest inventory of current practices (no judgment, just facts)

Step 2: Prioritize Based on Risk, Not Fear

  • Not everything needs to be done at once
  • Focus on high-impact, high-risk areas first
  • Quick wins vs. long-term projects

Step 3: Build Your Roadmap

  • Quarterly milestones, not a giant launch date
  • Assign clear ownership (governance matters)
  • Budget realistically – avoid panic-buying expensive solutions

Step 4: Document and Communicate

  • Governance is half the battle
  • Board-level awareness and responsibility
  • Incident reporting procedures
  • Document everything

FOCUS: What is a Gap Analysis and why it’s important

A NIS2 gap analysis is a health check for your organization’s cybersecurity measures. It helps you identify the differences between what you’re currently doing and what the NIS2 Directive requires.

The Core of NIS2 Gap Analysis:

  • Mapping Current Security Controls Against NIS2 Requirements

Time to roll up your sleeves and take stock of your current security measures:

  1. Start by documenting what you already have in place and create a complete inventory of all network and information systems within scope. Be structured.
  2. Go through all your existing documentation – security policies, incident response plans, risk assessments, the works. Look at certifications you already have, like ISO 27001, as they might already satisfy some NIS2 requirements, saving you time and effort.
  3. Don’t overlook previous security assessments and audit findings either. There’s often valuable information buried in those reports that can inform your current analysis.

  • Evaluating Management Body Responsibilities

NIS2 puts specific responsibilities on the shoulders of management. First, have your executives formally approve your cybersecurity risk management measures, as required by Article 20. Ask yourself: do we have mechanisms in place for management to oversee implementation? Check whether your management team has received cybersecurity training. NIS2 requires this, along with similar training for employees.

In addition, do you have documentation showing management’s involvement in cybersecurity decisions and governance? Are there regular reporting processes keeping them informed?

Make sure your leadership team understands they could be personally liable for compliance failures. The auditor will.

  • Assessing Risk Management Frameworks

Risk management is central to any management system, and NIS2 is no exception. Take a critical look at your risk analysis policies and procedures. Do they match what NIS2 requires?

Areas specifically addressed by NIS2:

  • Information system security policies should be comprehensive and actually working in practice, not just existing on paper.
  • Effectiveness of your cybersecurity measures: is there a formal process for assessing it, or is it more ad hoc?
  • Basic cyber hygiene practices are consistently applied throughout your organization – these fundamentals are often the backbone of good security. Refer to ENISA and local authorities’ guides for basic cyber hygiene practices.
  • Multi-factor authentication or continuous authentication solutions are used where appropriate.
  • Access control policies are reviewed.
  • Security in HR processes.
  • Asset management practices.

  • Reviewing Incident Response Capabilities

When it comes to incident response, NIS2 has clear expectations. Evaluate your incident handling procedures against these requirements:

  • Do you have a clearly documented process for responding to and reporting cybersecurity incidents?
  • Check your notification procedures for alerting Computer Security Incident Response Teams (CSIRTs) or authorities when something goes wrong.
  • Do you have a process for notifying service recipients if an incident might affect them?
  • Look at your documentation for early warnings, incident notifications, status updates, and final reports.
  • NIS2 requires final incident reports within one month – does your timeline align with this?
  • Don’t forget to assess your emergency communication systems. If an incident occurs, can people within your organization communicate securely?

  • Analyzing Supply Chain Security Measures

Supply chain vulnerabilities have become a major attack vector, and NIS2 recognizes this reality:

  • How do you manage security in your relationships with suppliers and service providers? Do you assess their cybersecurity practices before signing contracts?
  • Look at your security measures for acquiring, developing, and maintaining systems. 
  • Do you consider each supplier’s specific vulnerabilities? 
  • Review how you evaluate their secure development procedures and overall cybersecurity practices.
  • Check whether your contracts include security requirements and how you monitor suppliers’ compliance with these requirements. 

A chain is only as strong as its weakest link, and in cybersecurity, that weak link is often in the supply chain.

Part 3: RELAX – This Is Manageable

You’re Not Alone

  • Entire industries are figuring this out together
  • Frameworks and guidance are there

Focus on Resilience, Not Just Compliance

  • The real goal: being able to prevent, detect, and respond to incidents
  • Compliance follows naturally from good security
  • This makes your business stronger, not just compliant

Avoid Common Traps

  • Don’t start by throwing money at expensive tools and fancy dashboards with traffic lights without a strategy
  • Don’t copy-paste someone else’s compliance program
  • Don’t neglect the human element (training, culture)

Closing: The Path Forward

Let’s end on an empowering note:

  • NIS2 is an opportunity to mature your security posture
  • Start small, build momentum
  • The organizations that approach this calmly and systematically will emerge stronger
  • One step at a time beats paralysis