Summary:
If you’re a Security Officer or Compliance Lead and don’t know where to start with NIS2, begin with three things: determine whether your company is an Essential or Important entity, perform a NIS2 gap assessment, and establish a clear compliance roadmap for your management team. This guide walks you through the exact steps you should take in the first 60–90 days to build confidence and momentum toward NIS2 readiness.
Introduction
NIS2 isn’t just another technical regulation, it’s a full organizational shift in how companies must handle cybersecurity, governance, and incident response.
As a Security Officer, you’re expected to lead the charge.
But with dozens of requirements, overlapping frameworks, and expanding responsibilities, it’s completely normal to feel overwhelmed and ask:
“Where do I even start with NIS2?”
This guide breaks the process into clear, manageable steps so you can take control and navigate the early stages with confidence.
1. Start with the Basics: Does NIS2 Even Apply to You?
Your very first task is determining your entity classification, because all NIS2 obligations flow from this.
Essential Entities (EE)
- Larger organizations in critical sectors (energy, healthcare, transport, finance, digital infrastructure, etc.)
- Higher fines, stricter oversight, and more intense reporting obligations
Important Entities (IE)
- Mid-sized organizations in key sectors
- Still obligated, but with lighter supervisory mechanisms
Why this matters
Your classification determines:
- the level of scrutiny you’ll face
- reporting deadlines
- audit intensity
- internal resource requirements
Tip: Create a one-page summary for management showing which classification applies and why.
2. Conduct a NIS2 Gap Assessment (Your Most Important First Step)
A NIS2 gap assessment tells you where you stand today versus where you need to be.
This is the foundation of your compliance journey.
Your gap assessment should cover:
- Governance & management accountability
- Risk management and policies
- Incident detection and reporting
- Access control and identity management
- Business continuity and disaster recovery
- Supply chain security
- Training and awareness
- Technical measures (patching, monitoring, encryption, etc.)
Outcome you want:
A document that clearly shows:
- what you already comply with
- what must be improved
- what is missing
- priority levels
- estimated time and cost
This becomes your main tool for securing internal buy-in.
3. Map What You Already Have (ISO 27001, SOC 2, GDPR, CIS Controls)
Most organizations are not starting from zero.
Show your management that NIS2 is not “additional work” — it’s an extension of existing practices.
If you already have:
- ISO 27001 → you’re already covering large parts of the NIS2 risk and controls requirements
- GDPR → you have established data protection principles relevant to NIS2 governance
- SOC 2 → you have documentation, monitoring, and internal controls
- CIS Controls → you have technical security measures aligned with NIS2 expectations
This reframing helps reduce resistance and makes the journey feel manageable.
4. Build Your Internal NIS2 Roadmap
Now that you know your gaps, you need to turn them into a structured plan.
Your roadmap should include:
- Short-term actions (0–3 months)
- Confirm entity type
- Gap assessment
- Critical governance updates
- Establish incident reporting workflow
- Begin staff awareness program
- Mid-term actions (3–6 months)
- Update cybersecurity policies
- Strengthen monitoring and detection
- Improve access control, MFA, and identity governance
- Evaluate supply chain security
- Long-term actions (6–12 months)
- Finalize documentation
- Internal audits and tabletop exercises
- Board-level reporting routines
- Prepare for supervisory authority requests
Present this as a simple, visual plan. Executives love clarity.
5. Prioritize Governance and Management Accountability
One of the biggest changes with NIS2 is that management can be held responsible for poor cybersecurity decisions.
You need to communicate this early.
Actions to take:
- Educate the board about their obligations
- Establish documented oversight processes
- Ensure cybersecurity is regularly discussed in management meetings
- Assign clear roles and responsibilities
This turns NIS2 from an “IT problem” into a leadership priority.
6. Develop Your Incident Reporting Framework
NIS2 introduces strict reporting timelines.
You must be able to:
- detect incidents early
- classify their severity
- report within 24 hours (early warning)
- follow up within 72 hours (update report)
- provide a final report within one month
Prepare templates, workflows, and an internal communication protocol.
7. Address Supply Chain Security Early
Even if your organization is secure, you’re still exposed through vendors.
Start by:
- identifying critical suppliers
- requesting security declarations
- reviewing their incident response capabilities
- including NIS2 clauses in contracts
This step significantly reduces hidden risk.
8. Train Your Teams and Raise Awareness
Even the best technical controls fail without trained people.
Develop a program that includes:
- general cybersecurity awareness
- NIS2-specific training for key staff
- incident response basics
- phishing simulations
- third-party risk management guidance
Training is one of the fastest wins you can implement early.
9. Document Everything
Documentation is your shield during audits.
Focus on:
- policies
- procedures
- risk assessments
- evidence of controls
- decision logs
- incident records
Good documentation = smooth audits + protected management.
Conclusion
Starting your NIS2 journey can feel overwhelming, but the key is to approach it in structured, manageable steps:
- understand if the directive applies
- assess where you stand
- build a roadmap
- secure management support
- implement improvements over time
NIS2 is not solved in a single project — it’s a continuous improvement cycle.
But the earlier you start, the easier the journey becomes.
