How organizations actually ship NIS2
Three phases. Six months for the first usable version. Every organization we work with ends up with a real security function, not a stack of paper.
Here is the approach. It is boring and it works.
Phase 1. Scope and gap analysis
Figure out what you are on the hook for and where the gaps are.
- Scope: Confirm which entities are in scope and under which annex
- Gap assessment: Map current controls against Article 21 and list what is missing
- Impact mapping: Identify the systems and suppliers whose disruption would trigger reporting
- Budget and timeline: A realistic plan with checkpoints, not a wishlist
Phase 2. Build and deploy
Stand up the policies, controls, incident response, and training. Make the evidence audit-ready.
- ISMS foundation: Policies, risk register, asset and access management tied to Article 21
- Incident response: Playbooks aligned to the Article 23 reporting timelines (24-hour early warning, 72-hour incident notification, one-month final report)
- Board training: Article 20 training for directors, documented and signed off
- Supply chain: Vendor due diligence, contract clauses, and ongoing review per Article 21(2)(d)
Phase 3. Run and improve
Keep the program healthy. Handle incidents. Pass audits without a scramble.
- Monitoring: Continuous visibility into controls, gaps, and open risks
- Quarterly reviews: Risk reassessment, control effectiveness, and evidence refresh
- Regulatory updates: Track delegated acts and national transposition changes that affect you
- Commercial use: Hand your procurement, sales, and due diligence teams the evidence they need
The key insight
Organizations that treat NIS2 as a program come out with a real security function. Organizations that treat it as a checklist end up redoing the work when the regulator asks for evidence.
Two ways to approach NIS2
Wait and scramble
- Wait for the national regulator to start enforcing
- Aim for the minimum to check the box
- Book it as a regulatory burden
- Implement under pressure, with rushed vendors
- Budget as pure cost, get pure cost
Start early
- Start before the regulator makes you
- Integrate with the existing security and risk program
- Use the evidence pack in sales and procurement
- Work the plan with time to fix what breaks
- Budget as investment, get real capability
Both paths get you compliant on paper.
Only one of them leaves you with a security function that keeps working after the audit is done.
What the 3 phases produce, and when
A realistic view of deliverables and durations. Exact timing depends on your starting maturity, but these are the checkpoints to expect.
| Phase | Duration | Key deliverable |
|---|---|---|
| 1. Strategic Assessment | Weeks 1–4 | Scope memo, entity classification, Article 21 gap report, prioritized action list |
| 2. Systematic Implementation | Weeks 5–20 | ISMS foundation, Article 21 policies, Article 23 incident reporting playbook, board training, supply chain due diligence process |
| 3. Operational Excellence | Ongoing | Quarterly risk reviews, regulator-ready evidence pack, monthly health check, incident response on call |
Already ISO 27001 certified? The assessment phase typically compresses to 1–2 weeks and full compliance lands in 60–90 days. See the ISO 27001 comparison.
Ready to implement NIS2 strategically?
Start with the scope check to confirm you are in scope, or book a call to talk through your situation.
Or grab the free checklist to do your own first pass.