## In This Guide
- A NIS2 readiness assessment follows a structured path: applicability check, scoping, gap analysis, risk-ranked remediation, implementation, and evidence compilation.
- The gap analysis must cover all 10 Article 21 cybersecurity risk management measures, incident reporting under Article 23, supply chain obligations, and management accountability.
- Organisations with ISO 27001 certification can map existing ISMS controls to NIS2, covering an estimated 70-80% of requirements and accelerating readiness.
- Evidence must be demonstrably implemented—not merely documented. Regulators and auditors expect current, version-controlled artefacts with implementation proof.
- An independent third-party assessment provides a credible validation of readiness before regulatory inspection.
## What is a NIS2 Readiness Assessment?
A NIS2 readiness assessment is a systematic evaluation of your organisation's cybersecurity posture against the requirements of the EU NIS2 Directive (Directive 2022/2555). It identifies where your current controls meet, partially meet, or fall short of NIS2 obligations—and produces an actionable remediation plan to close those gaps.
The assessment typically covers three pillars:
- Gap analysis: Mapping current controls against every NIS2 requirement to identify compliance gaps
- Remediation planning: Prioritising gaps by risk and building a time-bound implementation plan
- Evidence preparation: Compiling the documentation and artefacts needed to demonstrate compliance to regulators
## Why a Structured Readiness Assessment Matters
NIS2 is not a self-certification regime. National competent authorities have the power to conduct inspections, demand evidence, and impose significant penalties. For Essential entities, this means proactive supervision—authorities do not need to wait for an incident to audit you.
Essential entities face proactive, ex-ante supervision: on-site inspections, security audits, and evidence requests at any time. Important entities face reactive, ex-post supervision triggered by incidents or complaints. Maximum fines are EUR 10 million or 2% of global turnover for Essential entities and EUR 7 million or 1.4% of global turnover for Important entities.
## Phase 1: Applicability and Scoping
### Step 1 — Confirm You Are In Scope
Before investing in a full gap analysis, confirm your organisation falls within NIS2 scope. The Directive applies to organisations that:
- Operate in one of the 18 sectors listed in Annexes I (Essential) and II (Important)
- Meet the size thresholds: generally medium-sized (50+ employees or EUR 10M+ turnover) and above
- Are specifically designated by a Member State regardless of size
For a detailed applicability walkthrough, see our NIS2 Applicability and Entity Classification Guide.
### Step 2 — Define the Assessment Scope
Once applicability is confirmed, scope the assessment to include:
- Network and information systems used to deliver services in the NIS2-covered sector
- Supply chain dependencies critical to the delivery of those services
- Physical and logical boundaries of the environment
- Organisational units responsible for cybersecurity governance and operations
## Phase 2: Gap Analysis
The gap analysis is the core of the readiness assessment. It evaluates your current controls against each NIS2 obligation and assigns a maturity rating.
### What to Assess
| NIS2 Requirement Area | Key Questions |
|---|---|
| Article 21(2)(a) — Risk analysis and information system security policies | Do you have a formal cybersecurity risk assessment process? Are policies documented, approved, and reviewed? |
| Article 21(2)(b) — Incident handling | Is there a documented incident response plan? Are roles defined? Has it been tested? |
| Article 21(2)(c) — Business continuity and crisis management | Do you have BCPs covering cyber scenarios? Are backup and recovery procedures tested? |
| Article 21(2)(d) — Supply chain security | Are suppliers assessed for cybersecurity risk? Are contractual requirements in place? |
| Article 21(2)(e) — Security in network and information system acquisition, development, and maintenance | Is security integrated into the SDLC? Are vulnerability management processes active? |
| Article 21(2)(f) — Policies and procedures for assessing the effectiveness of cybersecurity risk management measures | Are controls tested? Is there a regular audit or assessment programme? |
| Article 21(2)(g) — Basic cyber hygiene practices and cybersecurity training | Are employees trained? Is there a security awareness programme? Are fundamentals (patching, passwords) covered? |
| Article 21(2)(h) — Policies on the use of cryptography and encryption | Are encryption policies defined? Is data at rest and in transit encrypted where appropriate? |
| Article 21(2)(i) — Human resources security, access control, and asset management | Are background checks performed? Is access role-based? Is an asset inventory maintained? |
| Article 21(2)(j) — Multi-factor authentication or continuous authentication solutions | Is MFA enforced for critical systems? Are secure communication channels in place? |
| Article 23 — Incident reporting | Can you detect, classify, and report incidents within the 24h/72h/1-month timeline? |
| Article 20 — Governance | Has the management body approved cybersecurity measures? Have they received training? |
### Maturity Rating Scale
For each requirement, assign a maturity level:
| Rating | Definition |
|---|---|
| Compliant | Requirement fully met with documented evidence |
| Partially Compliant | Controls exist but are incomplete, untested, or lack documentation |
| Non-Compliant | No control in place or fundamental deficiency |
| Not Applicable | Requirement does not apply to the scoped environment (must be justified) |
## Phase 3: Risk-Ranked Remediation Plan
Not all gaps carry equal risk. Prioritise remediation using a structured approach:
### Prioritisation Framework
| Priority | Criteria | Timeline |
|---|---|---|
| Critical | Non-compliant in areas that could lead to significant incidents or immediate regulatory action (e.g., no incident reporting capability, no risk assessment) | 0-3 months |
| High | Partially compliant in core Article 21 measures (e.g., incident response plan exists but never tested, supply chain security only partially addressed) | 3-6 months |
| Medium | Controls exist but documentation or evidence is insufficient (e.g., training happens but isn't recorded, policies exist but aren't version-controlled) | 6-9 months |
| Low | Minor enhancements to already-compliant areas (e.g., improve encryption key rotation frequency, enhance monitoring coverage) | 9-12 months |
### Remediation Plan Structure
For each gap, document:
- Gap description: What is missing or deficient
- NIS2 reference: Specific Article and sub-paragraph
- Remediation action: What needs to be done
- Owner: Named individual accountable
- Target date: Realistic completion date
- Resources required: Budget, tools, external support
- Evidence expected: What artefact will demonstrate completion
## Phase 4: Implementation
Execute the remediation plan systematically. Key principles for implementation:
- Quick wins first: Policy approvals, training sessions, and registration with competent authorities can often be completed rapidly
- Integrate with existing frameworks: If you have ISO 27001 or similar, extend existing controls rather than creating parallel structures
- Test as you go: Don't wait until the end to test incident response plans or BCPs—test during implementation to surface issues early
- Document continuously: Capture evidence as controls are implemented, not retrospectively
## Phase 5: Evidence Compilation
Attestation-ready evidence must demonstrate that controls are not just documented but actively implemented and operating effectively. For each NIS2 requirement, you need:
- Policy or procedure: The documented rule or process
- Implementation evidence: Proof the policy is being followed (e.g., configuration screenshots, access review records, training completion certificates)
- Effectiveness evidence: Results of testing, audits, or reviews (e.g., penetration test reports, incident response drill results, audit findings and remediation)
### Article 21 Evidence Matrix
| Article 21 Measure | Example Evidence |
|---|---|
| (a) Risk analysis and IS security policies | Risk assessment report, information security policy, risk treatment plan, risk register |
| (b) Incident handling | Incident response plan, IR drill reports, incident log, lessons learned records |
| (c) Business continuity and crisis management | BCP, disaster recovery plan, BIA, backup test records, BC exercise reports |
| (d) Supply chain security | Supplier risk assessments, contractual security clauses, vendor audit reports, SLA reviews |
| (e) Security in acquisition, development, maintenance | Secure SDLC policy, vulnerability scan reports, patch management records, change control logs |
| (f) Effectiveness assessment | Internal audit reports, penetration test reports, security metrics dashboard, management review minutes |
| (g) Cyber hygiene and training | Training records, awareness campaign materials, phishing simulation results, onboarding checklist |
| (h) Cryptography and encryption | Encryption policy, key management procedure, TLS configuration records, encrypted storage evidence |
| (i) HR security, access control, asset management | Background check records, RBAC matrix, access review logs, asset inventory, joiners/movers/leavers process |
| (j) MFA and secure communications | MFA configuration evidence, MFA coverage report, secure communication channel documentation |
## Leveraging ISO 27001 for NIS2 Readiness
Organisations with an existing ISO 27001 Information Security Management System have a significant advantage. An estimated 70-80% of NIS2 Article 21 requirements overlap with ISO 27001:2022 controls. Key areas where additional work is typically needed:
- Incident reporting timelines: ISO 27001 requires incident management but does not prescribe the NIS2 24h/72h/1-month reporting chain
- Supply chain specifics: NIS2 requires deeper supply chain risk assessment than ISO 27001 Annex A 5.19-5.22 typically cover
- Management body accountability: NIS2 places explicit personal liability on management—this goes beyond ISO 27001's leadership commitment requirements
- Regulatory registration: Not an ISO 27001 requirement
For a detailed control mapping, see our ISO 27001 to NIS2 Mapping Guide.
## Common Readiness Pitfalls
| Pitfall | Impact | Prevention |
|---|---|---|
| Paper-only compliance | Policies exist but controls are not implemented; regulators will identify this immediately | Test and evidence every control rather than only documenting it |
| Ignoring supply chain | Third-party incidents are a leading cause of breaches; regulators explicitly check this | Include all critical suppliers in scope from the start |
| No management engagement | NIS2 holds management personally accountable; lack of board involvement is a compliance failure | Brief the board, secure formal approval of cybersecurity measures, and document training |
| Treating NIS2 as "NIS1 update" | NIS2 scope, penalties, and requirements are fundamentally different; legacy programmes will have significant gaps | Conduct a fresh gap analysis against NIS2 specifically |
| National transposition blind spot | Each Member State may add requirements or vary timelines in national law | Monitor the transposition in every Member State where you operate |
Glocert International conducts independent NIS2 readiness assessments that cover the full scope of the Directive—Article 21 controls, incident reporting, supply chain security, and governance. Our assessment produces a detailed gap analysis, risk-ranked remediation plan, and evidence pack review. Learn more about our NIS2 assessment service.
## Frequently Asked Questions
### What does a NIS2 gap analysis cover?
A NIS2 gap analysis evaluates your organisation's current cybersecurity posture against all 10 Article 21 risk management measures, incident reporting obligations under Article 23, supply chain security requirements, governance and accountability expectations, and registration requirements. The analysis maps existing controls to NIS2 requirements and identifies gaps that need remediation.
### How long does NIS2 readiness take?
Typical NIS2 readiness timelines range from 3-12 months depending on organisational maturity. Organisations with an existing ISO 27001-certified ISMS can often achieve readiness in 3-6 months by mapping existing controls to NIS2 requirements and closing gaps. Organisations starting from scratch typically need 6-12 months.
### Is NIS2 compliance the same as ISO 27001 certification?
No. While there is significant overlap, NIS2 includes obligations not covered by ISO 27001 alone, such as specific incident reporting timelines, supply chain security requirements, management body accountability, and registration with national competent authorities. However, ISO 27001 provides an excellent foundation for NIS2 readiness.
### What evidence do NIS2 regulators expect?
Regulators expect documented evidence of cybersecurity risk assessments, implemented Article 21 measures with supporting policies and procedures, incident response plans and testing records, supply chain security assessments, management body training records and approval of cybersecurity measures, and business continuity plans. Evidence must be current and demonstrably implemented.