In Effect Since Oct 18, 2024 - Compliance Required Now

Your 8-Step Path to NIS2 Compliance

Complete implementation roadmap for achieving NIS2 compliance. From sector assessment to incident response, this guide walks you through every requirement with practical timelines and expert guidance.

Start with Gap Analysis Check Your Sector Coverage

NIS2 Implementation Timeline

NIS2 is already in effect, but most organizations need 6-12 months to achieve full compliance. Start with the fundamentals and build systematically.

1-2

Weeks 1-2

Assessment & Scoping

3-8

Weeks 3-8

Governance & Risk Assessment

9-20

Weeks 9-20

Security Implementation

21+

Week 21+

Training & Documentation

Proven Standards Framework for NIS2 Compliance

Choose your compliance path based on your organization's needs. Whether you want formal certification or practical implementation, these established frameworks provide a structured approach to NIS2 compliance.

Formal Certification Path

Best for organizations seeking third-party validation and systematic governance

1

ISO/IEC 27001 - Governance Backbone

Information Security Management System (ISMS) provides the governance foundation and systematic approach to cybersecurity

2

ISO/IEC 22301 - Business Continuity

Business Continuity Management System (BCMS) for resilience obligations and service continuity during incidents

3

ISO/IEC 27035 - Incident Management

Structured incident handling process aligned with NIS2's 24-hour reporting requirements

Best for: Large organizations, critical infrastructure, entities seeking formal validation and systematic governance approach

Practical Implementation Path

Best for technical teams needing actionable guidance and rapid implementation

1

NIST Cybersecurity Framework 2.0

Practical framework with clear functions: Govern, Identify, Protect, Detect, Respond, Recover

2

CIS Controls v8

Prioritized set of 18 security controls that demonstrate "state of the art" security measures

3

Technical Implementation Guides

Step-by-step technical implementation guides for security controls and monitoring

Best for: Technical teams, medium-sized organizations, entities needing rapid deployment of security controls

ENISA Guidance: Your EU Interpretation Layer

Regardless of which framework you choose, always reference ENISA publications for EU-specific interpretation of NIS2 requirements. ENISA guidance will be treated as the authoritative interpretation for compliance audits and enforcement.

Key ENISA Resources:

  • • Supply chain security guidelines
  • • Incident reporting templates
  • • Sector-specific implementation guidance

Recommended Approach:

  • • ISO 27001 for governance + NIST/CIS for implementation
  • • Always cross-reference with ENISA guidance
  • • Maintain documentation showing compliance mapping
Certification?
Choose ISO Path
Practical?
Choose NIST/CIS Path
Both?
ISO + NIST/CIS + ENISA

Complete NIS2 Implementation Roadmap

Follow these 8 proven steps to achieve full NIS2 compliance. Each step builds on the previous one, ensuring you create a comprehensive cybersecurity program that protects your organization and meets regulatory requirements.

Step 1 Beginner

1. Check If NIS2 Applies to You

Determine if your organization qualifies as an essential or important entity under NIS2

Key Actions

  • Check if you're in a covered sector (energy, transport, banking, health, digital, etc.)
  • Count your employees and annual turnover
  • Determine if you're "essential" or "important" entity
  • Identify which member state(s) you operate in

Available Tools

Sector Checker Tool Entity Classification Guide Member State Requirements

Real Examples

Hospital with 300 employees = essential Cloud provider with €15M revenue = important Small local utility = may be exempt
Timeline: 1-2 weeks
Learn More
Step 2 Intermediate

2. Implement ISO 27001 ISMS Backbone

Establish ISO/IEC 27001 Information Security Management System as your governance foundation

Key Actions

  • Implement ISO 27001 ISMS with management commitment
  • Establish security governance per ISO 27001 requirements
  • Define roles and responsibilities using ISO 27001 framework
  • Set up continuous improvement processes

Available Tools

ISO 27001 ISMS Template PDCA Cycle Guide Management Review Framework

Real Examples

CISO appointment Monthly security dashboards Quarterly board reviews
Timeline: 2-4 weeks
Learn More
Step 3 Advanced

3. Perform Risk Assessment

Identify and evaluate cybersecurity risks to your networks and information systems

Key Actions

  • Map all critical systems and data flows
  • Identify potential threats and vulnerabilities
  • Assess impact and likelihood of incidents
  • Prioritize risks and create treatment plans

Available Tools

Risk Assessment Template Threat Catalog Risk Matrix Calculator

Real Examples

Ransomware risk = high Supply chain attack = medium Insider threat = low
Timeline: 4-6 weeks
Learn More
Step 4 Advanced

4. Implement Security Measures

Put in place technical and organizational measures to manage identified risks

Key Actions

  • Deploy security controls (firewalls, antivirus, encryption)
  • Set up access controls and authentication
  • Implement network segmentation
  • Establish backup and recovery procedures

Available Tools

Security Controls Checklist Implementation Roadmap Best Practices Guide

Real Examples

Multi-factor authentication Zero-trust architecture 3-2-1 backup strategy
Timeline: 8-12 weeks
Learn More
Step 5 Intermediate

5. Implement ISO 27035 Incident Management

Deploy ISO/IEC 27035 incident management processes for NIS2 compliance

Key Actions

  • Implement ISO 27035 incident management framework
  • Create structured incident response procedures
  • Set up 24-hour NIS2 incident reporting to authorities
  • Establish ISO 22301 business continuity integration

Available Tools

ISO 27035 Response Framework NIS2 Reporting Templates ISO 22301 BC Integration

Real Examples

Data breach playbook Ransomware response plan DDoS mitigation procedures
Timeline: 3-4 weeks
Learn More
Step 6 Intermediate

6. Secure Your Supply Chain

Manage cybersecurity risks from suppliers and service providers

Key Actions

  • List all critical suppliers and dependencies
  • Assess supplier security practices
  • Add security requirements to contracts
  • Monitor third-party risks continuously

Available Tools

Supplier Assessment Form Contract Clauses Library Vendor Risk Matrix

Real Examples

Cloud provider audit Software vendor assessment Contractor security requirements
Timeline: 4-6 weeks
Learn More
Step 7 Beginner

7. Train Your Staff

Ensure all employees understand cybersecurity risks and their responsibilities

Key Actions

  • Create cybersecurity awareness program
  • Train staff on phishing and social engineering
  • Conduct regular security exercises
  • Test employee readiness with simulations

Available Tools

Training Materials Library Phishing Simulator Awareness Posters

Real Examples

Monthly security tips Annual security training Phishing tests
Timeline: 2-3 weeks
Learn More
Step 8 Intermediate

8. Demonstrate Compliance

Document and prove your compliance with NIS2 requirements to authorities

Key Actions

  • Document all security policies and procedures
  • Keep evidence of security measures implementation
  • Prepare for potential audits or inspections
  • Register with national authorities if required

Available Tools

Compliance Checklist Audit Preparation Guide Registration Forms

Real Examples

Security policy manual Audit trail logs Compliance certificate
Timeline: 2-4 weeks
Learn More

NIS2 Quick Reference

Key deadlines, requirements, and penalties at a glance

Critical Deadlines

  • 24 hours: Early warning to authorities
  • 72 hours: Detailed incident report
  • 1 month: Final incident report
  • Ongoing: Continuous compliance required

Core Requirements

  • • Risk management and policies
  • • Incident handling and reporting
  • • Business continuity planning
  • • Supply chain security
  • • Management liability compliance

Maximum Penalties

  • Essential: €10M or 2% revenue
  • Important: €7M or 1.4% revenue
  • • Personal management liability
  • • Temporary management bans

Supporting Tools and Resources

Everything you need to implement and maintain NIS2 compliance

ISO 27001 Compliance Mapper

Map your existing ISMS to NIS2 requirements

Access tool

Standards-Based Gap Analysis

Assess compliance using ISO/NIST/ENISA frameworks

Access tool

Compliance Checklist

Track all requirements in one place

Access tool

ISO 27035 Incident Framework

ISO 27035 incident management with NIS2 reporting

Access tool

Risk Assessment Guide

Identify and evaluate your cyber risks

Access tool

Sector Checker

Check if your industry is covered

Access tool

NIST CSF 2.0 / CIS Implementation

Practical implementation guides for technical teams

Access tool

ENISA Guidance Toolkit

EU interpretation layer for compliance

Access tool
Article Article 21 ·
View on EUR-Lex

🆘 NIS2 Compliance Getting Complex?

Network security requirements can be tricky to implement correctly. Our free resources cover the basics, but for critical infrastructure or complex setups, expert guidance can save you months of work.

Talk to an expert → or Browse all our free resources →