
In our previous article, we explained what the NIS2 Directive is. We talked about who’s affected and why it matters. If you haven’t read that yet, it’s worth starting there.

But if you’re already aware of the directive, or you’re in one of the countries that have already adopted NIS2 into their local legislation, you’ve found your guide.

This guide is for those ready to move from awareness to action. We’ll walk you through how to get compliant without overengineering the process. We’ll also point out a few critical things that may fly under the radar for most companies.

Let’s get into it.

How to get compliant without overcomplicating it

Getting started with NIS2 compliance doesn’t mean rebuilding everything. With a little nudge from experts, you can build on what you already have. If your company already follows ISO 27001 and ISO 9001, you’re in a strong starting position for NIS2 compliance. But for many organizations, especially smaller ones that haven’t adopted these standards, meeting NIS2 requirements could mean a significant amount of work ahead.

1. Start with internal awareness and accountability

NIS2 makes cybersecurity a board-level issue. Your leadership needs to understand the risks, approve the strategy, and oversee how well it’s being implemented.

According to Article 20, the management body — typically your CEO, board, or executive team — must approve cybersecurity risk-management measures, oversee their execution, and can be held personally liable for non-compliance. That’s a significant shift from past norms where cyber risk was considered a technical silo.

Start by raising internal awareness. Your executive team should know:

  • That NIS2 may apply to your organization
  • What their responsibilities are under the directive
  • That oversight is not optional — it’s enforceable

Then, appoint someone to own the process internally. This doesn’t have to be a new hire. In many companies, it’s a joint effort between IT/security, legal/compliance, and operations. The key is that someone is accountable for keeping the work moving.

2. Perform a NIS2 applicability and scope check

Before you start writing policies or tightening controls, you need to know if and how NIS2 applies to you. This step is often skipped, but it’s crucial, especially for companies operating in multiple sectors or across borders.

The directive applies to two types of entities:

  • Essential entities: typically in sectors like energy, health, transport, finance, and digital infrastructure
  • Important entities: broader industries such as food, manufacturing, chemicals, and postal services

Whether you’re classified as essential or important depends on what services you provide and the size of your company. The general rule is that all medium and large companies in listed sectors fall under the directive. The old NIS model, where Member States selected which companies were critical, no longer applies — NIS2 uses a size-cap rule.

If you’re unsure, you can:

  • Review Annexes I and II of the directive to check your sector
  • Check national guidance (if your Member State has already transposed the directive)
  • Consult your legal or compliance team. This is also a good moment to involve them early

Once you’ve determined your status, document it. This will help with internal planning, risk assessments, and any future questions from regulators or partners.

3. Conduct a cybersecurity gap analysis

Once you know NIS2 applies to your business, the next step is figuring out where you stand and where you fall short. That’s where a gap analysis comes in.

NIS2 outlines requirements under Article 21(2). These are structured expectations for how your organization should manage cyber risk. Here’s what you need to evaluate:

  • Do you have a documented risk analysis and security policy for your IT systems?
  • Is there a clear process for incident handling and escalation?
  • Can you maintain business continuity through backups, disaster recovery, and crisis response?
  • Have you assessed your supply chain risks, especially for key third-party vendors?
  • Are you managing system security across development, maintenance, and vulnerability disclosure?
  • Are your security controls reviewed regularly to check if they actually work?
  • Do you have basic cyber hygiene measures in place, including employee training?
  • Are you using encryption, multi-factor authentication, and access controls where needed?

If your company already follows frameworks like ISO/IEC 27001, NIST CSF, or CIS Controls, many of these boxes are already ticked, or at least partially covered. But for companies that haven’t adopted any standard, this can feel like a steep climb.

To make this manageable:

  • Map your current controls to the NIS2 requirements
  • Identify gaps, rank them by risk, and build a simple action plan
  • Start with the basics — firewalls, access control, backups, training — and grow from there

💡 Tip: ENISA.eu has published a detailed implementation guide that helps translate each requirement into practical actions. Use it to bridge the legal text with operational steps.

4. Build or refine your incident response process

NIS2 introduces stricter rules around how you respond to and report cybersecurity incidents. According to Article 23, if your organization experiences a significant incident, you must:

  • Report it to your national authority within 24 hours of becoming aware
  • Provide an intermediate report within 72 hours
  • Submit a final report no later than 1 month after the initial notification

This means you need a structured, tested incident response process. Not just for internal containment, but also for regulatory reporting.

Start by clarifying:

  • What qualifies as a significant incident for your business (hint: anything that impacts essential services, affects large numbers of users, or spills into other sectors)
  • Who is responsible for triggering the report and communicating with authorities
  • How you’ll gather the required information quickly (scope, impact, response steps, and ongoing risks)

If, for example, you rely on a third-party data center and they suffer a breach, your services may go down. You’re still responsible for reporting — even if the root cause wasn’t under your direct control.

This is one of the most time-sensitive parts of NIS2. If you don’t have clarity here, start building it now, before you’re under pressure to act.
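As an added example (not code from the original article), here is a small Python tracker for the Article 23 timeline described above: it derives the 24-hour, 72-hour and one-month deadlines from the moment of awareness and reports which submissions are still due, overdue, or were filed late. It assumes, as the article states, that the final-report clock starts at the initial notification (falling back to the 24-hour deadline until that notification is filed), and it treats "1 month" as one calendar month; the incident scenario in `demo()` is constructed.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Reporting milestones from Article 23 as summarised in the article above.
EARLY_WARNING = "early_warning"        # within 24 hours of becoming aware
INTERMEDIATE = "intermediate_report"   # within 72 hours of becoming aware
FINAL = "final_report"                 # within 1 month of the initial notification

def parse_ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2025-03-10T09:00:00+00:00'."""
    return datetime.fromisoformat(iso)

def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28 Feb)."""
    year, month = ts.year + ts.month // 12, ts.month % 12 + 1
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))

@dataclass
class SignificantIncident:
    aware_at: datetime                              # when the organisation became aware
    submitted: dict = field(default_factory=dict)   # milestone -> time actually filed

    def deadlines(self) -> dict:
        d = {EARLY_WARNING: self.aware_at + timedelta(hours=24),
             INTERMEDIATE: self.aware_at + timedelta(hours=72)}
        # Assumption (per the article): the final-report clock runs from the initial
        # notification; until that is filed, start it at the 24-hour deadline (worst case).
        d[FINAL] = add_one_month(self.submitted.get(EARLY_WARNING, d[EARLY_WARNING]))
        return d

    def status(self, now: datetime) -> dict:
        """Per milestone: 'submitted', 'late' (filed after its deadline), 'due' or 'overdue'."""
        result = {}
        for milestone, deadline in self.deadlines().items():
            filed = self.submitted.get(milestone)
            if filed is not None:
                result[milestone] = "submitted" if filed <= deadline else "late"
            else:
                result[milestone] = "overdue" if now > deadline else "due"
        return result

def demo() -> dict:
    # Constructed scenario: aware at 09:00 UTC on 10 March, early warning filed the same
    # evening, and the 72-hour intermediate report still unfiled four days later.
    inc = SignificantIncident(parse_ts("2025-03-10T09:00:00+00:00"))
    inc.submitted[EARLY_WARNING] = parse_ts("2025-03-10T20:00:00+00:00")
    return inc.status(parse_ts("2025-03-14T09:00:00+00:00"))
```

Running `demo()` flags the intermediate report as overdue while the final report is still due, which is exactly the kind of check the person responsible for regulatory reporting should be able to run at any point during an incident.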

5. Secure your supply chain

One of the overlooked, and potentially high-risk, areas of NIS2 compliance is your supply chain. According to Article 21(2)(d), you’re required to address security-related aspects concerning relationships with your direct suppliers or service providers.

This means you’re not just responsible for your internal systems. You’re also expected to evaluate and manage the cybersecurity risks introduced by the vendors, platforms, and partners your operations depend on.

Start by identifying which suppliers are critical to service continuity. Think cloud hosting providers, software vendors, managed service providers, and even AI vendors. If a breach in one of their systems could affect your ability to deliver, they’re in scope for your supply chain risk management.

Here’s what you should do:

  • Review existing contracts and SLAs to check if they include cybersecurity and incident reporting clauses
  • Request security certifications or documentation from critical vendors (e.g., ISO 27001, SOC 2 reports)
  • Introduce cybersecurity due diligence into your procurement process
  • Establish notification timelines for your vendors. If they’re breached, you need to know fast enough to meet your own reporting obligations

6. Implement “appropriate and proportionate” security controls

NIS2 avoids prescribing a single framework or checklist. Instead, it requires that your security measures be appropriate to the risks you face. This is known as the “risk-based approach”. Put simply, it gives you flexibility while still holding you accountable.

Under Article 21(1), the directive asks organizations to consider:

  • The state of the art (i.e., current best practices and technologies)
  • The cost of implementation
  • The size and risk exposure of the organization
  • The likelihood and potential impact of incidents

In simple terms, you don’t need to implement every possible control. You do, however, need to make informed, justified decisions about what you put in place and why.

If you already follow frameworks like ISO/IEC 27001, NIST CSF, or CIS Controls, then you’re probably already aligned with many NIS2 expectations. But if you’re not using a formal security standard, this is the time to start organizing your efforts.

A few practical controls to prioritize:

  • Strong access controls and multi-factor authentication
  • Regular vulnerability scanning and patch management
  • Backup and restore procedures
  • Endpoint protection
  • Secure software development practices
  • Clear, enforced IT policies

7. Establish internal monitoring and review

Your national authorities will expect you to demonstrate that your cybersecurity risk management is ongoing.

This means regular reviews of your controls, procedures, and risk landscape. Here’s how to make that part of your workflow without turning it into a bureaucratic headache:

  • Set a review cadence. Quarterly or biannual security assessments are a good start
  • Track and document KPIs related to incident frequency, response times, or failed patches
  • Revisit your risk assessments at least annually, and after major business changes
  • Conduct internal audits or self-assessments to test if your procedures work in practice

If your company is large or operates in a regulated industry, you may want to involve third-party auditors.

8. Assign and train people

Technology alone won’t make you compliant. NIS2 puts a strong emphasis on people and skills, starting at the top.

Under Article 20, training is mandatory for members of the management body. That means executives need a working understanding of cyber risks and governance: enough to evaluate decisions and lead when it matters.

This isn’t just box-ticking. It’s about making security a shared responsibility.

NIS2 also encourages regular training for employees, tailored to their role. A software developer needs a different kind of awareness than a finance team lead, and a customer support rep may need specific training on phishing or secure data handling.

9. Stay updated

Even after your company meets the initial requirements, compliance isn’t a one-time milestone. NIS2 is a living directive. Regulations evolve, interpretations change, and national enforcement practices will mature over time.

To stay ahead:

  • Subscribe to updates from ENISA, your national NIS authority, and sector-specific regulators
  • Follow the development of peer review methodologies (coming from January 2025)
  • Monitor emerging implementing acts, technical guidelines, and related laws like the Cyber Resilience Act, DORA, and the AI Act
  • Stay engaged with industry groups and compliance communities. Many are already sharing practical lessons from early implementation

If you’re working across borders or in complex industries like manufacturing, digital services, or telecom, these updates can materially affect your obligations.

💡 Tip: Assign someone in legal, compliance, or IT governance to track regulatory developments and flag relevant updates. Even a quarterly email to leadership can keep awareness high and surprise audits low.

A few bonus things you might not know (but should)

NIS2 has plenty of obvious requirements. But here are a few important points that may slip under the radar:

  • Your obligations may begin before you’re officially notified
    You don’t need a formal letter or registry inclusion to be in scope. If your organization meets the criteria (sector, size, service type), you’re automatically considered an essential or important entity.
  • Non-EU companies must appoint an EU representative
    If you’re based outside the EU but offer services like cloud hosting, online platforms, or social networks to EU customers, you need a designated legal representative within the EU.
  • A breach in one business unit may trigger reporting for the whole group
    If you’re part of a corporate group and one legal entity is affected, the impact could escalate to the parent company or other subsidiaries.
  • National authorities can issue binding instructions without waiting for a breach
    Regulators don’t have to wait for an incident. If they find deficiencies in your risk management practices, they can issue warnings or force remediation, even if you haven’t had a security event.
  • Voluntary peer reviews will start in 2025 and could shape expectations
    Member States will begin exchanging review insights in early 2025. Even if your company isn’t involved, outcomes from these reviews could raise the bar for what’s considered “adequate” across industries.
  • Failure to cooperate can be penalized, not just the incident itself
    If your company delays, obstructs, or provides incomplete information during an inspection or audit, that alone can lead to fines or sanctions under national enforcement rules.

These are the kinds of details that make a real difference during implementation — and the ones that often catch companies off guard if they rely only on high-level summaries.

Act, don’t catch up

The clock is ticking for companies to get serious about cybersecurity. It’s not just about avoiding fines. It’s about protecting your operations, your customers, and your reputation in a digital world that’s only getting riskier.

Start now. Stay informed. And when in doubt, go back to the basics: accountability, visibility, and action.
