How to Conduct a NIS2 Gap Analysis

Compliance Guides
The Nistoo Team
10 April 2024

A step-by-step methodology for assessing your current cybersecurity posture against NIS2 requirements — including scoring frameworks and remediation prioritisation.

A gap analysis is the foundational exercise of any NIS2 compliance programme. It tells you where you stand today against the requirements of Article 21 and the other NIS2 obligations, and provides the evidence base for building a prioritised remediation plan. Without a thorough gap analysis, you risk investing in the wrong areas or missing critical requirements entirely.

What Is a Gap Analysis

A gap analysis is a structured comparison between your current state (the controls and processes you have today) and the required state (full NIS2 compliance). For each requirement, you assess whether you fully meet it, partially meet it, or do not meet it at all. The output is a gap register — a prioritised list of deficiencies with associated risk levels, remediation recommendations, effort estimates, and owners.

The 4 Assessment Domains

Organising your gap analysis into four domains helps manage the process and ensures comprehensive coverage:

  • Governance & Policy — leadership commitment, security policies, roles and responsibilities, risk management framework
  • Technical Security — access controls, network security, endpoint security, cryptography, patch management, monitoring
  • Operational Processes — incident response, business continuity, backup and recovery, change management, vulnerability management
  • Supply Chain — supplier inventory, supplier assessments, contractual security requirements, ongoing monitoring

Methodology

Follow these steps to conduct a thorough and defensible gap analysis:

  1. Define scope — confirm which entities, systems, and services are in scope for the assessment
  2. Gather evidence — collect existing policies, procedures, system configurations, audit reports, training records, and supplier contracts
  3. Schedule interviews — plan interviews with stakeholders including IT management, security team, operations, legal, HR, and the board
  4. Conduct interviews and walkthroughs — assess each requirement by interviewing relevant stakeholders and walking through evidence
  5. Score each requirement — assign a RAG (Red/Amber/Green) score based on your assessment
  6. Document findings — for each gap, document the finding, supporting evidence, risk level, and recommended remediation
  7. Prioritise remediation — sequence gaps by risk level and implementation effort
  8. Present findings — report to senior management with an executive summary and recommended roadmap

Governance & Policy Assessment Items

  • Does a board-approved information security policy exist and is it current (reviewed within 12 months)?
  • Is there a named individual (CISO or equivalent) with responsibility for cybersecurity?
  • Is there a formal risk assessment process with documented risk register?
  • Have the board and senior management received cybersecurity training within the last 12 months?
  • Are roles and responsibilities for security documented and communicated?
  • Is there a formal process for reviewing and updating security policies?

Technical Security Assessment Items

  • Is MFA deployed for all remote access, privileged access, and email/collaboration tools?
  • Is an accurate and current asset inventory maintained?
  • Is least-privilege access enforced and are access reviews conducted regularly?
  • Is data encrypted at rest and in transit using current algorithms and protocols (TLS 1.2 or later for data in transit; no deprecated ciphers or protocol versions)?
  • Is there a documented and tested patch management process with defined SLAs by severity?
  • Is endpoint detection and response (EDR) deployed across all endpoints?
  • Is network segmentation implemented to limit lateral movement?
  • Is security event monitoring (SIEM or equivalent) in place with defined alert thresholds?

Operational Processes Assessment Items

  • Is there a documented and tested incident response plan (IRP)?
  • Does the IRP specifically address the NIS2 incident reporting timeline (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month), including who decides whether an incident is significant and who submits the notification?
  • Is there a documented business continuity plan (BCP) covering cyber scenarios?
  • Are backups taken regularly, tested for restorability, and isolated from the primary environment?
  • Is there a vulnerability management process with regular scanning?
  • Are penetration tests conducted at least annually?
  • Is there a formal change management process that includes security review?

Supply Chain Assessment Items

  • Is there a complete inventory of suppliers and service providers?
  • Are suppliers classified by criticality (Critical/High/Medium/Low)?
  • Have Critical and High suppliers been assessed for security posture within the last 12 months?
  • Do supplier contracts include security obligations and incident notification requirements?
  • Is there a right to audit included in Critical supplier contracts?
  • Is there an ongoing monitoring process for Critical supplier security status?

Scoring Your Gaps

Use the following RAG statuses and criteria:

  • Green (Compliant): requirement is fully met. Controls are documented, implemented, tested, and evidence is available.
  • Amber (Partially Compliant): requirement is partially met. Controls exist but are incomplete, undocumented, untested, or have known weaknesses.
  • Red (Non-Compliant): requirement is not met. Controls are absent, consistently bypassed, or significantly below the required standard.

Prioritising Remediation

Not all gaps are equal. Prioritise your remediation plan using a combination of risk impact (what is the potential harm if this gap is exploited), likelihood (how probable is exploitation given your threat environment), and implementation effort (how long and how much will it cost to close this gap). Gaps that are high impact, high likelihood, and low effort to fix should be addressed immediately. Gaps that require significant investment should be planned as projects with executive sponsorship. Maintain a remediation tracker that is reviewed monthly by your security governance committee.
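The scoring and prioritisation described above can be kept in a small, reproducible gap register rather than a spreadsheet that drifts. The following Python module is an added example, not Nistoo's tool or code from this guide; the 1 to 5 scales for impact, likelihood and effort, the risk threshold of 12, the tier names and the sample gap entries are all assumptions chosen to illustrate the method (rank by impact x likelihood, then by effort, and separate quick wins from sponsored projects).

```python
"""Gap register scoring and remediation prioritisation.

Added example for the gap analysis guide; not the original page's code.
The scoring scales, thresholds and sample entries are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class RAG(str, Enum):
    GREEN = "Green"
    AMBER = "Amber"
    RED = "Red"


@dataclass
class Gap:
    ref: str          # requirement reference (assumed identifier scheme)
    domain: str       # one of the four assessment domains
    finding: str
    status: RAG
    impact: int       # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    effort: int       # 1 (days) .. 5 (multi-quarter project), assumed scale
    owner: str = "unassigned"

    def __post_init__(self):
        # Reject out-of-range scores early so the register stays comparable.
        for name in ("impact", "likelihood", "effort"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def risk(self) -> int:
        """Risk score = impact x likelihood, range 1..25."""
        return self.impact * self.likelihood


def priority_tier(gap: Gap) -> str:
    """Map a gap onto a remediation tier (threshold 12 is an assumption)."""
    if gap.status is RAG.GREEN:
        return "none"            # compliant: nothing to remediate
    if gap.risk >= 12 and gap.effort <= 2:
        return "immediate"       # high risk, quick to close: do it now
    if gap.risk >= 12:
        return "project"         # high risk, needs executive sponsorship
    if gap.effort <= 2:
        return "quick-win"       # low risk but cheap: fold into BAU work
    return "planned"             # low risk, higher effort: roadmap item


def prioritise(gaps):
    """Open (non-Green) gaps ordered by descending risk, then ascending effort."""
    open_gaps = [g for g in gaps if g.status is not RAG.GREEN]
    return sorted(open_gaps, key=lambda g: (-g.risk, g.effort, g.ref))


def domain_summary(gaps):
    """Count of Red/Amber/Green per domain for the executive summary."""
    summary = {}
    for g in gaps:
        summary.setdefault(g.domain, Counter())[g.status.value] += 1
    return {domain: dict(counts) for domain, counts in summary.items()}


# Constructed sample register; findings are illustrative only.
SAMPLE_GAPS = [
    Gap("TS-01", "Technical Security", "MFA not enforced on VPN", RAG.RED, 5, 4, 1, "IT Ops"),
    Gap("TS-05", "Technical Security", "EDR missing on part of the server estate", RAG.AMBER, 4, 4, 3),
    Gap("OP-02", "Operational Processes", "IRP lacks 24h/72h reporting steps", RAG.AMBER, 4, 3, 1, "CISO"),
    Gap("OP-04", "Operational Processes", "Backups never restore-tested", RAG.RED, 5, 3, 2),
    Gap("SC-01", "Supply Chain", "Supplier inventory complete", RAG.GREEN, 2, 2, 1),
    Gap("GV-03", "Governance & Policy", "No documented risk register", RAG.RED, 3, 3, 4),
]

if __name__ == "__main__":
    for g in prioritise(SAMPLE_GAPS):
        print(f"{g.ref:6} risk={g.risk:2} effort={g.effort} "
              f"tier={priority_tier(g):9} owner={g.owner:11} {g.finding}")
    print(domain_summary(SAMPLE_GAPS))
```

On the sample register the VPN MFA gap ranks first (risk 20, effort 1, tier "immediate"), the EDR coverage gap is a sponsored "project" (risk 16, effort 3), and the missing risk register lands in "planned" despite being Red, because its risk product is below the threshold. That last case is the check worth keeping in mind: a Red status alone does not make a gap urgent, and a register that sorts on RAG colour rather than on risk and effort will misorder work.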

Use AI to Accelerate Your Gap Analysis

Nistoo's AI-powered gap analysis tool automatically maps your uploaded evidence and questionnaire responses against Article 21 requirements, generates a gap register with risk scores, and produces a recommended remediation roadmap — reducing the manual effort of a traditional gap analysis by up to 70%.

Tags: gap-analysis, assessment, methodology, compliance, audit, scoring