Your 10-Step NIS2 Compliance Roadmap
A practical, sequenced roadmap for achieving NIS2 compliance — from initial scoping through ongoing monitoring — with estimated timelines for each step.
Achieving NIS2 compliance is a structured programme that requires commitment across your entire organisation — from the boardroom to frontline staff. This 10-step roadmap provides a practical, sequenced approach to building your NIS2 compliance programme. The steps are designed to be followed in order, as each builds on the foundation established in the previous steps.
Not a Checkbox Exercise
NIS2 compliance is not achieved by completing a checklist once. It requires building ongoing processes, maintaining documentation, and continuously improving your security posture. Treat this roadmap as the foundation of a permanent programme, not a one-time project.
Figure: The 10-step NIS2 compliance roadmap (Determine Scope; Inventory Assets; Gap Analysis; Risk Assessment; Implement Controls; Incident Response Plan; Supply Chain Security; Train Staff & Management; Register with Authority; Ongoing Monitoring).
Step 1 — Determine Scope and Classification
Before investing in any compliance activities, confirm whether your organisation is in scope for NIS2. Check whether you operate in an Annex I or Annex II sector, verify your size (employees and turnover), and consider any special rules that may apply to your sector. Document your classification decision with evidence — this will be required when registering with your national authority. If you are uncertain, seek legal advice from a specialist in EU cybersecurity law or use Nistoo's Entity Check tool.
Step 2 — Inventory Assets and Services
Conduct a comprehensive inventory of all assets (hardware, software, cloud services, data, and people) and the services you provide that are in scope. Map dependencies between systems and understand which assets are critical to delivering your services. This asset inventory forms the basis for your risk assessment and is itself a requirement under the access control and asset management measure (Article 21(2)(i)). Use automated discovery tools where possible to ensure completeness.
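The dependency mapping in Step 2 is easier to reason about once it is data rather than a diagram. The following Python script is an added example, not code from the original article or from Nistoo: it takes a constructed asset inventory (names and dependencies are invented for illustration), walks the dependency graph for each in-scope service, and reports which assets every service relies on (the single points of failure a risk assessment should look at first) and which inventory entries no in-scope service depends on. The inventory structure and the criticality rule are assumptions chosen for this example.

```python
"""Critical-asset analysis from a dependency inventory (constructed example)."""
from collections import deque

# Constructed sample inventory: asset name -> type and the assets it depends on.
# All names are illustrative and do not describe any real organisation.
INVENTORY = {
    "customer-portal":   {"type": "service",  "depends_on": ["web-frontend", "identity-provider"]},
    "billing-api":       {"type": "service",  "depends_on": ["app-server", "identity-provider"]},
    "web-frontend":      {"type": "software", "depends_on": ["app-server"]},
    "app-server":        {"type": "hardware", "depends_on": ["postgres-cluster", "saas-logging"]},
    "identity-provider": {"type": "cloud",    "depends_on": []},
    "postgres-cluster":  {"type": "hardware", "depends_on": ["san-storage"]},
    "san-storage":       {"type": "hardware", "depends_on": []},
    "saas-logging":      {"type": "cloud",    "depends_on": []},
    "test-lab-switch":   {"type": "hardware", "depends_on": []},  # nothing in scope uses it
}

# The services the organisation provides that fall under NIS2 (constructed).
IN_SCOPE_SERVICES = ["customer-portal", "billing-api"]


def transitive_dependencies(asset, inventory):
    """Return every asset that `asset` depends on, directly or indirectly.

    Breadth-first walk with a visited set, so cyclic dependencies terminate.
    A dependency that is not itself in the inventory is an inventory gap and
    is reported as an error rather than silently ignored.
    """
    seen = set()
    queue = deque(inventory[asset]["depends_on"])
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        if dep not in inventory:
            raise KeyError(f"{asset} depends on {dep!r}, which is missing from the inventory")
        seen.add(dep)
        queue.extend(inventory[dep]["depends_on"])
    return seen


def asset_criticality(inventory, services):
    """Map each asset to the set of in-scope services that would be affected if it failed."""
    impact = {name: set() for name in inventory}
    for svc in services:
        impact[svc].add(svc)
        for dep in transitive_dependencies(svc, inventory):
            impact[dep].add(svc)
    return impact


def critical_assets(inventory, services):
    """Supporting assets that every in-scope service depends on (shared single points of failure)."""
    impact = asset_criticality(inventory, services)
    return sorted(a for a, svcs in impact.items() if svcs == set(services) and a not in services)


def unreferenced_assets(inventory, services):
    """Inventory entries no in-scope service depends on: confirm they are out of scope, not forgotten."""
    impact = asset_criticality(inventory, services)
    return sorted(a for a, svcs in impact.items() if not svcs)


if __name__ == "__main__":
    ranked = sorted(asset_criticality(INVENTORY, IN_SCOPE_SERVICES).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    for asset, svcs in ranked:
        print(f"{asset:20s} affects {len(svcs)} in-scope service(s): {', '.join(sorted(svcs)) or '-'}")
    print("critical (shared by all services):", critical_assets(INVENTORY, IN_SCOPE_SERVICES))
    print("unreferenced:", unreferenced_assets(INVENTORY, IN_SCOPE_SERVICES))
```

Feeding the script a real inventory export is where the value lies: a dependency that raises `KeyError` is an asset nobody recorded, and an entry with no dependants is either out of scope or a dependency somebody forgot to declare. Either finding belongs in the gap analysis of Step 3.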
Step 3 — Conduct a Gap Analysis
Assess your current security posture against each of the 10 Article 21 requirements and identify gaps. A gap analysis should involve interviews with IT, security, legal, HR, and operations stakeholders to understand what controls already exist. Document each requirement, your current state, the gap, and the risk it represents. Prioritise gaps by risk level and estimated effort to close. This gap analysis drives your entire remediation programme and should be repeated annually.
Step 4 — Conduct a Risk Assessment
NIS2 mandates a risk-based approach, meaning your security measures must be proportionate to the risks you face. Conduct a formal risk assessment that identifies threat sources (malicious actors, insiders, accidents, natural events), vulnerabilities in your assets, and the potential impact of various incident scenarios. Rate each risk for likelihood and impact, and produce a risk register that will drive your control selection and prioritisation. Your risk assessment must be reviewed regularly and after significant changes to your environment.
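Steps 3 and 4 both end in a prioritised list: gaps ordered by risk and effort, and risks rated for likelihood and impact in a register. The Python below is an added example rather than code from the article or from Nistoo. It models a small constructed risk register (entries, scores and effort figures are invented), scores each entry as likelihood multiplied by impact on 1-to-5 scales, maps the score to a rating band, and orders the register so that the highest risks come first and, among equal risks, the cheapest to close. The scales, band thresholds and effort unit are assumptions made for this example; adapt them to your own risk methodology.

```python
"""Risk register scoring and prioritisation (constructed example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Risk:
    ref: str
    threat_source: str   # malicious actor, insider, accident, natural event
    vulnerability: str   # weakness in an asset that the threat could exploit
    scenario: str        # the incident that would result
    likelihood: int      # 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int          # 1 (negligible) .. 5 (severe)     [assumed scale]
    effort_days: int     # estimated effort to close the gap [assumed unit]

    def __post_init__(self):
        # Reject out-of-range ratings early: a register full of "6"s is not a risk assessment.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.ref}: {name} must be between 1 and 5, got {value}")

    @property
    def score(self):
        return self.likelihood * self.impact


def rating(score):
    """Map a 1..25 score to a rating band (thresholds are an assumption for this example)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(register):
    """Highest score first; among equal scores, least effort first; ref as a stable tie-break."""
    return sorted(register, key=lambda r: (-r.score, r.effort_days, r.ref))


def band_summary(register):
    """Count of entries per rating band, always listing every band so reports stay comparable."""
    counts = Counter(rating(r.score) for r in register)
    return {band: counts.get(band, 0) for band in ("critical", "high", "medium", "low")}


# Constructed sample register; none of these entries describe a real organisation.
REGISTER = [
    Risk("R-01", "malicious actor", "no MFA on remote access", "credential theft leading to intrusion", 4, 5, 20),
    Risk("R-02", "insider", "excessive standing privileges", "unauthorised data export", 2, 4, 15),
    Risk("R-03", "accident", "backups never restore-tested", "unrecoverable data loss after ransomware", 3, 5, 10),
    Risk("R-04", "natural event", "single data centre", "flooding takes core services offline", 1, 5, 120),
    Risk("R-05", "malicious actor", "unpatched edge appliance", "remote compromise via known vulnerability", 4, 4, 5),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref} score={r.score:2d} ({rating(r.score):8s}) effort={r.effort_days:3d}d  {r.scenario}")
    print(band_summary(REGISTER))
```

The ordering is the point for Step 5: R-05 outranks R-03 despite a lower impact because its likelihood is higher and it is the cheapest item in the register to close, which is the "highest-risk gaps first" rule with effort as the tie-breaker. Re-running the script after a significant change to the environment, with updated likelihood and impact values, is the cheapest form of the regular review NIS2 expects.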
Step 5 — Implement Security Measures
Based on your gap analysis and risk assessment, implement the controls required to close critical gaps. Start with the highest-risk gaps and work down. Track each control implementation as a project with an owner, due date, and success criteria. Key priorities typically include: MFA deployment, backup and recovery testing, endpoint detection and response, security information and event management (SIEM) deployment, and patch management process improvement. Ensure all controls are documented.
Step 6 — Establish an Incident Response Plan
Create or update your incident response plan (IRP) to specifically address the NIS2 reporting timeline. Your IRP must define: what constitutes a "significant incident" for your organisation, escalation triggers and contact lists, the process for submitting Early Warning, Incident Notification, and Final Report to your national CSIRT or NCA, and internal communication procedures during an incident. Test the plan through tabletop exercises with senior management participation.
Step 7 — Secure the Supply Chain
Implement a supplier risk management programme following the process described in the Supply Chain Security guide. Create your supplier inventory, classify suppliers by criticality, conduct assessments of critical suppliers, update contracts to include security obligations, and establish an ongoing monitoring programme. Engage procurement and legal to ensure new supplier contracts include appropriate security clauses.
Step 8 — Train Staff and Management
Deliver mandatory cybersecurity awareness training to all staff and specific training to senior management on their NIS2 obligations under Article 20. Training content should be role-appropriate: general awareness for all staff, technical training for IT and security personnel, and governance and liability training for the board and C-suite. Maintain records of who has completed training and when. Repeat training annually or when significant threats emerge.
Step 9 — Register with Your National Authority
NIS2 requires covered entities to register with their national competent authority (NCA). The registration process varies by Member State — check your national NIS2 implementing legislation for specific requirements. Typically you will need to provide: your organisation's name and registration details, the sector(s) in which you operate, your entity classification (Essential or Important), the services you provide in scope, and contact details for your cybersecurity point of contact.
Step 10 — Ongoing Monitoring and Improvement
NIS2 compliance is a continuous process. Establish a security governance structure that meets regularly to review your risk landscape, monitor the effectiveness of your controls, and drive continuous improvement. Conduct annual reassessments against Article 21, repeat supplier assessments, update your risk register, review and test your incident response plan, and report on your compliance status to senior management and the board. Track changes in the threat landscape and emerging regulatory guidance from ENISA and your national authority.
| Step | Indicative Duration | Primary Owner |
|---|---|---|
| 1. Determine scope | 1–2 weeks | Legal / Compliance |
| 2. Asset inventory | 2–4 weeks | IT / Security |
| 3. Gap analysis | 3–6 weeks | Security / Compliance |
| 4. Risk assessment | 2–4 weeks | Security |
| 5. Implement controls | 3–12 months (ongoing) | IT / Security |
| 6. Incident response plan | 2–4 weeks | Security / Legal |
| 7. Supply chain security | 2–3 months (initial) | Procurement / Security |
| 8. Staff training | 1–2 months (initial, then ongoing) | HR / Security |
| 9. Register with authority | 1–2 weeks (when process opens) | Compliance / Legal |
| 10. Ongoing monitoring | Permanent | CISO / Board |
