NIS2
12 min read

10 Steps to NIS2 Compliance

Practical step-by-step guide

NIS2 can seem overwhelming. Ten areas of measures, incident reporting, documentation, audits... Where to start? In this article, we give you a practical, step-by-step guide.

Steps Overview

1

Determine if you fall under NIS2

Low1 day

Check two criteria - sector (energy, transport, healthcare, manufacturing...) and size (50+ employees or €10+ million turnover). Output: clear YES/NO answer and category.

2

Get management support

Medium1-2 weeks

NIS2 requires management involvement. Prepare a presentation on NIS2, sanctions, and necessary resources. Agree on an executive sponsor and regular reporting.

3

Do an assessment

Low1-2 days

Go through 10 NIS2 areas and evaluate current status. What do you have? What is missing? What is the priority? Our free assessment will help you with this.

4

Analyze risks

Medium2-4 weeks

Identify assets (systems, data, infrastructure), threats (ransomware, phishing, DDoS), and assess risks. Define measures for high risks.

5

Create documentation

Medium4-8 weeks

Priority 1: Cybersecurity Policy and Incident Response Plan. Priority 2: Risk Register, Continuity Plan, Access Policy. Priority 3: Remaining documents.

6

Implement technical measures

High2-6 months

Basics: firewall, antivirus/EDR, backup, encryption, MFA. Advanced: network segmentation, SIEM, vulnerability scanning, PAM.

7

Set up incident management

Medium2-4 weeks

Define Incident Response Team, escalation matrix, playbooks for common incidents. Prepare forms and contacts for reporting to authorities.

8

Secure supply chain

Medium1-3 months

Map suppliers, assess risk, define security requirements in contracts. Set up regular evaluation.

9

Train employees

LowOngoing

For all: basics of cyber hygiene. For IT: technical training. For management: responsibility under NIS2. Record attendance.

10

Test and improve

MediumOngoing

Monthly: metrics review. Quarterly: vulnerability scan, access review. Yearly: penetration test, risk revision, audit.

Timeline

Month 1
Scope determination, management support, assessment
Month 2-3
Risk analysis, basic documentation
Month 4-6
Technical measures (phase 1), incident management
Month 5-6
Supply chain, initial training
Month 7+
Testing, improvement, next phases

Realistic timeline for a medium-sized company: 6-12 months for basic compliance.

Checklist

  • I know if I fall under NIS2 and in which category
  • I have management support and budget
  • I have a gap analysis with priorities
  • I have a risk register
  • I have at least 2 key documents
  • I have basic technical measures
  • I know who and how to report incidents to
  • I have an overview of critical suppliers
  • Employees have completed basic training
  • I have a plan for regular testing

Start with Step 1 and 3

Verify scope and do an assessment. Our free NIS2 assessment will tell you where you are and what is missing.

This article is for informational purposes. For specific implementation, consult an expert.