5 Steps to NIS2 Compliance: A Practical Guide for EU Organizations

Before investing in compliance work, confirm whether your organization actually falls within NIS2's scope. The directive distinguishes between two categories of covered entities:

Size thresholds: NIS2 applies to organizations with 50+ employees OR €10M+ annual turnover operating in covered sectors. Smaller organizations may still be included if they are the sole provider of a critical service or if a member state extends the scope.

Covered sectors include: energy, transport, banking, financial markets, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food production, manufacturing, digital providers, and research organizations.

Action: Document your determination in writing — including which sector category applies and which member states' implementation you fall under.

Once you've confirmed scope, compare your current security posture against the requirements in NIS2 Article 21. This is the core of the directive — it mandates "appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems."

The Article 21 measures include:

• Risk analysis and information system security policies
• Incident handling (detection, response, recovery)
• Business continuity and disaster recovery
• Supply chain security
• Security in network and information systems acquisition and development
• Policies and procedures to assess the effectiveness of measures
• Cyber hygiene practices and cybersecurity training
• Cryptography and encryption
• Human resources security, access control, and asset management
• Multi-factor authentication and secure communication systems

For each area, document your current state, identify gaps, and assign a risk priority. If you hold ISO 27001, you can map your existing ISMS controls directly — expect to find that 75–80% of requirements are already addressed.

Address the gaps identified in Step 2, prioritized by risk. Common areas where organizations need to invest include:

• Incident response procedures with NIS2-specific reporting timelines — 24h early warning and 72h notification to your NCA must be operationalized, not just documented
• Multi-factor authentication (MFA) — implement across all privileged accounts, remote access, and critical systems
• Supply chain security program — assess and document security practices of key suppliers, including contractual security requirements
• Management training and awareness — NIS2 explicitly requires management bodies to receive training; document attendance and content
• Vulnerability disclosure and patch management — formal procedures for tracking and remediating vulnerabilities within defined timeframes
• Business continuity testing — plans must be tested, not just written; document exercise results

Prioritize controls that have both high regulatory significance and high risk reduction value. Don't try to implement everything at once — a risk-based approach is both NIS2-compliant and practically sensible.

Most EU member states require covered entities to formally register with their National Competent Authority (NCA). This is a legal obligation separate from any technical compliance work — and it is often missed by organizations focused solely on implementing controls.

Registration requirements vary by member state, but typically include:

• Organization name, legal status, and sector classification
• List of IP address ranges and domain names
• Contact details for security incidents
• Identification of management persons responsible for NIS2 compliance

Check the requirements for each EU member state where your organization operates. Some member states have integrated NIS2 registration into existing sector-specific frameworks; others have created new online registration portals.

NIS2 compliance is not a one-time project. Regulatory expectations require that covered entities continuously manage cybersecurity risks and keep their measures up to date. Key ongoing activities include:

• Annual internal reviews — reassess your risk landscape, update your risk register, and verify that controls remain effective
• Incident reporting — maintain your 24h/72h reporting capability and conduct post-incident reviews after any significant event
• Management training — refresh management awareness annually; document participation
• Supplier reassessment — review key suppliers at least annually, particularly after security incidents in your supply chain
• Business continuity testing — conduct at least annual exercises; document and act on findings
• Vulnerability scanning and patching — maintain a regular cadence; document remediation timelines

Build NIS2 compliance activities into your organization's regular operational calendar — not as a separate workstream, but as part of normal security management. Assign ownership, set review dates, and track completion.