Table of contents
- 1. Confirm your category
- 2. Establish a board-level cyber-security mandate
- 3. Operate a risk-based cyber-security policy
- 4. Run a credible incident-management process
- 5. Address the supply chain
- 6. Cover the basics that auditors verify first
- 7. Prepare your evidence room
- 8. Test your detection and response capability
- 9. Train people, not just admins
- 10. Get continuous monitoring in place
- 11. Document the residual risk
- 12. Run a pre-audit dry run
The NIS2 directive extends the EU's cyber-security obligations to thousands of mid-market organisations that previously sat outside its scope. Whether you operate a manufacturing plant in Bavaria, a logistics hub in Rotterdam or a software house in Warsaw, the question is no longer whether NIS2 applies but how you demonstrate compliance before your competent authority asks.
1. Confirm your category
NIS2 distinguishes between "essential" and "important" entities. Mis-classifying yourself is the most common early error — it changes both your reporting deadlines and the magnitude of fines you face. Map your operating sectors against Annex I and Annex II of the directive before doing anything else.
2. Establish a board-level cyber-security mandate
The directive introduces personal liability for executives. Document who at board level owns cyber-security risk, capture this in your governance framework, and ensure your minutes show genuine oversight — not box-ticking.
3. Operate a risk-based cyber-security policy
NIS2 expects a written, board-approved policy that ties controls to measurable risks. Generic templates downloaded from the internet will not pass scrutiny.
4. Run a credible incident-management process
You will need to report significant incidents to your CSIRT within 24 hours of detection (early warning), 72 hours (notification) and one month (final report). Run table-top exercises now to ensure you can hit those windows under stress.
5. Address the supply chain
NIS2 makes you responsible for assessing the security of your direct suppliers and service providers. Move beyond the annual questionnaire — adopt continuous attestation.
6. Cover the basics that auditors verify first
- Multi-factor authentication on all privileged and remote access
- Patch management with documented SLA
- Backup, restore and disaster-recovery testing within the last 12 months
- Encryption of data in transit and at rest
- Documented identity and access management lifecycle
7. Prepare your evidence room
Auditors do not assess what you say — they assess what you can prove. Build a single-source-of-truth repository of policies, risk assessments, training records, incident reports and asset inventories.
8. Test your detection and response capability
Penetration testing, red-team exercises and table-top incident response are no longer optional. Schedule them, fund them, and act on the findings.
9. Train people, not just admins
The directive expects security awareness across the organisation. Targeted training for finance, HR and engineering is far more effective than generic e-learning.
10. Get continuous monitoring in place
A 24/7 SOC — whether in-house, hybrid or outsourced — is the difference between detecting an incident and explaining one to your regulator after the fact.
11. Document the residual risk
NIS2 does not demand zero risk. It demands that you understand and accept your residual risk consciously, with the right people informed.
12. Run a pre-audit dry run
Engage a third party — your assessor, your MDR provider, your consultant — to walk the full evidence trail two months before your real assessment.
Where WPROIT helps: our consulting team runs accelerated NIS2 readiness assessments across all 12 areas above, typically delivering a board-ready report in under six weeks.
WPROIT Administrator