When companies kick off the NIS2 readiness journey, the first instinct is always technical: assess firewalls, check backups, encrypt everything. But within weeks, it will become clear—the most critical asset isn’t a tool or control. It is coordination.
Like building a bridge across a regulatory canyon, NIS2 compliance is a multidisciplinary effort. Without clear ownership, defined milestones, and executive visibility, even the most well-intentioned security initiatives stall.
That’s why, for essential entities preparing for NIS2, project management is not a support function—it’s the cornerstone. From defining the scope of the gap analysis to tracking supplier reviews, incident response updates, and board-level approvals, every requirement of the Directive demands structured execution.
Security without planning is just hope. And hope isn’t an audit defense.
As the NIS2 Directive reaches its post-transposition implementation phase, Chief Information Security Officers (CISOs) at essential entities face the critical task of aligning their organizations with regulatory expectations and preparing for formal gap assessments. The European Union Agency for Cybersecurity (ENISA)’s 2024 Report on the State of Cybersecurity in the Union offers timely guidance and urgency: the window for proactive NIS2 readiness is now.
Below, we outline the top priorities for CISOs over the coming 12 months as they prepare their organizations for a structured NIS2 gap analysis.
1. Map and Govern the Scope: Know Your Entity Classification
Essential and important entities under NIS2 are obligated to maintain robust cyber risk governance and response capabilities. Step one for the CISO is confirming if the organization falls under the essential entity classification—and if so, ensuring that internal stakeholders fully understand the obligations this entails.
Action Items:
- Formally identify your organization’s status under NIS2.
- Ensure the Board and executive leadership are aware of governance obligations (Article 20).
- Nominate or affirm internal responsibility for NIS2 implementation and oversight.
2. Perform a Structured Gap Analysis Against Article 21
Article 21 of NIS2 sets out detailed risk management obligations. ENISA reports that while most Member States have defined baseline controls, many entities lack formalized internal procedures for reviewing and updating cybersecurity measures .
Key Measures to Assess:
- Policies on risk analysis, incident handling, and business continuity
- Supply chain and third-party security controls
- Cyber hygiene and training
- Multi-factor authentication, cryptography, and access controls
Recommendation: Use the Implementing Regulation (EU) 2024/2690—which harmonizes Article 21 technical requirements—as the baseline for assessment.
3. Assess and Document Incident Response Readiness
ENISA highlights that many entities still lack effective incident detection, classification, and response capabilities. Yet under NIS2 Article 23, timely incident reporting is mandatory—and failure to comply can result in penalties.
Immediate Goals:
- Ensure a defined, rehearsed incident response plan exists.
- Conduct tabletop exercises focused on DDoS, ransomware, and supply chain attacks.
- Implement or enhance Security Operations Center (SOC) visibility and log collection.
4. Formalize Your Third-Party Risk Management Lifecycle
Only half of EU Member States currently address supply chain security in national strategies. ENISA notes that entities are still struggling to assess vendor risk consistently .
CISO Checklist:
- Define a structured third-party lifecycle from onboarding to offboarding.
- Perform due diligence using standardized questionnaires (e.g., CATS).
- Evaluate critical suppliers for SLA adherence, incident history, and risk profiles.
- Integrate supplier discussions into management review meetings at least twice per year.
5. Enhance Cyber Hygiene and Workforce Training
Although technical controls are crucial, ENISA’s data shows that basic digital skills remain a challenge across the EU, with cyber awareness and incident reporting procedures often unclear to employees .
CISO Priorities:
- Expand training beyond IT to include HR, Finance, and Operational units.
- Include phishing simulations and secure development by design.
- Ensure Navigators (e.g., helpdesk engineers) are specifically trained to prevent data loss.
6. Establish Metrics and Prepare for the Management Review
The Management Review process, as required by NIS2 and aligned with ISO 27001, should not be a formality. ENISA recommends that these reviews incorporate:
- Incident statistics
- Audit findings
- Supplier performance and risks
- Workforce training participation
- Remediation action status
Make sure the ISMS performance report reflects structured evidence aligned with NIS2 governance expectations.
7. Embed NIS2 Requirements into Cross-Regulatory Strategy
Don’t isolate NIS2. Integrate its requirements with DORA (for finance), CRA (product security), GDPR, and sectoral obligations. ENISA warns of fragmentation risk if legislation is interpreted and implemented in silos .
Suggested Action:
- Create a central compliance register to map NIS2 overlaps with other regulations.
- Involve legal, compliance, and risk teams in the implementation roadmap.
Conclusion: From Compliance to Resilience
For CISOs, the next 12 months are critical to transition NIS2 compliance from documentation to implementation. With enforcement mechanisms ramping up and sector-specific risk assessments on the horizon, a structured, executive-supported approach will define success.
The message from Qfirst is clear: maturity, collaboration, and operational readiness are the new standards for Europe’s cybersecurity posture.
