
How to Run a NIS2 Gap Analysis: A Step-by-Step Guide for Your Organisation

By NIS2Certify
Tags: NIS2, gap analysis, compliance, cybersecurity, Article 21, risk management

A compliance officer at a Dutch logistics company opens a spreadsheet. Across the top: the ten cybersecurity measures from NIS2 Article 21. Down the side: every department, system, and process the company runs. Most cells are empty. She now knows exactly where the problems are — and more importantly, where to spend the budget first.

That spreadsheet is a NIS2 gap analysis. It is the single most useful step any organisation can take right now, before enforcement deadlines hit and regulators start asking questions.

If your organisation falls under NIS2 — or suspects it might — here is how to run one properly.

What a NIS2 Gap Analysis Actually Is

A gap analysis compares what your organisation does today against what NIS2 requires. Nothing more, nothing less.

NIS2 is not a certification. It is a legal obligation under EU Directive 2022/2555 that requires organisations in covered sectors to implement specific cybersecurity measures, report incidents within strict deadlines, and ensure board-level oversight of security.

A gap analysis maps your current security posture against these requirements and produces a clear list of what is missing, what is partially in place, and what is already compliant. The output is a prioritised action plan — not a pass/fail verdict.

If your organisation already holds ISO 27001 certification, you have a head start. But NIS2 and ISO 27001 are not the same thing — the directive includes specific obligations around incident reporting timelines, supply chain security, and board liability that ISO 27001 does not cover.

Step 1: Confirm You Are in Scope

Before investing time in a full gap analysis, verify that NIS2 actually applies to your organisation. The scope rules are straightforward:

  • Your organisation operates in one of the essential or important sectors defined by the directive
  • You have 50 or more employees, or annual turnover exceeding EUR 10 million
  • Some entities — DNS providers, trust service providers, TLD registries — are always in scope regardless of size

Do not overlook the supply chain angle. Even if your organisation is below the thresholds, your largest clients may be NIS2 entities. Under Article 21(2)(d), they are required to manage supply chain security risks — which means they will start demanding evidence of your security posture.

Does NIS2 Apply to Your Organisation?

  1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? (Yes / No)
  2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? (Yes / No)
  3. Is your organisation a critical infrastructure provider or a qualified trust service provider? (Yes / No)

Possible outcomes:

  • Does not apply: NIS2 does not directly apply to your organisation.
  • Applies: NIS2 applies to your organisation as an Essential or Important Entity.
  • Possibly applies: NIS2 may apply to your organisation — seek legal advice to confirm your status.

Step 2: Map Against the 10 Article 21 Measures

Article 21 is the backbone of NIS2 compliance. It prescribes ten minimum cybersecurity risk-management measures that every entity in scope must implement. Your gap analysis should assess each one individually.

Article 21 — 10 NIS2 Cybersecurity Measures

Governance & Strategy
  1. Risk analysis & information security policies
  6. Effectiveness assessment of security measures

Incident & Continuity
  2. Incident handling & notification
  3. Business continuity & disaster recovery

Supply Chain & Systems
  4. Supply chain security
  5. Security in network & information systems development

Technical Controls
  8. Cryptography & encryption
  10. Multi-factor authentication & secure communications

People & Assets
  7. Cyber hygiene & training
  9. HR security & access control

For each measure, document three things:

  1. Current state — what exists today? Policies, tools, processes, evidence
  2. Gap — what is missing or incomplete compared to the NIS2 requirement?
  3. Priority — how critical is this gap based on risk and enforcement likelihood?

Here is how to approach the assessment for the measures where organisations most commonly fall short.

Risk Analysis and Information Security Policies

Do you have a documented, board-approved information security policy? Not a five-year-old document sitting in SharePoint — a current policy that reflects your actual risk landscape and has been formally approved by management as Article 20 requires.

What to check: Date of last board approval, whether the policy covers all NIS2-relevant systems, whether it has been communicated to employees.

Incident Handling

Can your organisation detect, classify, and report a cybersecurity incident within 24 hours? The NIS2 reporting deadlines — 24 hours for early warning, 72 hours for full notification, one month for the final report — require processes that most mid-sized organisations do not have.

NIS2 Incident Reporting Timeline

  • Early Warning (24h): Notify the competent authority (CSIRT/NCA) within 24 hours of becoming aware of a significant incident.
  • Incident Notification (72h): Submit a detailed notification within 72 hours with an initial assessment of severity, impact and indicators of compromise.
  • Final Report (1 month): Deliver a comprehensive final report within one month covering root cause, remediation taken and cross-border impact.

What to check: Defined escalation procedures, contact details for the national CSIRT, template notifications, monitoring tools that support detection within the required timeframe.

Supply Chain Security

This is the measure most organisations underestimate. Article 21(2)(d) requires you to assess and manage the security risks in your supply chain — including your IT service providers, cloud vendors, and software suppliers.

What to check: Contracts with security clauses, supplier risk assessments, right-to-audit clauses, incident notification requirements for suppliers.

Effectiveness Assessment

Having security measures is not enough. Article 21 requires you to evaluate whether those measures actually work. This means testing, auditing, and reviewing — regularly, not once.

What to check: Penetration test reports, internal audit schedule, metrics for measuring security control effectiveness, follow-up on previous findings.

Step 3: Score Your Gaps

Use a simple three-level scoring system for each of the ten measures:

| Score | Meaning                                                     | Action Required               |
|-------|-------------------------------------------------------------|-------------------------------|
| Green | Measure is implemented, documented, and regularly reviewed  | Maintain and evidence         |
| Amber | Partially implemented or documentation is outdated          | Remediate within 3-6 months   |
| Red   | Not implemented or fundamentally lacking                    | Prioritise immediately        |

Be honest. The gap analysis is an internal tool — inflating your scores defeats the purpose. When a regulator eventually asks for evidence of your NIS2 compliance programme, a genuine gap analysis with a clear remediation timeline demonstrates far more maturity than a polished document that does not reflect reality.

Step 4: Prioritise by Risk and Regulatory Focus

Not all gaps carry equal weight. Prioritise based on two factors:

Risk exposure — which gaps, if exploited, would cause the most damage to your organisation? A weak vulnerability management process (measure 5) combined with weak incident handling (measure 2) creates a scenario where a breach goes undetected and unreported — triggering both operational damage and regulatory penalties.

Regulatory focus — EU national authorities have indicated that initial enforcement will concentrate on:

  • Registration compliance (are you registered?)
  • Incident reporting capabilities (can you meet the 24/72 deadlines?)
  • Board-level governance (has your management approved cybersecurity measures?)
  • Supply chain due diligence (have you assessed your suppliers?)

These four areas should be at the top of your remediation list regardless of your internal risk assessment.

Step 5: Build Your Remediation Roadmap

Transform your gap analysis into a concrete action plan with owners, deadlines, and budget estimates.

Quick wins (1-3 months):

  • Formalise board approval of existing security policies
  • Schedule management cybersecurity training (Article 20 requirement)
  • Register with your national authority if the portal is open
  • Establish an incident response contact chain

Medium-term actions (3-6 months):

  • Implement or upgrade monitoring and detection capabilities
  • Conduct supplier security assessments for critical vendors
  • Deploy multi-factor authentication across all critical systems
  • Develop and test incident notification templates

Longer-term initiatives (6-12 months):

  • Build a continuous effectiveness assessment programme
  • Integrate supply chain security requirements into procurement processes
  • Establish a regular audit and review cycle
  • Align business continuity plans with NIS2 requirements

Common Mistakes in NIS2 Gap Analyses

Treating it as a one-off exercise. NIS2 compliance is ongoing. Your gap analysis should be a living document that you revisit quarterly — at minimum after any significant change in your IT environment, organisational structure, or threat landscape.

Ignoring the supply chain. Organisations tend to focus inward. But Article 21(2)(d) explicitly requires you to look outward — at your suppliers, service providers, and dependencies. A gap analysis that stops at your own perimeter is incomplete.

Skipping the board. Article 20 makes management bodies personally accountable. If your board has not been briefed on the gap analysis results and has not formally approved the remediation plan, you have a governance gap that regulators will notice.

Over-engineering the process. You do not need a six-month consulting engagement to run a gap analysis. A structured self-assessment against the ten Article 21 measures, done honestly and documented properly, gets you 80% of the way there.

Start With a Quick Assessment

Running a full NIS2 gap analysis takes time and internal coordination. But you can get a clear initial picture in minutes.

Take the free NIS2 Quick Scan — it maps your organisation against the Article 21 requirements and shows you exactly where your biggest gaps are. It is the fastest way to understand your NIS2 readiness before committing to a full remediation programme.

The organisations that start their gap analysis now — while enforcement is ramping up across Europe — will have the time to close gaps methodically, without the pressure and premium costs that come with last-minute compliance rushes.
