NIS2 gap assessment for an essential operator

Sector

Infrastructure · operator classified as an essential entity under NIS2 · 200-500 employees · 24/7 critical operations.

Initial situation

The national transposition of NIS2 required the organisation to reach a specific maturity level within defined deadlines, with significant administrative sanctions for non-compliance. The internal team knew the directive, but lacked an objective measure of how far they actually were from the required controls.

Approach

We applied an assessment framework derived from NIS2 controls mapped against ISO 27001, ENS and the competent national regulator's guidance. We covered ten domains: governance, risk management, continuity, cryptography, access management, supply chain, incident management, training, physical security and regulatory reporting. Each domain was evaluated through interviews, documentary review and technical verification where applicable. We built a six-month plan organised in quarterly work packages with defined owners.

Result

The initial gap was 35% compliance. By the end of the six-month plan the organisation reached 92% compliance against applicable controls, with the remaining 8% in a documented 12-month plan due to investment dependencies.

Lesson

NIS2 is not passed with a one-off project: it is passed with a programme the organisation can keep running once the consultant leaves.

Time and effort

4-6 week diagnostic · 6-month plan · 120-180 consulting hours spread across the engagement.

Tags

NIS2 · Compliance · Security governance · ISO 27001 · Risk management · Essential operator