NIS2 gap analysis

NIS2 gap analysis: commercial long-tail guide with concrete steps, pitfalls and a clear path to ISO Ready.

ISO Ready helps you align policy, risk, and evidence — without endless document churn.

What readiness means commercially

NIS2 gap analysis is measurable audit preparedness: maturity (process) + evidence (proof) + gaps (what is still missing).

Maturity levels in plain language

Level 1: ad hoc. Level 2: repeatable. Level 3: defined and measured. Level 4: optimised. Certification typically needs level 3 on the core processes in scope.

Gap analysis vs readiness scan

Gap analysis is deep; a scan is faster and prioritises top actions. Use scans for budget approval, gap analysis for the implementation plan.

Implementation and project planning

Every gap needs owner, due date and evidence type. Without follow-up, readiness is a snapshot. Executives need a monthly view.

NIS2 and ISO 27001 together

Separate registers per regulation, one risk story and one improvement loop.

Common mistakes

No line-management ownership, policy-only uploads (documents without operational evidence), and no re-test after fixes. Auditors sample real behaviour, not intentions.

Checklist

  • Baseline maturity
  • Run scan or gap
  • Prioritise risks
  • Quarterly implementation plan
  • Re-check before internal audit

Next step with ISO Ready

For NIS2 gap analysis, ISO Ready keeps gaps, actions and evidence in one workflow — moving from search intent to audit-ready status with less spreadsheet drift. Run the readiness scan on iso-ready.nl (UTM: content_hub).

It does not replace a certification body: you retain ownership of scope, risk and decisions.

Practice notes

In SME and SaaS programmes, NIS2 gap analysis often stalls when the analysis is discussed but not recorded with owners and evidence. Certification bodies sample three tracks: policy, operation and monitoring. Missing any one track yields a finding, even with good intent.

State which systems, suppliers and roles are in scope. Record change and exception decisions (who may deviate, for how long, with what risk). Link actions to the risk register so controls are clearly tied to analysis.

Give executives three quarterly numbers: open high-risk actions, mean time to close corrective actions, and percentage of controls with fresh evidence. That makes NIS2 gap analysis governable rather than abstract.

Key takeaways

  • Start with scope and maturity — not document volume.
  • Link every control to evidence and an owner.
  • Use readiness/gap before locking budget.

Frequently asked questions

What does NIS2 gap analysis typically cost in time and money?
It depends on scope and maturity. Start with a readiness or gap assessment before presenting a fixed budget.

Can we certify without a consultant?
Yes, if you have senior ownership and audit literacy. Software helps execution and evidence, not scope governance.

How fast can we become audit-ready?
Limited scope and solid logging: a few months. Complex chains or legacy IT: often six months or more.

Gap analysis vs scan?
Scans prioritise quickly; gap analyses feed the implementation plan. Many teams scan first, then gap.

Why ISO Ready after reading this?
Because you need one place to track actions, evidence and risks; otherwise content does not turn into progress.

Run the NIS2 readiness scan

Align NIS2 expectations with your existing management system.