For mid-sized companies, NIS2 can feel like a regulation written for utilities and telecoms giants — yet the directive deliberately pulls thousands of medium-sized manufacturers, suppliers, and service providers into scope. The good news: you do not need an enterprise security budget to comply. You need structure, sequencing, and evidence. This guide walks you through implementation in the order that actually works on the ground, drawn from real projects rather than the text of the directive alone.
Treat what follows as a project plan, not a reading list. Each step produces a concrete artifact — a scope determination, a gap register, a governance decision, an incident playbook — that auditors and regulators will eventually ask to see. If a step does not leave a paper trail, it is not finished.
Step 1: Confirm applicability and document it
Determine whether you are an "essential" or "important" entity by mapping your sector against the NIS2 Annexes and your headcount and turnover against the size thresholds. Medium entities (50+ staff or €10M+ turnover) in a covered sector are generally captured; larger ones almost certainly are. But size is not the only trigger — if you supply an essential entity, their obligations cascade to you through contracts.
- Map every line of business against Annex I (essential) and Annex II (important) sectors.
- Check whether any major customer is itself an essential entity — your supply-chain obligations follow.
- Write a short, dated scope determination memo. A regulator's first question is often "are you in scope, and how did you decide?"
- If you conclude you are out of scope, document the reasoning just as carefully — that decision must withstand challenge.
Step 2: Assess the gap against Article 21
Article 21 defines ten minimum risk-management measures. Rather than guessing, run a structured gap assessment that scores each measure on a simple maturity scale and links it to evidence you already hold. This single document becomes your roadmap, your budget justification, and your audit baseline.
- Score each of the ten measures: not started, partial, operational, or mature.
- For every "partial" or better, note where the supporting evidence lives.
- Rank gaps by risk, not by ease — close what would hurt most first.
- Keep the assessment as a living spreadsheet you revisit quarterly, not a one-off report.
Step 3: Establish governance and assign ownership
NIS2 makes management bodies personally accountable, so governance is not optional paperwork — it is the part regulators scrutinize hardest. The most common failure in mid-sized firms is a security program that lives entirely inside IT with no visible leadership involvement.
- Secure explicit management approval of the risk measures and a realistic budget.
- Name a single accountable owner — an internal lead or a virtual CISO if you lack the role in-house.
- Schedule the management training the directive requires, and keep attendance records.
- Put a recurring risk review on the leadership agenda so oversight is demonstrable, not theoretical.
Step 4: Implement controls and stand up incident reporting
With priorities clear, close the highest-risk gaps and build the operational muscle NIS2 cares about most: incident handling. The reporting clock is unforgiving — an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month of a significant incident.
- Define what counts as a "significant incident" for your organization in advance.
- Build a reporting workflow that hits the 24h / 72h / 1-month milestones without scrambling.
- Review your key suppliers and add security clauses to contracts where they are missing.
- Automate evidence capture — access reviews, training logs, patch records — so it accumulates by default.
The 24-hour early warning is not a technical problem — it is an organizational one. If your team has never rehearsed who calls whom, the first real incident is the worst possible time to find out.
Step 5: Test, rehearse, and prove readiness
A control you have never exercised is a hypothesis, not a capability. Before a regulator or a real attacker tests your incident process, test it yourself with a tabletop exercise that walks the leadership team through a realistic scenario end to end.
- Run a half-day tabletop simulating a ransomware or data-breach scenario at least annually.
- Capture the lessons and feed them back into the playbook and the risk register.
- Verify your reporting templates and contact lists are current and accessible during an outage.
Step 6: Sustain compliance as an ongoing program
NIS2 is not a milestone you pass once. It is a state you maintain. The organizations that stay compliant treat the gap register, evidence collection, and management review as a continuous cycle rather than a pre-audit panic. Keep your documentation synchronized with how the business actually operates, and each subsequent review becomes an update rather than a rebuild.
Implemented in this sequence — scope, gap, governance, controls, testing, sustainment — NIS2 becomes a manageable program even for a lean team. Start with an honest assessment, fix what matters most first, keep leadership genuinely engaged, and let your evidence accumulate naturally rather than under deadline pressure.
Topics
Related resources
Turn this into a plan that passes the audit
Book a free 30-minute consultation and we'll map your fastest, lowest-risk path to compliance — no jargon, no sales pitch.
Book a free consultation