NIS2 Implementation: Practical Roadmap
Implement NIS2 in 3-6-12 months. Practical guide with timeline, common mistakes, and tool recommendations.
Implementing NIS2: The Practical Roadmap
The NIS2 Implementation Act (NIS2UmsuCG) has been in force since 06.12.2025. The requirements are extensive, and the regulatory pressure is real: the supervisory authority can demand evidence and impose sanctions. At the same time, experience shows that building a NIS2-compliant security level typically takes 12 to 18 months. Organisations that have not yet started are already behind schedule and must act immediately.
This practical roadmap shows you how to structure NIS2 implementation in three phases. The plan is deliberately pragmatic: it prioritises measures by compliance relevance and risk reduction so that you achieve measurable progress quickly.
Timeline: 3-6-12 Months
Month 1–3: Lay the Groundwork
In the first three months, you lay the foundation for your NIS2 compliance. The focus is on assessment, governance, and quick wins. This phase is critical because it sets the direction for the entire implementation. Errors in the foundation phase propagate through the entire project.
Time investment: Allow for 15-20 person-days for the as-is analysis and 5-10 person-days for the gap analysis. The applicability assessment including legal validation typically takes 2-3 weeks. The governance setup (steering committee, project team, roles) should be in place within the first week.
1. Complete the applicability assessment: Definitively clarify whether and in which category your organisation falls under NIS2. Document the result. Use our applicability check if needed.
2. Set up governance: Appoint a NIS2 sponsor at the executive level. Assemble a project team that includes representatives from IT, legal, procurement, and business departments. Establish a steering committee.
3. Conduct the as-is analysis: Assess the current security status against the ten measures under Art. 21. Inventory IT assets, existing policies, and processes.
4. Conduct the gap analysis: Compare the current state with NIS2 requirements. Prioritise the identified gaps by risk and compliance relevance.
5. Implement quick wins: Enable multi-factor authentication for all admin accounts. Tighten the password policy. Enable logging for critical systems. Create an initial contact list for the supervisory authority.
Month 4–6: Implement Core Measures
In the second phase, you implement the central security measures. The focus is on the areas that the supervisory authority will check first during an inspection: risk analysis, incident response, documented security policies, and training records.
This phase is the most labour-intensive. Plan for 30-40 person-days for the risk analysis (including workshops with all business areas), 15-20 person-days for building the incident response process, and 10-15 person-days for creating security policies. If you engage external consultants, this is the phase with the highest consulting demand.
6. Create the risk analysis: Conduct a full risk analysis using a recognised methodology (ISO 27005, BSI 200-3). Involve all business areas. Have the results approved by senior management.
7. Build the incident response process: Define roles, escalation paths, and reporting templates. Set up technical detection (SIEM, monitoring). Prepare the authority notification chain (24h / 72h / 30 days).
8. Develop security policies: Create policies for information security, access controls, cryptography, backup, and remote work. Align them with senior management and communicate them across the organisation.
9. Launch the training programme: Conduct a first round of security awareness training. Ensure that senior management demonstrably participates. Start phishing simulations.
10. Develop business continuity plans: Create a Business Impact Analysis. Define RPO/RTO values for critical systems. Develop disaster recovery plans and test backups.
Month 7–12: Increase Maturity
In the third phase, you deepen the measures, close remaining gaps, and build a continuous improvement process. This phase distinguishes solid compliance from a mere checkbox mentality. The goal is not just to meet minimum requirements but to build a security level that withstands a supervisory audit.
Time investment: Supplier assessment alone can require 20-40 person-days, depending on the number of critical suppliers. Also plan 5-10 days for conducting and evaluating emergency exercises, and 10-15 days for the internal audit. The continuous improvement process (PDCA cycle) is not a one-time project but a permanent operating mode that must be integrated into regular workflows.
11. Build supplier assessment: Implement a structured assessment process for all critical suppliers. Embed security requirements in contracts. Conduct initial supplier audits.
12. Conduct emergency exercises: Test the incident response process in a realistic exercise. Simulate a ransomware attack or data loss. Document findings and improve processes.
13. Conduct internal audit: Review the effectiveness of all implemented measures. Use the Art. 21 measures as an audit framework. Identify improvement opportunities.
14. Establish continuous improvement: Set up a PDCA cycle (Plan-Do-Check-Act). Define KPIs for information security. Plan regular management reviews.
15. Prepare authority registration: Compile all required information for registration with the supervisory authority. For essential entities: Prepare the NIS2 compliance documentation.
Quick Wins: Immediate Actions in the First 30 Days
Regardless of where you stand in the overall project, these measures can be implemented in the first 30 days. They immediately reduce your risk, create internal visibility, and provide initial evidence for compliance documentation.
Week 1: Governance and Responsibilities
Officially appoint a NIS2 sponsor at the executive level. Document this appointment in writing with date and signature. Assemble a core team (IT director, data protection officer, procurement, legal). Schedule an initial kick-off meeting to clarify scope, timeline, and responsibilities. Create a project document with milestones. Register your organisation with the authority's reporting portal and provide the contact information.
Week 2: Technical Quick Wins
Enable multi-factor authentication (MFA) for all administrator accounts and privileged access. Check whether MFA is also active for VPN connections and cloud services. Tighten the password policy to at least 14 characters with complexity requirements. Enable logging and monitoring for critical systems (domain controller, firewalls, email servers). Ensure logs are retained for at least 90 days. Verify that automatic security updates are enabled for all endpoints.
Week 3: Start Inventory
Begin inventorying your IT assets: servers, networks, endpoints, cloud services, SaaS applications. In parallel, create an initial list of all suppliers and service providers with access to your systems or data. These lists form the basis for the risk analysis and supplier assessment. Use existing sources such as Active Directory, CMDB, contract management, and billing systems.
Week 4: Incident Response Basics
Create an emergency contact list for security incidents: Who is notified internally? Who is the contact at the supervisory authority? Which IT forensics provider will be called upon in an emergency? Define a simple escalation matrix: When is senior management informed? At what severity level is an external report made? Create an initial reporting template for the 24-hour early warning to the authority. These basics are not perfect, but they ensure you do not start from zero in an emergency. You can refine the process in the following months. Full details on the NIS2 Requirements can be found on our detail page.
Resource Planning: What Does It Really Take?
One of the most common questions during NIS2 implementation: What does it cost, and how many people do I need? The honest answer: It depends on your starting position. An organisation with an existing ISMS under ISO 27001 has already completed 70% of the work. An organisation without any information security structure faces a foundational build. Here are realistic benchmarks for a typical mid-sized company without an ISMS.
Team and Roles
Minimum staffing for organisations with 50-249 employees: a project manager (50-100% allocation in the first year, often the IT director or an external consultant), a core team of 3-5 people from IT, legal, procurement, and a business department (each with 20-30% allocation), and active involvement of senior management (at least 2 hours per week for reviews and decisions).
For organisations with 250+ employees: a full-time project manager, a CISO (internal or as an external managed CISO), a core team of 5-10 people, and dedicated specialists for incident response and risk management. Senior management should plan monthly management reviews.
Budget: Realistic Ranges
For organisations with 50-249 employees: EUR 50,000-150,000 in the first year. Typically, 30-50% goes to external consulting (gap analysis, risk analysis, policy development), 20-30% to tools (GRC platform, SIEM/monitoring, training platform), and 20-30% to technical measures (MFA rollout, backup improvements, network segmentation). From the second year, costs decrease to EUR 30,000-80,000 annually for ongoing operations, training, and regular audits.
For organisations with 250+ employees: EUR 200,000-500,000 in the first year. Larger organisations have more complex IT landscapes, more suppliers, and higher requirements for incident response and monitoring. Ongoing operations from the second year amount to EUR 100,000-250,000 annually.
These figures may seem high but must be viewed in relation to the potential sanctions: up to EUR 10 million or 2% of worldwide annual turnover for essential entities. Add personal executive liability. More on the consequences can be found on our NIS2 Penalties and Sanctions page.
Tools: What You Really Need
Not every organisation needs a SOC (Security Operations Centre) or an enterprise SIEM. For mid-sized companies, a pragmatic tool selection is crucial. These three categories cover the core needs:
- GRC Platform: For framework management, risk management, measure tracking, evidence management, and supplier assessment. An integrated platform like Kopexa replaces dozens of spreadsheets and ensures traceability and audit readiness.
- SIEM/Monitoring: For detecting security incidents and meeting reporting obligations. For mid-sized companies, cloud-based solutions such as Microsoft Sentinel, Wazuh, or comparable managed SIEM services are often sufficient.
- Training Platform: For mandatory security awareness training and phishing simulations. Providers like KnowBe4, SoSafe, or Hornetsecurity offer content specifically tailored to various markets.
Before procuring new tools, check what you already have in place. Many organisations already use Microsoft 365 E5, which includes Defender for Endpoint, Compliance Manager, and basic SIEM capabilities. Build on existing licences before introducing new tools.
The 5 Most Common Mistakes in NIS2 Implementation
From working with organisations across various industries and sizes, we know the typical stumbling blocks in NIS2 implementation. Here are the five most common mistakes and how to avoid them:
1. Starting Too Late
By far the most common mistake. The NIS2UmsuCG has been in force since 06.12.2025. Organisations that have not yet started are already behind schedule. Building a NIS2-compliant security level takes 12 to 18 months. Every month without progress increases the risk of sanctions and personal executive liability.
2. Treating NIS2 as a Pure IT Project
NIS2 affects the entire organisation. Executives are personally liable, procurement must assess suppliers, HR must organise training, and risk management must integrate cyber risks. Organisations that set up NIS2 as a pure IT project regularly fail due to organisational complexity.
3. Ignoring the Supply Chain
Supply chain security is the biggest challenge for many organisations. Supplier assessment, contractual adjustments, and continuous monitoring require considerable effort. Many organisations postpone this area and then face time pressure. Start the supplier assessment in parallel with internal implementation, not after it.
4. Neglecting Training
Security awareness training is often seen as secondary. NIS2 sees it differently: the directive explicitly obliges senior management to participate. Training records are one of the first items checked during an audit. A missing training programme is a clear compliance deficit.
5. Underestimating Documentation
The best security measure is useless if you cannot prove it. NIS2 and the supervisory authority require comprehensive documentation: risk analyses, security policies, incident logs, training records, audit reports. Organisations that treat documentation as an afterthought perform poorly in audits. More on the consequences can be found on our NIS2 Penalties and Sanctions page.
Which Tools Support NIS2 Implementation?
The complexity of NIS2 requirements makes using a dedicated GRC tool (Governance, Risk & Compliance) virtually indispensable. Manual implementation with spreadsheets and file shares is theoretically possible, but it does not scale and breaks down at the latest when evidence has to be collected and presented for an audit.
A GRC platform like Kopexa supports NIS2 implementation in multiple areas:
- Framework Management: Store NIS2 requirements as a structured framework and track implementation status. Map controls to measures and make progress transparent.
- Risk Management: Systematically capture, assess, and treat risks. Maintain a risk register and conduct risk analyses using recognised methodologies.
- Incident Management: Capture security incidents in a structured manner, define workflows for handling, and prepare notification chains to the authority.
- Evidence Management: Collect evidence centrally, version it, and provide it for audits when needed. No more scattered documents in email inboxes and network drives.
- Supplier Assessment: Classify suppliers, send assessment questionnaires, track results, and create follow-up tasks.
The advantage of an integrated platform: All information is in one place. At a glance, you can see where you stand, which measures are outstanding, and which evidence is missing. This saves time, reduces errors, and gives you confidence during audits.
Already have an ISMS under ISO 27001? Then you are building on a solid foundation. Approximately 70% of NIS2 requirements are covered by ISO 27001. Details on the overlap can be found in our NIS2 & ISO 27001 Mapping.
Related pages:
- NIS2 Requirements in Detail – All ten measures under Art. 21
- NIS2 Checklist – 10-step plan to compliance
- NIS2 Penalties and Sanctions – Fines and executive liability
- NIS2 Overview Page – Applicability check and full overview
Need support building your NIS2 compliance?
We show you how to structure implementation efficiently and which quick wins you can achieve immediately.