The EU’s NIS2 Directive sets a new benchmark for cyber security and risk management across essential and important entities. With local transpositions already underway, organisations must act quickly to ensure compliance, avoid penalties, and strengthen resilience against cyber threats.
Using these four practical steps, you can build a sustainable path toward NIS2 compliance:
1. Understanding Local Transposition Requirements
While NIS2 provides an EU-wide framework, each member state has flexibility in how it is transposed into national law. For example, Belgium requires organisations to demonstrate compliance either through ISO 27001 certification or the Cyber Fundamentals Framework. Other jurisdictions may have similar or differing approaches.
Action point: Review your jurisdiction’s specific NIS2 transposition and clarify your sector’s legal requirements.
2. Choosing a Leading Framework for Compliance
To effectively manage cyber security risks and demonstrate compliance, organisations should adopt a leading framework like ISO/IEC 27001:2022 or the NIST Cybersecurity Framework (CSF) 2.0. While both are robust and widely respected, they have different strengths:
- ISO 27001 is a globally recognised standard that focuses on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its prescriptive, auditable nature makes it an excellent choice for a formal certification.
- NIST CSF 2.0 is a flexible, risk-based framework that provides guidance for managing and reducing cyber security risks. It is not certifiable but is widely used, particularly in the U.S., for building and assessing an information security programme.
For organisations seeking compliance with the NIS2 Directive, aligning with ISO 27001 is a practical choice as it is one of the explicitly referenced standards in NIS2 transposition. ISO 27001 provides specific "how-to" guidance to implement many of the NIS2 requirements.
3. Conducting a NIS2 Compliance Assessment
A NIS2 compliance assessment is a critical first step to understand your organisation's current cyber security posture and identify how to achieve compliance. An organisation's internal audit or risk management team can perform this assessment for an objective view. External providers can also do so for an independent perspective. The process involves:
- Scoping: Defining the systems, data, and processes to be included in the assessment.
- Mapping: Using your chosen framework (e.g., ISO 27001) to map against the specific requirements of the NIS2 Directive as outlined in your national law.
- Assessing: Evaluating existing cyber security controls and policies against the mapped requirements.
- Reporting: Documenting the gaps, identifying areas of non-compliance, and prioritising them based on risk.
3.1. Potential Gaps for ISO 27001-Certified Organisations
While an ISO 27001 certification is an excellent foundation for NIS2 compliance, it does not guarantee full adherence to the directive. There are still a number of potential gaps to address:
- Specific Incident Reporting: NIS2 mandates specific, strict incident reporting obligations to national authorities (e.g., CCB in Belgium) with tight deadlines (24-hour initial notification, 72-hour detailed report). ISO 27001's reporting is generally internal unless specified by other regulations.
- Sector-Specific Requirements: NIS2's focus on critical sectors may introduce requirements not explicitly covered by the general ISO 27001 standard.
- Supply Chain Security: ISO 27001 Annex A includes controls for supplier relationships. However, NIS2 requires a more granular and formalised approach to assessing and managing the cyber security risks of direct suppliers and service providers.
- Governance and Accountability: NIS2 places direct liability on senior management and board members for non-compliance, a stronger legal obligation than what is typically implied by an ISO 27001 ISMS.
4. Creating a NIS2 Compliance Roadmap
Based on the findings of your gap assessment, the next step is to develop a comprehensive NIS2 compliance roadmap. This is a strategic action plan that prioritises the identified gaps and outlines the steps, resources, and timelines needed to achieve and maintain compliance.
Key components of the roadmap include:
- Prioritised Action Plan: A list of activities to close the identified gaps, ordered by criticality and impact. This could include policy updates, new technology implementation, or staff training.
- Roles and Responsibilities: Each action item should have a clear designation of responsibility.
- Timeline and Milestones: A realistic schedule with key milestones to track progress.
To ensure the roadmap is effectively executed, an organisation should establish a NIS2 compliance monitoring team to oversee implementation. Their responsibilities include:
- Tracking the progress of action items.
- Conducting periodic reviews and internal audits.
- Reporting on the status of compliance to senior management.
- Ensuring continuous improvement by adapting to new threats and changes in the regulatory landscape.
Regular reporting to management and the board is crucial under NIS2. It reinforces accountability and provides assurance that the organisation is actively managing its cyber security risk.
Conclusion
Although the NIS2 Directive compliance process is complex, it provides organisations with a clear opportunity to strengthen their cyber security posture.
Organisations can build a structured approach to compliance by proactively engaging with the directive’s local transposition and adopting a robust framework like ISO 27001.
The NIS2 compliance assessment serves as a crucial diagnostic tool, identifying specific areas that require attention, even for organisations that are already ISO 27001 certified.
Ultimately, NIS2 compliance is not merely a box-ticking exercise; it is a strategic imperative that safeguards critical infrastructure, protects sensitive data, and builds long-term resilience against an evolving threat landscape.
Organisations that embrace this proactive and structured approach will not only meet their legal obligations but will also gain a competitive advantage through enhanced trust and a more secure operational environment.

NIS2 Directive Compliance Support
With over 30 years of experience enabling financial entities with managing risk, Thomas Murray is uniquely positioned to support your organisation through NIS2 compliance and beyond.
Our expertise lies at the intersection of cyber security, operational resilience, risk management, and regulatory compliance. Our consultants work closely with you to deliver insights based on real threat actor activity and industry-specific intelligence.