Who this is for: IT managers and CTOs at mid-sized EU companies (50–500 employees) who need to assess their NIS2 exposure before engaging external consultants. This note doesn't replace a formal audit — it helps you understand what one will look for.

Why bother doing this yourself first

External NIS2 audits are expensive when you don't know where you stand. Auditors who find that your documentation doesn't exist, your incident response plan has never been tested, and your supplier contracts have no security clauses will spend a lot of billable hours writing down what isn't there. Doing a first-pass assessment internally before engaging anyone external means that audit time is spent on substance, not discovery.

It also forces the right conversation internally. NIS2 compliance isn't a project you can delegate to the IT department and sign off on. It requires decisions from management — on risk appetite, incident response authority, and third-party relationships — that legal and operations need to be involved in. Doing the gap analysis yourself surfaces those conversations early.

Step 1: Confirm whether you're in scope

NIS2 applies to "essential" and "important" entities in specific sectors. The size threshold is generally 50+ employees or €10M+ revenue, but sector-specific rules apply. If you operate in energy, transport, health, water, digital infrastructure, financial markets, or public administration, you're likely in scope. Manufacturing, food, chemicals, postal services, and waste management are also covered under "important" entities.

The entity classification affects your obligations. Essential entities face stricter supervisory requirements and higher maximum fines (€10M or 2% of global turnover). Important entities face lighter-touch ex-post supervision but the same technical requirements under Article 21.

If you're unsure whether you're in scope, that uncertainty is itself a gap. Your national transposition of NIS2 may add detail — France transposed NIS2 through loi n° 2023-703 in July 2023, administered by ANSSI.

Step 2: The ten Article 21 areas

Article 21(2) defines ten security areas all in-scope entities must address. Here's what each one means in practice and the questions you should ask yourself:

1. Risk analysis and information security policies

Do you have a documented security policy approved by senior management, and a formal risk assessment process that's been run in the last 12 months? If your security policy is a Word document no one reads, this is a gap.

2. Incident handling

Do you have a written incident response plan? Has anyone tested it? NIS2 requires a 24-hour early warning and 72-hour notification to your national authority for significant incidents. Do you know what triggers a "significant incident" under the directive?

3. Business continuity, backups, and disaster recovery

When did you last test your backup restoration? Do you have a documented RTO and RPO? Business continuity is often documented but rarely practised — a plan no one has followed in a drill is not a plan.

4. Supply chain security

Do your supplier contracts include security clauses? Do you know which third parties have access to your systems or data? This is one of the most commonly underprepared areas, particularly for companies that have grown through acquisition or rely heavily on SaaS tools.

5. Security in network and information systems acquisition, development and maintenance

If you develop software, do you have a secure development lifecycle? Do you patch third-party components? Do you have a process for managing vulnerabilities when they're disclosed?

6. Policies and procedures for assessing effectiveness

This is about measurement. Can you demonstrate that your security controls are working? Penetration testing results, vulnerability scan reports, and audit logs all contribute here.

7. Cybersecurity hygiene practices and training

NIS2 Article 20 also requires that management bodies receive cybersecurity training. This is frequently overlooked — it's not enough for the IT team to have done training; the board needs to have done it as well.

8. Policies on the use of cryptography and encryption

Do you have a documented encryption policy? Is sensitive data encrypted at rest and in transit? Do you have key management procedures?

9. Human resources security, access control, and asset management

Do you apply least privilege? Do you have an offboarding process that revokes access promptly? Is there an asset register for your information systems?

10. Multi-factor authentication and secure communications

MFA is now an explicit requirement, not a best practice recommendation. If your remote access, email, or administrative accounts aren't protected by MFA, that's a finding.

Step 3: Document what you find

For each area, note: what exists (policies, tools, processes), what's missing, and who owns the gap. Don't try to fix everything at once. Prioritise based on likelihood of harm and your incident notification obligations — gaps in incident handling and supply chain security tend to be the highest priority because they affect your legal obligations immediately.

Common finding: Most mid-sized companies have good technical controls in some areas (MFA, patching) and poor documentation everywhere. The problem isn't usually that the security measures don't exist — it's that there's no evidence they exist in a form that survives an audit or a significant incident.

What to do with the results

A self-assessment gives you a starting point. It won't satisfy a regulator if an incident occurs, and it won't produce the kind of documented evidence that an external audit would. But it tells you which areas need the most work before you bring in external help, and it means you're not paying someone to tell you that you don't have a written security policy.

If you run this assessment and find significant gaps in incident handling, supply chain security, or access control, those are worth addressing with external help. If the main issue is documentation — policies exist in practice but not on paper — that's often something you can fix internally before an audit.