The NIS2 directive extends cybersecurity obligations to far more companies than its predecessor. For many organisations it means the first time that the management board is personally accountable for information security. Below is a practical path we take with clients.

Step 1: determine whether NIS2 applies to you

Before you spend a single zloty, check whether you are an essential or important entity. It depends on the sector and the size of the organisation, measured by headcount and turnover.

  • List the sectors the company operates in and compare them with the directive’s annexes.
  • Check the size thresholds. Some companies fall under NIS2 despite a small IT department.
  • Take the supply chain into account. Large clients can require compliance contractually, even if you formally do not have to.

In practice the most misunderstandings come from the assumption that NIS2 concerns only large companies. That is a mistake that ends in a late start.

Step 2: carry out a gap analysis

Once you know the directive covers you, take an honest snapshot of the current state. Compare what you have with the NIS2 requirements.

What to check

  • Risk management: whether it exists at all and whether it is documented.
  • Access control, multi-factor authentication and identity management.
  • Backups and the ability to recover after a failure.
  • Incident handling and reporting.
  • Security of the supply chain and IT providers.

The result of this step is a list of gaps ordered by risk, not by what is easiest to buy.

Step 3: implement measures starting from the biggest risk

Do not try to do everything at once. Start with the areas that reduce risk the most at a reasonable cost.

  • Roll out MFA and tidy up permissions. It is a cheap change with a big effect.
  • Ensure ransomware-resistant backups and test the restore.
  • Deploy EDR-class device protection and basic monitoring.

Only once you have the foundation should you move to more advanced measures. Compliance that does not raise real security is a waste of money.

Step 4: write procedures that can actually be used

NIS2 requires procedures, but only those used in practice make sense. Focus on documents someone will actually open in a crisis.

  • A procedure for risk management and reviews.
  • A business continuity and recovery plan.
  • A procedure for handling and reporting incidents, with deadlines.

Step 5: prepare for incident reporting

This is one of the tougher requirements. The company must be able to detect an incident, assess it and report it within the set time.

  • Establish who makes the decision to report and on what basis.
  • Ensure the ability to gather the facts: logs, scope, data.
  • Rehearse the scenario before it happens for real.

Step 6: maintain compliance over time

NIS2 is a process, not a project with an end date. Plan reviews, updates to procedures and training for the team, including the management, whom the directive concerns directly.

If you want to go through this path with someone who has done it many times, take a look at our NIS2 implementation service. We start with a gap analysis, not with an invoice for software.