How to Conduct a NIS2 Gap Analysis: Step-by-Step Readiness Assessment for 2026

A NIS2 gap analysis is the single most important action your organization can take right now. Not because it’s a regulatory requirement in itself — but because it tells you exactly where you stand before your national supervisory authority shows up unannounced.

Since October 2024, EU Member States have been transposing NIS2 into national law and establishing enforcement mechanisms. France’s ANSSI has already issued formal notices (NIS2 France ANSSI Compliance Guide). Germany’s BSI is conducting supervisory visits (BSI NIS2 Enforcement: What German Entities Must Do). Italy’s ACN and Spain’s INCIBE are building their supervisory capabilities (NIS2 Italy ACN Guide, NIS2 Spain INCIBE Guide).

The organizations that survive enforcement are the ones that conducted a thorough gap analysis early and addressed critical gaps before regulators arrived. This guide gives you the complete methodology.

What Is a NIS2 Gap Analysis?

A NIS2 gap analysis is a structured comparison between your current cybersecurity posture and the requirements defined in the NIS2 Directive (EU 2022/2555), specifically:

• Article 21: Technical, operational, and organizational security measures
• Article 20: Management body responsibilities and governance
• Article 23: Incident reporting obligations (24h/72h/1-month timelines)
• Article 32: Obligations for essential and important entities

The goal is to identify specific gaps — controls that are missing, partially implemented, or inadequately documented — and produce a remediation roadmap with priorities, timelines, and cost estimates.

Key distinction: A gap analysis is NOT the same as a risk assessment. A risk assessment identifies threats and vulnerabilities. A gap analysis measures your current state against a specific regulatory standard. You need both, but the gap analysis is what tells you whether you’re compliant.

Before You Start: Determine Your Entity Classification

Your gap analysis scope depends entirely on whether you’re an essential entity or an important entity. The requirements differ in scope and enforcement intensity.

Factor	Essential Entity	Important Entity
Size threshold	250+ employees OR €50M turnover + €43M balance sheet	50–249 employees OR €10M–€50M turnover
Sectors	Energy, transport, banking, financial market infra, health, drinking water, digital infrastructure, ICT service management, public administration, space	All essential sectors plus postal, waste management, chemicals, food, medical devices, manufacturing, digital providers

For more on this topic, see our How NIS2 Compliance Lowers Cyber Insurance Premiums. | Supervision | Ex-ante (proactive, ongoing) | Ex-post (after incidents or complaints) | | Max fines | €10M or 2% global turnover | €7M or 1.4% global turnover | | Personal liability | Management bodies personally liable | Proportionate measures |

Not sure which category applies to you? Check our detailed breakdown in NIS2 Essential vs Important Entities: Complete Classification Guide.

The 7-Step NIS2 Gap Analysis Methodology

Step 1: Asset Inventory and Scope Definition (Week 1)

You cannot analyze gaps against requirements you haven’t mapped to your environment. Start by documenting:

Network and Information Systems:

• All IT systems, OT systems, and IoT devices in scope
• Network diagrams and data flow maps
• Cloud services and SaaS applications
• Third-party integrations and APIs

Data Assets:

• Classification of data processed (personal, financial, operational, sensitive)
• Data storage locations and processing activities
• Data flows between systems and to third parties

Organizational Scope:

• Legal entities, subsidiaries, and branch offices
• Geographic locations and cross-border data flows
• Outsourced functions and managed service providers

Output: Complete asset register with NIS2-relevant classification. This becomes the foundation for all subsequent gap identification.

Step 2: Map Requirements to Controls (Week 2)

NIS2 Article 21 defines 10 mandatory security measures. For each one, map what the directive requires to what controls you currently have in place:

#	Article 21 Measure	Key Requirements	Your Current Control
1	Risk analysis and information system security policies	Documented policies, periodic risk assessments, all-hazards approach	[Document here]
2	Incident handling	Detection, analysis, containment, recovery procedures	[Document here]
3	Business continuity and crisis management	BCDR plans, backup procedures, crisis communication	[Document here]
4	Supply chain security	Third-party risk assessments, contractual security clauses	[Document here]
5	Security of network and information systems	Network segmentation, vulnerability management, patch management	[Document here]
6	Systems acquisition, development, and maintenance	Secure SDLC, change management, configuration management	[Document here]
7	Risk assessment and operational security	Threat intelligence, penetration testing, security monitoring	[Document here]
8	Cryptography and encryption	Encryption at rest and in transit, key management	[Document here]
9	Human resources security	Security awareness training, role-based access, background checks	[Document here]
10	Multi-factor authentication and access control	MFA implementation, privileged access management, zero trust	[Document here]

For a detailed breakdown of each measure, see our NIS2 Article 21 Technical Measures: Complete Security Requirements guide.

Step 3: Evidence Collection and Documentation Review (Week 2–3)

For each control mapped in Step 2, collect evidence of implementation:

Document Evidence:

• Security policies and procedures (are they current? approved? communicated?)
• Risk assessment reports (when was the last one? does it cover all systems?)
• Incident response playbooks (are they tested? updated in the last 12 months?)
• Training records (who completed what, when, pass rates)
• Third-party audit reports (SOC 2, ISO 27001, penetration test results)

Technical Evidence:

• SIEM logs and alert configurations
• Vulnerability scan reports
• Patch management compliance reports
• MFA enrollment rates
• Backup and recovery test results
• Network segmentation diagrams

Gap rating scale:

• ✅ Compliant — Control implemented, documented, tested, and evidence available
• ⚠️ Partial — Control exists but incomplete, undocumented, or not tested
• ❌ Gap — Control missing or fundamentally inadequate
• 🔍 Unknown — Cannot determine status (needs investigation)

Step 4: Gap Assessment and Risk Scoring (Week 3)

Not all gaps carry equal risk. Score each gap on two dimensions:

Impact Score (1–5): What happens if this gap is exploited or discovered by regulators?

• 5 = Regulatory fine likely + operational disruption
• 4 = Regulatory warning + significant security risk
• 3 = Moderate security risk, limited regulatory attention
• 2 = Low security risk, minor compliance issue
• 1 = Administrative gap, minimal risk

Effort Score (1–5): How much time, money, and resources to close this gap?

• 5 = Major project (6+ months, €100K+)
• 4 = Significant project (3–6 months, €30K–€100K)
• 3 = Moderate effort (1–3 months, €10K–€30K)
• 2 = Minor effort (1–4 weeks, €2K–€10K)
• 1 = Quick win (< 1 week, < €2K)

Priority = Impact × Effort — High-impact, low-effort gaps are your quick wins. High-impact, high-effort gaps need immediate planning.

Step 5: Incident Reporting Readiness Check (Week 3)

Article 23’s incident reporting requirements are the most time-sensitive NIS2 obligation. Your gap analysis must specifically assess readiness for the three reporting windows:

24-Hour Early Warning:

• Do you have a process to detect significant incidents within hours?
• Can you classify an incident as “significant” within the NIS2 definition?
• Do you know which national CSIRT to notify?
• Is there a pre-drafted early warning template ready to fill in?

72-Hour Incident Notification:

• Can you provide initial assessment of severity and impact within 72 hours?
• Do you have a process to determine cross-border impact?
• Can you identify indicators of compromise for the notification?

1-Month Final Report:

• Do you have a post-incident review process that captures root cause, threat type, and mitigation measures?
• Can you produce the required final report format within one month?

For detailed reporting requirements, see NIS2 Incident Reporting Requirements: Complete Guide.

Step 6: Governance and Management Body Assessment (Week 4)

NIS2 Article 20 introduces personal liability for management bodies. Your gap analysis must assess:

• Has the board approved cybersecurity risk management measures?
• Does the board receive regular cybersecurity briefings (at least quarterly)?
• Are management body members trained in cybersecurity?
• Is there a defined escalation path from security team to board?
• Are cybersecurity responsibilities documented in management role descriptions?
• Does the organization have cyber insurance to protect against management liability?

This is where many organizations have their biggest gaps. Board-level cybersecurity governance is new for most EU companies, and the personal liability provisions in NIS2 Board Liability: Management Personal Fines make this a non-negotiable priority.

Step 7: Produce the Remediation Roadmap (Week 4)

Compile all findings into a structured remediation plan:

Phase 1 — Critical (0–3 months):

• Close gaps that could trigger regulatory action immediately
• Implement incident detection and reporting processes
• Establish board-level governance structures
• Deploy multi-factor authentication across all critical systems

Phase 2 — High Priority (3–6 months):

• Complete supply chain risk assessments (NIS2 Supply Chain Guide)
• Implement business continuity and crisis management plans
• Conduct organization-wide security awareness training
• Document all security policies and procedures

Phase 3 — Enhancement (6–12 months):

• Achieve full Article 21 compliance across all 10 measures
• Conduct penetration testing and vulnerability assessments
• Establish continuous monitoring capabilities
• Prepare for supervisory audits

Phase 4 — Optimization (12–18 months):

• Achieve maturity level suitable for certification (ISO 27001 alignment)
• Implement advanced threat detection and response
• Establish metrics and KPIs for ongoing compliance monitoring

Free NIS2 Compliance Checklist

We’ve distilled the gap analysis into a 15-point checklist you can use to quickly assess your readiness. Download it free — it covers all 10 Article 21 measures plus incident reporting and governance requirements:

👉 Download the Free NIS2 Compliance Checklist PDF — 15-point guide with Article references and implementation tips.

How Much Does a NIS2 Gap Analysis Cost?

The cost of conducting a gap analysis depends on your approach:

Approach	Cost	Timeline	Best For
DIY with templates	€2,000–€8,000 (staff time)	4–8 weeks	Small important entities with basic security
Hybrid (DIY + advisor)	€10,000–€30,000	3–6 weeks	Medium entities with some controls
External consultant	€20,000–€80,000	2–4 weeks	Essential entities, complex environments
Full compliance audit	€50,000–€200,000	4–8 weeks	Large essential entities in regulated sectors

For a detailed breakdown of all NIS2 compliance costs, see NIS2 Compliance Cost: What Companies Actually Spend in 2026.

The Cyber Insurance Dimension

Here’s what most gap analysis guides won’t tell you: your NIS2 gap analysis doubles as cyber insurance preparation.

Every gap you identify is a risk factor that underwriters evaluate during the application process. Organizations that can demonstrate they’ve conducted a thorough gap analysis and have a remediation plan in place receive significantly better insurance terms than those that haven’t.

Why it matters:

• Underwriters ask specifically about NIS2 compliance during the application process (Cyber Insurance Buying Guide 2026)
• A documented gap analysis shows due diligence — even if gaps exist
• Closed gaps directly reduce premiums by reducing risk exposure
• Board-level governance requirements overlap with insurance policy conditions

Use our Cyber Risk Calculator to estimate your current risk profile and see how compliance improvements affect your insurance costs.

Common Mistakes to Avoid

1. Treating the gap analysis as a one-time exercise. NIS2 requires continuous compliance. Your gap analysis should be repeated at least annually and whenever significant changes occur (new systems, acquisitions, regulatory updates).

2. Ignoring supply chain dependencies. Article 21(d) explicitly requires supply chain security. Your gap analysis must extend to critical third parties, not just internal systems.

3. Focusing only on technical measures. NIS2 is equally about governance, training, policies, and documentation. Management body liability under Article 20 is a governance requirement, not a technical one.

4. Underestimating incident reporting readiness. The 24-hour early warning window is extremely tight. If you can’t detect and classify a significant incident within hours, you have a critical gap regardless of your other controls.

5. Skipping documentation. A gap analysis that isn’t documented doesn’t exist from a regulatory perspective. Every finding, every evidence review, every remediation plan must be written down and maintained.

IT Manager Action Plan

If you’re an IT manager tasked with NIS2 compliance, the gap analysis is your starting point. Here’s a condensed action plan:

1. Week 1: Download the free NIS2 compliance checklist and complete an initial self-assessment
2. Week 2: Map your top 5 critical gaps to the Article 21 requirements
3. Week 3: Present findings to management with cost estimates and timelines — reference the NIS2 Compliance IT Manager Action Plan
4. Week 4: Begin remediating quick wins (MFA deployment, policy documentation, CSIRT contact identification)
5. Month 2–3: Tackle high-impact gaps (incident detection, supply chain assessment, business continuity)
6. Month 4+: Work toward full Article 21 compliance and prepare for supervisory audits

Key Takeaways

• A NIS2 gap analysis compares your current cybersecurity posture against specific NIS2 requirements — it’s the foundation of any compliance program
• The 7-step methodology covers asset inventory, requirement mapping, evidence collection, gap scoring, incident reporting readiness, governance assessment, and remediation planning
• Not all gaps are equal — prioritize by impact and effort to maximize compliance ROI
• Your gap analysis doubles as cyber insurance preparation — use it to improve both compliance and insurance terms
• Document everything — an undocumented gap analysis is worthless from a regulatory perspective
• Repeat at least annually — NIS2 requires continuous compliance, not point-in-time certification

Ready to start? Download the free NIS2 compliance checklist for a 15-point quick assessment, or use our Cyber Risk Calculator to benchmark your security posture against industry standards.

---

Need ongoing NIS2 compliance support? Join as a founding member for unlimited access to compliance tools, premium reports, and expert analysis — €19/month for the first 50 members.