Decision guide · Compliance
How to reach NIS2 readiness as a mid-market or enterprise operator
NIS2 readiness is not one decision; it is ten overlapping ones. The ten cybersecurity risk-management measures in Art. 21 each translate into a buying or governance decision (identity, logging, incident response, supply chain, training, crypto, backup, vulnerability management, access control, physical). The right structure treats each as its own weighted, auditable case and links them to the Art. 20 board accountability file.
TL;DR
NIS2 readiness is ten decisions. Run each one as a structured, documented decision and link all of them to board sign-off.
Who owns this decision
CISO as programme owner, management body as accountable party, IT Operations, Legal, Data Protection and Procurement as active stakeholders.
Key criteria to weight
- Scope determination: essential vs important entity, size thresholds, sector mapping. Get this wrong and everything downstream is wrong.
- Art. 20 management accountability: board training, sign-off, documented oversight of each risk-management measure.
- Art. 21 measure coverage: ten named measures, each with its own evidence trail.
- Incident reporting capability: the 24-hour / 72-hour / 30-day reporting cascade, tested end to end rather than only documented as a procedure.
- Supply-chain risk: third-party ICT suppliers in an explicit register with assessments.
- Evidence quality: decision memos, not policy PDFs. Auditors ask what was decided and why.
Step-by-step decision flow
1. Confirm scope: in scope or out, essential or important. Put the legal analysis on file.
2. Map Art. 21 measures: list each of the ten measures and its current control state.
3. Prioritise the gaps: rank by exposure, not by ease. Identity and logging usually come out on top.
4. Run each gap as a decision: each gap becomes its own decision case with a trigger, options, scoring and a memo.
5. Link to the Art. 20 file: each memo feeds a board-level master file that shows management oversight.
6. Rehearse the incident cascade: 24 hours, 72 hours, 30 days. Tabletop first, then live. Keep the evidence.
Compliance note
NIS2 applies from October 2024. National implementations continue to land across EU member states. The DecisionOS structure is deliberately aligned to Art. 20 management-body expectations.
Common pitfalls
- Running NIS2 as a policy-writing exercise instead of a decision programme.
- Treating the management body as a rubber stamp rather than the accountable party.
- No end-to-end incident cascade rehearsal.
- Third-party register missing half the critical suppliers.
FAQ
Who is in scope for NIS2?
Essential and important entities in 18 sectors, usually at 50+ employees or 10M EUR turnover, with specific exceptions. The in-scope test is often the dealbreaker up front: if you are in scope, certain decisions (identity, logging, incident reporting) become non-negotiable.
What does NIS2 Art. 20 require from management bodies?
Management bodies must approve cybersecurity risk-management measures and oversee their implementation; they are personally accountable. Practically, this means board-ready documentation of each material security decision, which is where a DecisionOS memo is designed to fit.
How do I get to NIS2 readiness in a structured way?
Start with scope, then map the ten cybersecurity risk-management measures, then run each underlying decision as a separate, auditable case. The bottleneck is documentation quality, not technical capability.
