For thousands of organisations, NIS2 arrived as a shock: "We're regulated now?" The directive's expanded scope pulls in a vast range of essential and important entities that never previously thought of themselves as cybersecurity-regulated. The instinct is to panic, buy tools, or freeze. None of those help. NIS2 is large, but it is not mysterious — and you do not have to do everything at once. You have to do the right things, in the right order.
Having built security programmes from nothing inside government and banks, I can tell you the first 90 days decide whether this becomes a controlled, fundable programme or a year of thrashing. Here is how to go from "where do we even start?" to a credible, prioritised roadmap — calmly.
First, get oriented (before you assess anything)
Three questions settle the ground:
- Are we in scope, and as what? Essential or important entity? The category affects supervision and expectations. Sector and size determine this under your national transposition.
- Who is our regulator, and what are the national specifics? NIS2 is an EU directive transposed into national law — the concrete obligations and deadlines come from your country's act, not the directive alone.
- What are our registration and reporting duties? Many entities must register with the national authority, and all must be able to report significant incidents on tight clocks (an early warning typically within 24 hours, a notification within 72).
Getting these answers first stops you assessing the wrong scope.
You don't have to do everything at once. You have to do the right things, in the right order — and be able to show the reasoning.
The 90-day arc
Orient & assess
Confirm scope and obligations. Identify your critical services and the assets, people and suppliers behind them. Run a focused gap assessment against the NIS2 measures (Article 21) — governance, risk management, incident handling, business continuity, supply-chain security, access control, cryptography, training. Aim for an honest baseline, not a perfect one.
Prioritise & govern
Turn gaps into a risk-ranked roadmap: what to do first (high risk, low effort, or legally required), next, and later — each with an owner and a date. Stand up governance: assign accountability, brief management (whose involvement NIS2 expects), and put incident-reporting workflows in place so you can meet the clocks from day one.
Implement quick wins & commit the plan
Close the cheap, high-impact gaps now — MFA, backups you've actually tested, patching cadence, an incident contact tree, basic awareness training. Formalise the multi-quarter plan, secure budget, and set the rhythm (a quarterly review) that turns compliance into an ongoing capability rather than a one-off scramble.
Practical tips: staying out of the overwhelm
- Lead with risk, not the checklist. Prioritise by what would actually hurt your critical services. A risk-based story is also what a regulator wants to see.
- Nail the incident clock early. Even before controls mature, make sure you could detect and report a significant incident within the deadlines. Regulators forgive imperfect maturity faster than a missed notification.
- Get the basics right before the exotic. Identity/MFA, patching, backups, logging and awareness prevent most real incidents. Don't buy advanced tooling on weak foundations.
- Use ISO 27001 as your scaffolding. If you build an ISMS, most NIS2 measures fall out of it — and you avoid running compliance as a separate, throwaway project.
- Don't forget the supply chain. NIS2 expects you to manage supplier risk. Start a simple register of critical suppliers and what they do for you.
- Engage management in writing. Record that leadership has been briefed and has approved the approach — accountability is part of the obligation, not optional.
- Document the journey, not just the destination. A dated gap assessment, a roadmap and evidence of progress demonstrate diligence even while you're still implementing.
- Phase the budget. Fund the quick wins immediately and stage the rest. A credible 12–18 month plan beats an unfunded wish-list.
What "good" looks like at day 90
You should be able to hand a regulator — or your own board — three things: a clear statement of scope and obligations, an honest gap assessment, and a risk-prioritised roadmap with owners, dates and management sign-off, plus evidence that the highest-risk basics are already in hand. That is a defensible position. Perfection is not expected at 90 days; direction and control are.
The pitfalls to avoid
The first trap is paralysis — trying to read the entire directive before doing anything. The second is tool-shopping: buying a platform to "solve NIS2" before you understand your own risks. The third is treating it as a one-off certificate rather than an operating discipline you maintain. NIS2 moved cybersecurity from "nice to have" to a legal duty; the organisations that thrive treat it as a capability they run, improving each quarter.
Start with orientation, lead with risk, fix the basics, and commit to a funded, owned roadmap. Do that in 90 days and NIS2 stops being an overwhelming threat and becomes what it was meant to be — a structured way to make your organisation genuinely harder to take down.
Newly in scope of NIS2?
We run focused gap assessments and turn them into a prioritised, fundable roadmap — so you can begin execution immediately, without the overwhelm.
This article is general information from circl3.tech, not legal advice. NIS2 obligations and deadlines depend on your sector, size and national transposition — we recommend a scoped assessment for your organisation.