General Counsel

Jun 09, 2025


How to conduct a NIS2 directive impact assessment


When the revised NIS2 Directive came across my desk last year, I’ll admit it didn’t initially feel urgent. I’d survived GDPR. I’d handled PCI-DSS. But as I dug into its scope, particularly the hefty obligations for essential and important entities, a familiar sense of regulatory gravity set in. This wasn’t just another checkbox exercise. This was a structural rethinking of digital operational resilience, and it demanded a different kind of readiness.

So, I took a step back and asked the most important question: What does compliance actually look like for us? That’s where the impact assessment began.

Understanding the scope before jumping in

The NIS2 Directive expands both the sectors and the entities it covers, moving beyond the original NIS scope to include providers in sectors like manufacturing, space, food, and postal services. The first challenge? Determining whether your organization falls under essential or important entity classification.

If you operate in the EU or provide services to EU-based critical infrastructure, you’re likely in scope. But classification isn’t just academic. It affects your reporting obligations, supervisory measures, and even potential penalties.

To bring clarity to this stage, I created a matrix for our internal review team to assess eligibility based on activity type, size thresholds, and cross-border relevance.

| Criteria | Essential entity | Important entity |
| --- | --- | --- |
| Sector type | Energy, transport, health | Waste, postal, chemicals |
| Company size (as per EU thresholds) | Large enterprises | Medium-sized enterprises |
| Cross-border impact of disruption | High | Moderate |
| Subject to proactive supervision | Yes | No (reactive only) |
| Reporting obligations | Within 24 hours | Within 24-72 hours |

Table: NIS2 applicability matrix

By mapping operations against this framework, we immediately saw which business units needed to elevate their compliance posture. It also helped cut through internal debates by grounding the conversation in facts.

Mapping the operational landscape

Once we identified our exposure, the next step was understanding where the directive’s teeth would bite hardest. Unlike older directives, NIS2 integrates detailed expectations around risk management, incident reporting, business continuity, and supply chain security.

To avoid shallow analysis, I worked with ICT leads, compliance officers, and legal to break down operational components into five key domains. This enabled a structured walk-through of how we manage risk in each area and highlighted where gaps could jeopardize compliance.

| Domain | Current maturity level | NIS2 requirements met | Priority actions |
| --- | --- | --- | --- |
| Risk management | Moderate | Partial | Establish central risk register |
| Incident handling | Low | No | Develop 24/7 escalation protocol |
| Business continuity | Moderate | Partial | Formalize resilience testing schedule |
| Supply chain management | Low | No | Implement third-party risk assessments |
| Technical and organizational measures | High | Yes | Maintain and update policies quarterly |

Table: Operational domain review

Having this table in our assessment report became a conversation starter with our board. It moved the discussion from abstract policy compliance to clear, tangible tasks.

Estimating resources and assigning responsibility

Once you’ve visualized your gaps, the next pragmatic step is figuring out who’s going to do what, and how much it’ll cost. The directive is heavy on accountability, especially regarding executive liability, so vague assignments aren’t just risky, they’re non-compliant.

We crafted a resource matrix to align responsibilities across departments and define a basic project budget. This made it easier to defend our resourcing needs to management and clarify ownership early on.

| Task | Department lead | Estimated resource (hrs/month) | External support needed | Deadline |
| --- | --- | --- | --- | --- |
| Cyber risk register development | IT Security | 40 | Yes (consultants) | Q2 2025 |
| Incident response framework update | Operations | 30 | No | Q2 2025 |
| Legal review of reporting process | Legal & Compliance | 15 | No | Q1 2025 |
| Vendor risk management program | Procurement | 25 | Yes (external auditors) | Q3 2025 |

Table: Responsibility and resource matrix

When mapped this way, even reluctant departments understood their stake in the process. Resistance turned into planning.

Creating a living risk register

A core requirement of NIS2 is that entities must maintain a risk-based approach across all systems and processes. That meant going beyond static risk reports and building a living risk register—a continuously updated record of threat scenarios, control effectiveness, and remediation timelines.

To achieve this, we adopted a tiered structure: critical risks (requiring exec oversight), operational risks (tracked monthly), and vendor-related risks (updated quarterly). We also embedded automated reminders and change logs to ensure version control and accountability.

| Risk ID | Risk description | Impact level | Likelihood | Owner | Controls in place | Review frequency |
| --- | --- | --- | --- | --- | --- | --- |
| R001 | Ransomware attack on CRM system | High | Medium | CIO | Backup + EDR + MFA | Monthly |
| R002 | Vendor API downtime | Medium | High | Procurement | SLA + Monitoring | Quarterly |
| R003 | Unpatched software vulnerability | High | High | IT Security | Patch management policy | Bi-weekly |

Table: Sample structure of a NIS2 risk register

This format helped demonstrate due diligence in supervisory audits and made internal risk conversations far more precise.
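The tiered register described above, with review cadences, overdue-review reminders and a per-risk change log, can be modelled in a few dozen lines. The following is an added example and not the author's or CyberUpgrade's code; the `Risk` and `RiskRegister` names, the tier-to-cadence mapping and the last-reviewed dates are assumptions, while the three rows mirror the sample table.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TODAY = date(2025, 6, 9)  # constructed "as of" date for the sample run

@dataclass
class Risk:
    # Columns follow the post's sample register, plus a tier and cadence for reminders.
    risk_id: str
    description: str
    impact: str          # High / Medium / Low
    likelihood: str      # High / Medium / Low
    owner: str
    controls: list
    tier: str            # "critical" (exec oversight), "operational" or "vendor"
    review_every_days: int
    last_reviewed: date
    history: list = field(default_factory=list)  # change log: (date, who, what)

    def next_review(self) -> date:
        return self.last_reviewed + timedelta(days=self.review_every_days)

class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add(self, risk: Risk, who: str, on: date) -> None:
        risk.history.append((on, who, "created"))
        self.risks[risk.risk_id] = risk

    def record_review(self, risk_id: str, who: str, on: date, controls=None) -> None:
        """Mark a review done; control changes are logged so the register stays auditable."""
        r = self.risks[risk_id]
        if controls is not None and list(controls) != r.controls:
            r.history.append((on, who, f"controls {r.controls} -> {list(controls)}"))
            r.controls = list(controls)
        r.last_reviewed = on
        r.history.append((on, who, "reviewed"))

    def overdue(self, today: date) -> list:
        """Risk IDs whose scheduled review date has passed: the automated reminder list."""
        return sorted(rid for rid, r in self.risks.items() if r.next_review() < today)

    def exec_oversight(self) -> list:
        """Critical-tier risks that the post says need executive oversight."""
        return sorted(rid for rid, r in self.risks.items() if r.tier == "critical")

def build_sample_register() -> RiskRegister:
    # Constructed last-reviewed dates; cadences are monthly (30), quarterly (90), bi-weekly (14).
    reg = RiskRegister()
    reg.add(Risk("R001", "Ransomware attack on CRM system", "High", "Medium", "CIO",
                 ["Backup", "EDR", "MFA"], "critical", 30, date(2025, 5, 1)), "CIO", date(2025, 5, 1))
    reg.add(Risk("R002", "Vendor API downtime", "Medium", "High", "Procurement",
                 ["SLA", "Monitoring"], "vendor", 90, date(2025, 4, 1)), "Procurement", date(2025, 4, 1))
    reg.add(Risk("R003", "Unpatched software vulnerability", "High", "High", "IT Security",
                 ["Patch management policy"], "operational", 14, date(2025, 6, 1)), "IT Security", date(2025, 6, 1))
    return reg
```

Running `build_sample_register().overdue(TODAY)` flags only R001, whose monthly review lapsed at the end of May; recording that review appends the control change and the review to its history.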

Simplify your NIS2 impact assessment

Assessing your organization’s readiness for NIS2 compliance can feel daunting. CyberUpgrade transforms this challenge into a clear, manageable process. Our advanced platform automates the complex task of mapping your operations against NIS2 requirements, quickly identifying gaps, assigning clear ownership, and streamlining documentation—all within familiar platforms like Slack or Teams.

With the strategic support of our fractional CISO services, CyberUpgrade helps you maintain a living risk register and continuously track compliance efforts. You’ll clearly see responsibilities, resources, and progress, significantly reducing your internal workload by up to 80%, and ensuring audit readiness.

Ready to turn compliance assessments into actionable insights and operational resilience? Let CyberUpgrade guide your NIS2 impact assessment, making your digital operations stronger, safer, and fully compliant.

Building resilience from insight, not fear

One thing became clear as we wrapped up our assessment: NIS2 isn’t just about compliance. It’s about digital trust. It forces you to get honest about your operational weaknesses and finally address the risk debt that’s easy to ignore in quieter quarters.

Yes, the penalties are steep. Yes, there are many obligations. But the directive is also an opportunity to mature. If you approach the impact assessment not just as a requirement but as a blueprint for resilience, the return on effort is well worth it.

If you’re still staring at a blank impact assessment document, start with this: understand your classification, map your risks, assign your champions, and make the risks visible. The rest will follow.


General Counsel

He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.