NIS2 Implementation in 5 Steps

Implementing NIS2 compliance can feel overwhelming, but it doesn't have to be. This practical guide breaks down NIS2 implementation into 5 clear steps that any Belgian organization can follow. By the end, you'll have a clear path from "where do I start?" to "we're compliant."


What You'll Achieve

By following this guide, you'll understand exactly where your organization stands regarding NIS2, have a clear action plan, and know how to maintain compliance over time. This isn't about perfection—it's about systematic progress.

Before You Start

  • Basic understanding of your organization's IT infrastructure
  • Access to documentation about your current security measures
  • Management support (NIS2 requires leadership involvement)
  • 2-4 hours for the initial assessment

Step 1: Assess Your Scope

Are you actually in scope for NIS2?

Not every organization needs to comply with NIS2. Before doing anything else, determine if the directive applies to you.

Actions:

  • Check if you operate in an essential or important sector
  • Verify your size: 50+ employees OR €10M+ annual turnover
  • Check whether you provide critical services (some sectors are in scope regardless of size)
  • Document your determination for audit purposes

Outcome: You'll know definitively whether NIS2 applies to you and at what level (essential or important).

Step 2: Gap Analysis

Where do you stand today?

Compare your current security measures against NIS2 requirements. This reveals exactly what you need to implement.

Actions:

  • List all current security policies and procedures
  • Map existing controls to CyberFundamentals requirements
  • Identify gaps between current state and target level
  • Assess the effort required to close each gap
  • Document existing evidence and practices

Outcome: A clear list of what you already have and what's missing, prioritized by risk and effort.

Step 3: Create an Implementation Roadmap

Plan your path to compliance

Transform your gap analysis into an actionable plan with timelines, responsibilities, and milestones.

Actions:

  • Prioritize gaps by risk level and implementation effort
  • Set realistic timelines (quick wins first)
  • Assign clear ownership for each action item
  • Define measurable milestones and checkpoints
  • Budget for tools, training, and potential external help
  • Get management sign-off on the roadmap

Outcome: A documented roadmap that everyone understands, with clear deadlines and responsibilities.

Step 4: Implement CyberFundamentals

Execute your plan systematically

The CCB's CyberFundamentals framework provides the controls you need to implement. Work through them methodically.

Actions:

  • Begin with the Small level (7 controls) as your baseline
  • Implement one control category at a time
  • Document everything as you go (policies, procedures, evidence)
  • Test controls after implementation
  • Train staff on new procedures
  • Progress to higher levels based on your sector requirements

Outcome: Implemented security controls with documentation and evidence ready for audit.

Step 5: Document and Maintain

Compliance is ongoing, not one-time

NIS2 compliance isn't a destination—it's a continuous journey. Set up processes for ongoing maintenance.

Actions:

  • Establish a regular review cycle (quarterly recommended)
  • Keep all evidence organized and accessible
  • Monitor for new threats and update controls accordingly
  • Report significant incidents within 24 hours (NIS2 early-warning requirement)
  • Conduct annual internal audits
  • Stay informed about regulatory updates

Outcome: A sustainable compliance program that evolves with your organization and the threat landscape.


CyberFundamentals Levels

Choose your target level based on your sector classification:

CyberFundamentals assurance levels and typical implementation timelines
Level      Controls  Recommended for                Typical timeline
Small      7         All organizations (baseline)   2-4 weeks
Basic      34        Standard security needs        2-3 months
Important  117       "Important" sector entities    3-4 months
Essential  140       "Essential" sector entities    4-6 months

What Success Looks Like

  • Clear documentation of your security posture
  • Implemented controls matching your required level
  • Evidence ready for regulatory audits
  • Trained staff who understand their responsibilities
  • Processes for incident reporting (24-hour requirement)
  • Regular review cycle to maintain compliance

Common Challenges & Solutions

No budget for implementation

Start with the free Small level. Many controls are procedural (policies, training) rather than requiring expensive tools. Build the business case as you go.

Lack of internal expertise

Partner with your IT provider or use a guided compliance platform. You don't need to be a security expert; you need clear, step-by-step guidance.

Management doesn't prioritize it

Present the risks: €10M fines, personal liability for management, reputational damage. NIS2 is law, not optional.

Too many controls, don't know where to start

Start with CyberFundamentals Small (7 controls). Focus on one category at a time. Progress, not perfection.

Ready to Start Your NIS2 Implementation?

Easy Cyber Protection guides you through NIS2 compliance one task at a time. Start with our free Small tier and progress at your own pace.

Frequently Asked Questions

How long does NIS2 implementation take?

For basic compliance (Small level), 2-4 weeks. For full compliance at higher levels, typically 3-6 months depending on your starting point and resources. The key is to start now and progress systematically.

Do I need to hire a consultant?

Not necessarily. With a clear framework like CyberFundamentals and a good compliance tool, many SMEs can achieve compliance internally. However, for complex organizations or Essential level requirements, external expertise can accelerate the process.

What if I miss the deadline?

NIS2 is already in effect (October 2024). If you haven't started, begin immediately. Regulators typically consider demonstrated effort and progress when assessing non-compliance. Being in the process of becoming compliant is better than ignoring it.

Can I use existing ISO 27001 certification?

Yes! ISO 27001 maps well to CyberFundamentals. If you're already certified, you likely meet many requirements. Run a gap analysis to identify any differences and document the mapping.

What happens during an audit?

Auditors review your documentation, policies, and evidence of implemented controls. They may interview staff and test controls. Having organized evidence and documented procedures makes audits straightforward.

Sources

  1. NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
  2. CyberFundamentals Framework — Centre for Cybersecurity Belgium (CCB)
  3. NIS2 Directive Overview — European Commission Digital Strategy
  4. NIS Directive Implementation — European Union Agency for Cybersecurity (ENISA)