The NIS2 Directive is not a paper exercise. It is a management responsibility with operational consequences. Many organizations are now “working on NIS2,” but the real question is: are you demonstrably on your way or mostly just talking?
In this blog post, you will find a practical quick scan that lets you determine in about 10 minutes where your organization stands.
The quick scan: five questions that reveal a lot
Answer the questions below honestly with yes or no. The goal is not to achieve a perfect score, but to gain insight into where the organization stands.
1. Is the board aware of its formal responsibility?
One of the most significant changes in NIS2 is that directors become explicitly responsible for cyber risks. This means that cybersecurity must be a permanent part of governance and decision-making.
In practical terms, this means that cyber risks are structurally on the board agenda, that responsibilities are formally established, and that periodic reporting takes place regarding digital risks and incidents. If the board is not actively involved, NIS2 almost automatically becomes a paper-based process without real impact.
2. Does the organization have an up-to-date risk analysis?
The NIS2 directive obliges organizations to take risk-based measures. This means it must first be clear which processes and systems are truly critical to the organization.
In a proper risk analysis, the most important business processes—often referred to as the “crown jewels”—are identified. Subsequently, threats and vulnerabilities are mapped out, and it is determined which risks have priority. Without this analysis, it becomes difficult to justify security measures or explain why certain choices were made.
3. Can a serious incident be reported within 24 hours?
Another important part of NIS2 is the obligation to report serious cyber incidents. Organizations must be able to submit an early warning to the competent authority within 24 hours and a more detailed incident notification within 72 hours.
This requires clear detection and escalation processes. Employees must know when an incident is reportable, who is responsible for the notification, and how the procedure works. Organizations that do not practice these processes in advance often discover during a crisis that the reporting obligation is difficult to execute.
4. Are critical suppliers actively monitored?
Digital dependencies on suppliers constitute one of the greatest risks in modern organizations. Software vendors, cloud providers, and IT service providers are often directly connected to critical processes.
The NIS2 directive therefore explicitly calls for attention to supply chain security, meaning the security of the organization's digital chain. In practice, organizations must have insight into their critical suppliers, assess those suppliers for risk, and establish security requirements contractually.
Many organizations appear to be reasonably mature internally regarding cybersecurity but have limited visibility into the risks at their suppliers.
5. Can the organization demonstrate what is happening?
NIS2 requires not only measures but also demonstrability. Regulators expect organizations to be able to show what decisions were made, which risks were assessed, and which measures were implemented.
This means that policies must be documented, decisions must be recorded, and incidents must be registered. In a legal sense, a simple rule often applies: what is not demonstrable is considered as if it does not exist.
Score and interpretation
The outcome of the quick scan provides an indication of the organization’s maturity.
- 5x yes → You are likely on track, but a formal gap analysis remains advisable.
- 3–4x yes → You have started, but there are still clear risks.
- 0–2x yes → NIS2 is likely not yet sufficiently embedded.
It is important to emphasize that NIS2 does not demand perfection. The directive focuses on demonstrable, proportionate, and structural management of cyber risks.
What does this mean concretely for organizations?
The quick scan can be a valuable tool to initiate internal dialogue. By discussing the questions together with the board, CISO, and risk management, clarity often quickly emerges regarding where the largest gaps lie.
Many organizations use such a scan as a starting point for a formal NIS2 gap analysis, a board discussion on cyber risks, or an evaluation of the digital supply chain. In other cases, it helps to determine priorities for improvement measures.
The biggest mistake organizations can make is waiting until oversight, regulation, or an incident forces them to take action. By then, the pressure is often greater and the room for maneuver smaller.
The role of supply chain monitoring
One of the most difficult parts of NIS2 is gaining insight into the digital chain. Modern organizations work with dozens to hundreds of external IT service providers, software vendors, and cloud platforms. Each of these parties can form a potential entry point for cyber risks.
Therefore, there is growing attention to solutions that continuously monitor supplier risk. Platforms such as RiskStudio focus specifically on this issue. RiskStudio was developed to give organizations insight into their digital dependencies and into cyber risks at external parties.
The platform maps out critical suppliers, monitors the digital footprint of these parties, and identifies potential vulnerabilities or incidents at an early stage. This is done according to a so-called outside-in approach: a method where risks are assessed based on publicly observable digital signals, without being dependent on questionnaires or the cooperation of suppliers.
For organizations falling under NIS2, this can help make supply chain risks more visible and demonstrable.
Conclusion
The NIS2 directive explicitly makes cybersecurity a boardroom topic. It is no longer just about technical measures, but about structural risk management throughout the entire organization.
A simple quick scan can quickly show whether the organization is actually on its way toward NIS2 compliance. It often turns out that the biggest steps are not technical, but lie in governance, responsibility, and insight into the digital chain.
Organizations that start now with the structural implementation of these processes are not only building toward compliance but, above all, toward a more resilient digital organization. In doing so, they prevent cyber risks from only becoming visible when it is already too late.
Frequently Asked Questions
Does every organization fall under NIS2?
No. The directive applies to specific sectors and size criteria. However, many organizations will deal with NIS2 indirectly through customers or suppliers.
Is ISO 27001 sufficient for NIS2?
Not automatically. ISO helps, but NIS2 sets additional requirements, especially regarding governance, incident reporting, and the supply chain.
How often should you monitor suppliers?
NIS2 requires appropriate and proportionate measures. In practice, this means continuous or periodic monitoring, depending on criticality.
What is the first step if we haven’t done anything yet?
Start with management awareness and a formal risk analysis. Without that foundation, everything remains ad hoc.