What the management body is accountable for before a programme begins
Article 20 of NIS2 places accountability for cybersecurity risk management measures with the management body. That accountability does not begin when the programme closes and hands over a compliance position. It applies from the point the obligation exists. A management body that approves a programme without understanding the scope, governance conditions and scale of work it is approving has not discharged that responsibility adequately.
Supervisory authorities conducting inspections, particularly following an incident, will examine what the management body knew, when it knew it, and what decisions it made on that basis. An organisation that proceeded without establishing its position has a weaker answer to those questions than one that took a structured approach from the outset.
What a diagnostic establishes
A five-day diagnostic covers the five areas an organisation must understand before committing to a programme.
- Scope: which entities are in scope, which services fall within the NIS2 sectors, which jurisdictions apply, and how each entity is likely to be classified. Where the organisation appears out of scope, the diagnostic closes with a written assessment rather than committing to work that is not required.
- Governance: whether a sponsor with genuine authority exists, whether the management body understands its Article 20 obligations, and whether accountability for sustained compliance beyond the programme has been considered. A programme without adequate governance will not deliver an adequate outcome.
- Controls: a domain-level view across the ten Article 21(2) obligation areas: where credible arrangements are in place, where they are partial, and where material gaps exist. This is the input that determines where the programme focuses and what it will cost.
- Incident readiness: whether the organisation could meet the Article 23 notification deadlines today. Gaps in this area carry immediate risk regardless of where the broader programme is in its timeline.
- Supply chain: the current contractual security position of the most significant supplier relationships. Supply chain remediation has the longest external timeline of any area; identifying the gaps early allows that work to begin before other areas are ready.
When a diagnostic is the right starting point
Three types of organisation benefit most from a diagnostic before committing to a programme. The first is an organisation uncertain whether it is in scope: the diagnostic establishes the entity, service and jurisdictional picture to the level of confidence the available information allows, and identifies what legal advice is needed to confirm it.
The second is an organisation that knows it is in scope but has not yet examined what the obligation requires of it in practice. The controls review, governance assessment and incident readiness work produce a clear, honest picture of where the programme needs to focus and what the required investment looks like.
The third is a leadership team that needs a clear, evidenced picture before making a programme investment decision. The diagnostic produces the five structured outputs that decision requires: provisional scope, governance readiness, controls position, incident capability and supply chain exposure.