The two scope questions
The regulatory scope question and the programme scope question must be answered separately. Regulatory scope establishes which entities are in scope, which services qualify, and whether the organisation is classified as essential or important under NIS2. Programme scope is a different question: what the programme actually needs to do, at what scale, and over what timeline, given the organisation's current security position.
Most organisations answer the first and assume the second follows from it. The regulatory determination confirms what obligations apply. Establishing the gap between current security maturity and those obligations, how many separate entities require treatment, and what a proportionate programme looks like given the enforcement timeline are all separate questions that a gap assessment must answer.
What determines programme scope
Three inputs shape the size and structure of a NIS2 programme. The first is the gap between current security maturity and what NIS2 requires. A mature organisation with established controls across most areas will have a narrower programme than one building from a lower baseline. The gap assessment is the document the scope decision rests on.
The second input is the number of in-scope entities and whether they share a security baseline. An organisation with multiple legal entities in scope may run a single programme or may need separate treatment for entities with materially different risk profiles, operating environments or applicable national implementations.
The third is the enforcement timeline in the relevant Member States. NIS2 is transposed and in force in a growing number of jurisdictions. A programme that runs for eighteen months may be adequate where transposition is recent. In jurisdictions where supervisory authorities are already active, it may be too slow.
The design principle for workstreams
The most common workstream design mistake is organising work around the organisation's internal structure: IT, legal, HR, operations. That approach produces activity in each function without producing an integrated compliance position. The connection between work done and the obligation it addresses remains unclear, and the programme cannot demonstrate where it has closed a gap.
Each workstream should produce three things: a defined set of controls addressing a specific obligation area, the evidence that those controls are in place, and a named owner who carries accountability for maintaining them. A workstream that produces activity without those outputs does not advance the compliance position.
The gap register carries the mapping between workstream outputs and NIS2's obligation areas. Workstreams are organised around operational ownership: who in the organisation is best placed to build and sustain each area. The gap register provides the legal traceability and gives the management body a view of where the programme has produced a defensible position and where gaps remain open.