NIS2 Diagnostic Framework

Establishing scope, readiness, and programme direction in five days.

Accountability for compliance with NIS2 sits with the management body. Before an organisation can structure a programme to meet those obligations, it needs a clear picture of where it stands: whether it is in scope, whether the governance conditions exist, and what the programme ahead actually requires.

The NIS2 Diagnostic Framework is a five-day structured engagement that produces that picture, expressed in terms that are operationally understandable and legally grounded.

Who this is for

The right starting point before a programme commitment.

Uncertain whether you are in scope

The diagnostic establishes the scope picture across entities, services and jurisdictions to the level of confidence the available information allows, and identifies what legal advice is needed to confirm it.

In scope but unsure where to begin

The diagnostic maps the controls landscape, governance readiness and incident capability across the five areas the diagnostic covers, and presents a prioritised view of where a programme needs to focus.

Making a programme investment decision

The diagnostic produces the information a leadership team needs before committing: scope, governance conditions, scale of gap, and what the programme that follows needs to look like.

Method

How the five days work.

The days are sequenced so that each builds on the one before. Scope determines what governance must cover. The controls review works within the boundaries scope establishes. Day 5 draws the full picture together and presents it to senior leadership with the programme decisions it requires.

Day 1

Scope and Legal Position

Establishes which legal entities are in scope, which services fall within the NIS2 sectors, which jurisdictions apply, and how each entity is likely to be classified. Where the organisation appears out of scope, the diagnostic closes here with a written assessment.

Day 2

Governance and Sponsorship

Assesses whether the governance conditions for a programme exist: whether there is a sponsor with genuine authority, whether the management body is prepared for its Article 20 obligations, and whether accountability for sustained compliance has been considered beyond the programme itself.

Day 3

Security Controls Landscape

Produces a domain-level maturity map across the ten Article 21(2) obligation areas: where credible arrangements are in place, where they are partial, and where material gaps exist. This is the clearest single output of the diagnostic for the executive audience.

Day 4

Incident and Supply Chain Readiness

Examines the two areas carrying the highest immediate risk: whether the organisation could meet the Article 23 notification deadlines today, and whether the most significant supplier relationships have adequate security provisions in place.

Day 5

Synthesis and Programme Decision

The diagnostic team synthesises findings from Days 1 to 4 and presents them to senior leadership. The session closes with the governance decisions a programme requires: confirmed scope, a committed sponsor, and clarity on what the programme needs to look like and where it begins.

The engagement does not pull key people from their roles for extended periods. A small facilitating team runs each day's work through structured interviews and document review. The demand on the organisation's leadership is concentrated and specific.

Outputs

What the diagnostic produces.

Five structured outputs emerge from the five days. Together they form the information base for starting a full NIS2 programme. Each output maps directly to a programme deliverable or decision.

01

Provisional scope statement

A structured document recording which entities appear to be in scope, which services they provide within the NIS2 sectors, which jurisdictions apply, and how each entity is likely to be classified. Scope uncertainties are recorded explicitly. The programme's first task is to convert this statement into a confirmed scope document through qualified legal advice in each relevant jurisdiction.

02

Governance readiness assessment

A clear statement of whether the governance conditions for a programme are in place: whether there is a sponsor with the authority the role requires, whether the board is prepared for its obligations under NIS2, and whether accountability for compliance after the programme closes has been considered. Where conditions are insufficient, the assessment identifies specifically what needs to change before the programme can be governed adequately.

03

Controls and obligations map

A clear picture of where the organisation stands across each area of the NIS2 controls framework, identifying where credible arrangements are in place, where they are partial, and where material gaps exist. This is the input that determines which areas the programme addresses first and where the most significant work lies.

04

Incident readiness assessment

An honest assessment of whether the organisation could meet the regulatory notification deadlines if a significant incident occurred today. Where material gaps exist, the assessment identifies specifically what needs to change. Gaps serious enough to address before the programme formally begins are called out directly.

05

Supply chain exposure map

A structured view of the most significant supplier relationships and their current contractual security position, identifying where the most material gaps are. Supply chain work has the longest external timeline of any area of the programme; the map allows it to begin from the first day, before other areas are ready.

What comes next

The diagnostic is the start, not the answer.

The provisional scope statement becomes a confirmed scope document once legal advice has resolved its uncertainties. The governance assessment drives the programme governance structure. The controls and obligations map determines which areas the programme addresses first. The incident and supply chain assessments identify the areas where work needs to begin ahead of the broader programme.

The full work still lies ahead: qualified legal advice on scope, a detailed controls assessment, programme design and delivery, and a final validation phase before a functioning compliance capability is handed to those responsible for sustaining it. The diagnostic does not replace that work. It gives the organisation the information to commission it with confidence.

Enquire about the diagnostic

Ready to establish your NIS2 position?