NIS2 Programme Design and Delivery

Building compliance capability across twelve to twenty-four months.

A NIS2 programme is the structured, governed body of work that builds the compliance capability an organisation in scope is legally required to maintain. It spans legal, compliance, risk, IT, operations, HR, and procurement, and runs from mobilisation through to a formal handover to those who will sustain what the programme has built.

A completed programme leaves the organisation with a functioning compliance capability: cybersecurity risk managed through a defined process, incidents detectable and notifiable within the required timelines, suppliers assessed, the management body properly informed and having approved the security measures it is accountable for, and documentation that supports supervisory scrutiny.

Method

How the programme is structured.

The first two phases establish the conditions and the evidence base on which everything downstream depends. Each subsequent phase builds directly on the one before. The programme cannot be resequenced without undermining the work that follows.

01 Mobilisation

Secures sponsorship with genuine authority, confirms scope across every relevant entity, service and jurisdiction, and produces a programme mandate approved at management body level. Without a mandate, the programme cannot govern itself across twelve to twenty-four months of organisational pressure.

02 Assessment

Maps the organisation's current position against the applicable obligations in each relevant jurisdiction and produces the gap register that drives all subsequent delivery decisions. The gap register is the document on which programme scope, phasing and resource decisions rest.

03 Design

Takes the gap findings and specifies the target state: the controls, governance arrangements, and evidence processes each workstream will build. The target operating model produced in this phase is what the management body approves and what the assurance phase measures against.

04 Delivery

Runs eight functional workstreams in parallel, each with a named lead, specific deliverables drawn from the target operating model, and evidence generated as a product of the processes themselves rather than assembled retrospectively.

05 Assurance and Close

Validates what has been built, tests the incident notification capability through a tabletop exercise, and hands a functioning compliance operating model to those who will sustain it. Each workstream closes only when its deliverables are built, evidenced, and confirmed as ready for named business-as-usual (BAU) owners.

The programme typically runs for twelve to twenty-four months. The demand on the organisation's leadership is structured and specific to each phase rather than sustained at a high level throughout.

Deliverables

What the programme produces.

Five structured outputs constitute the programme's core deliverables. Together they are the compliance capability the organisation needs to meet its NIS2 obligations and demonstrate that position under supervisory scrutiny.

01 Programme mandate and governance structure

A formally documented record of who is accountable for what, what authority the programme holds, how the governance forums operate, and what the key decision rights are, approved at management body level. Governance that exists only in conversation does not survive twelve to twenty-four months of organisational pressure.

02 Gap register

A structured, obligation-mapped assessment of the current position across the full NIS2 reference framework, incorporating applicable national transposition in each relevant jurisdiction. Each finding identifies the specific gap, the evidence basis, the legal obligation it relates to, and a severity rating. The gap register drives delivery decisions throughout the programme and carries into BAU as the ongoing compliance status record.

03 Target operating model

The functional design of the target compliance state, approved by the management body. For each control and governance arrangement, the target operating model specifies what it looks like, who owns it in BAU, and how it is evidenced and periodically reviewed. It is the blueprint delivery builds to and the standard the assurance phase measures against.

04 Eight delivered workstreams

The compliance capability built through the delivery phase across all eight functional domains: governance, risk management, identity and access management, infrastructure and system security, operational resilience, incident management, supply chain, and awareness and culture. Each workstream closes only when its deliverables are built, evidenced, and confirmed as ready for named BAU owners to take over.

05 Programme closure and handover record

A structured account of what the programme has built: workstream close confirmations, the incident notification tabletop exercise record, the audit readiness findings and their resolution, and the programme closure report presented to the management body. The sustained compliance owner is confirmed in post and the handover is formally documented. Formally accepted residual risks carry named owners and committed remediation timelines into BAU.

After the programme

The obligations do not end when the programme does.

The programme closes when a functioning compliance capability has been handed to those who will sustain it. The obligations continue without pause. NIS2 is a permanent regulatory commitment; the controls, governance, and evidence the programme has built require active maintenance, periodic review, and board oversight on an ongoing basis.

The BAU compliance operating model is the structure that makes that maintenance possible. It is a programme deliverable, scoped and designed in parallel with the remediation workstreams, not assembled at close. The management body that approves the programme plan should satisfy itself that the operating model is in scope from the outset.
