
You're NIS2-Affected — Now What? The Operational Gaps Beyond Your ISMS
You've checked whether your organization falls under NIS2. The answer is yes. You have an ISMS. And now you're discovering: between what your ISMS covers and what NIS2 operationally requires, there's a gap. This article shows where it lies – and how to close it.
The applicability check is done – through a regulatory self-assessment, internal analysis, or with advisory support. Your organization qualifies as an essential or important entity. You've registered with the relevant national authority or are in the process. So what now?
Most organizations at this point have an ISMS, a registration, and an open question: What do we actually still need to do? The answer isn't more documentation. It's operational capabilities that an ISMS alone can't deliver.
Jump to:
- The gap nobody expected
- Six operational requirements your ISMS doesn't cover
- The roadmap: From ISMS to NIS2 compliance
The Typical State of Affairs
When organizations confirm their NIS2 applicability, the sequence is usually the same:
Step 1: The self-assessment confirms that the organization falls within scope – as an essential or important entity. Industry estimates suggest that roughly 80% of affected organizations either don't know yet or have only recently started engaging with the question.
Step 2: The organization recognizes it already has an ISMS – often ISO 27001-certified, embedded in a GRC tool. First wave of relief: "We already have much of what NIS2 requires."
Step 3: A gap analysis shows that ISO 27001 indeed covers roughly 70% of NIS2 requirements – particularly the governance aspects from Article 20 and large parts of Article 21.
Step 4: Then comes the uncomfortable realization: the remaining 30% aren't simply "more documentation." They're operational capabilities that the ISMS doesn't model and wasn't designed to.
This is precisely where many organizations stall. Not out of negligence, but because the next step isn't obvious. The ISMS provides a map – but not a vehicle.
The Gap Nobody Expected {#the-gap}
The gap between an ISMS and NIS2 compliance is not a documentation gap. It's a capability gap.
An ISMS answers the question: "Do we have a process for X?" NIS2 asks a different question: "Can we operationally execute X under time pressure, against external parties, with verifiable evidence?"
This distinction runs through the entire directive. Three areas are particularly affected:
Incident reporting: An ISMS has an incident response plan. NIS2 requires the ability to deliver an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident – while the incident is still being handled. That's not a documentation difference. It's an operating model difference.
Supply chain security: An ISMS has a vendor assessment process. NIS2 requires entities to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their cybersecurity practices (Art. 21(3)). In practice that means ongoing monitoring of direct suppliers' security posture, event-triggered re-assessments, and evidence available on demand. An annual questionnaire doesn't get you there.
Proof of effectiveness: An ISMS prepares for audits. NIS2 gives supervisory authorities the power to request evidence at any time. Evidence must be continuously available, not assembled when the request arrives.
The good news: the ISMS remains the foundation. It doesn't need to be replaced. But it needs to be supplemented – with an operational layer that executes what the ISMS documents.
Six Operational Requirements Your ISMS Doesn't Cover {#six-requirements}
1. Incident Management Under Time Pressure
What NIS2 requires: Early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours of becoming aware, and a final report no later than one month after the incident notification was submitted (Art. 23(4)); the CSIRT or competent authority can also request an intermediate status report in between. All of this runs in parallel with GDPR breach notification (72 hours to the data protection authority where personal data is affected) and contractual notification duties.
What the ISMS provides: An incident response plan with roles, escalation paths, and process descriptions.
What's missing: The operational infrastructure for real-time coordination between Security, Legal, Communications, and executive management. Versioned documentation during the incident. Templates for regulatory reports. A system that works under pressure – not just a plan describing how it should work.
→ Deep dive: NIS2 Incident Reporting: How to Actually Meet the 24-Hour Deadline
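As an added example (this is not code from the original article or from any tool it mentions), here is a minimal Python tracker that encodes the Art. 23(4) reporting clocks. Its point is the detail that plans tend to get wrong: the early warning and the incident notification count from the moment the entity becomes aware, while the final report counts from the moment the incident notification was submitted, so that deadline does not exist until the notification is in. The calendar-month reading of "one month", the GDPR clock, the 30/60-style hour values and the incident scenario in `demo()` are assumptions and constructed data; the directive does not define "one month", and national law may fix a day count instead.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Added example, not from the article. Clocks under Art. 23(4) NIS2:
#   early warning          <= 24h after becoming aware            (23(4)(a))
#   incident notification  <= 72h after becoming aware            (23(4)(b))
#   final report           <= 1 month after the NOTIFICATION was
#                             submitted, not after the incident   (23(4)(d))
#   GDPR breach notice     <= 72h after becoming aware if personal data
#                             is involved (Art. 33 GDPR), a separate track
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH_NOTICE = timedelta(hours=72)


def one_month_after(ts: datetime) -> datetime:
    """Calendar month, day clamped for short months (assumption: the directive
    does not define "one month"; your national law may use a day count)."""
    year, month = ts.year + ts.month // 12, ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class Incident:
    aware_at: datetime                         # moment the entity became aware
    personal_data_affected: bool = False
    submitted: Dict[str, datetime] = field(default_factory=dict)  # obligation -> sent at
    timeline: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def record(self, at: datetime, actor: str, note: str) -> None:
        """Append-only log: the evidence trail an authority can later ask for."""
        self.timeline.append((at, actor, note))

    def submit(self, obligation: str, at: datetime, actor: str) -> None:
        self.submitted[obligation] = at
        self.record(at, actor, f"submitted {obligation}")

    def deadlines(self) -> Dict[str, datetime]:
        due = {
            "early_warning": self.aware_at + EARLY_WARNING,
            "incident_notification": self.aware_at + INCIDENT_NOTIFICATION,
        }
        if self.personal_data_affected:
            due["gdpr_breach_notice"] = self.aware_at + GDPR_BREACH_NOTICE
        # The final-report clock only starts once the notification is in.
        if "incident_notification" in self.submitted:
            due["final_report"] = one_month_after(self.submitted["incident_notification"])
        return due

    def status(self, now: datetime) -> Dict[str, str]:
        """Per obligation: met / late (submitted), OVERDUE, or time remaining."""
        out: Dict[str, str] = {}
        for name, deadline in self.deadlines().items():
            sent = self.submitted.get(name)
            if sent is not None:
                out[name] = "met" if sent <= deadline else "late"
            elif now > deadline:
                out[name] = "OVERDUE"
            else:
                hours = (deadline - now).total_seconds() / 3600
                out[name] = f"due in {hours:.1f}h"
        return out

    def next_due(self, now: datetime) -> Optional[Tuple[str, datetime]]:
        """Earliest obligation not yet submitted, or None if nothing is open."""
        open_items = [(d, n) for n, d in self.deadlines().items() if n not in self.submitted]
        if not open_items:
            return None
        deadline, name = min(open_items)
        return name, deadline


def demo() -> Incident:
    """Constructed scenario (not a real incident): awareness on 1 March 2024, 10:00 UTC."""
    utc = timezone.utc
    inc = Incident(aware_at=datetime(2024, 3, 1, 10, 0, tzinfo=utc), personal_data_affected=True)
    inc.record(inc.aware_at, "SOC", "ransomware on file server confirmed; service degraded")
    inc.submit("early_warning", datetime(2024, 3, 1, 20, 30, tzinfo=utc), "CISO")
    inc.submit("incident_notification", datetime(2024, 3, 3, 9, 0, tzinfo=utc), "Legal")
    return inc


if __name__ == "__main__":
    incident = demo()
    check_time = incident.aware_at + timedelta(days=4, hours=2)
    print(incident.status(check_time))
    print("next:", incident.next_due(check_time))
```

In the constructed scenario the NIS2 clocks are met but nobody submitted the GDPR notice, which is exactly the parallel-track failure the text warns about; `next_due()` surfaces it as the most urgent open item while the final report, whose clock only started at the 3 March notification, is still a month out.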
2. Continuous Vendor Oversight
What NIS2 requires: Supply chain security covering the relationship with each direct supplier and service provider (Art. 21(2)(d)), taking into account the vulnerabilities specific to each of them and the overall quality of their products and cybersecurity practices (Art. 21(3)). Ongoing risk assessment, not point-in-time snapshots.
What the ISMS provides: Supplier categorization, annual assessment cycles, documented evaluation results.
What's missing: Ongoing monitoring (certificates, vulnerabilities, supplier incidents). Trigger-based re-assessments when things change. An integrated overview of the current security status of all relevant suppliers. Structured communication with suppliers when conditions evolve.
→ Deep dive: NIS2 Supply Chain Security: Why Annual Vendor Assessments Are No Longer Enough
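The difference between an annual cycle and trigger-based re-assessment is easiest to see in code. The following is an added example in Python (not from the article or any product it refers to): a small rule set over a supplier registry that flags a supplier for re-assessment when its assessment ages out, when its certificate lapses or is about to, when a high-severity advisory hits a product it supplies, or when it reports an incident. The thresholds, the supplier records and the advisory entries (with placeholder CVE identifiers) are assumptions and constructed data, not values from the directive or real vendors.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example, not from the article. Thresholds are assumptions for
# illustration; NIS2 sets none of these numbers.
MAX_ASSESSMENT_AGE = timedelta(days=365)   # the cycle-based trigger (annual review)
CERT_EXPIRY_WARNING = timedelta(days=60)   # re-check before a certificate lapses
CVSS_TRIGGER = 7.0                         # high/critical advisories trigger a review
PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Supplier:
    name: str
    criticality: str                          # "high" | "medium" | "low"
    last_assessed: date
    iso27001_expires: Optional[date]          # None = no certificate on file
    products: List[str]                       # products/services they supply to us
    incidents_since_assessment: List[str] = field(default_factory=list)


@dataclass
class Advisory:
    cve: str
    product: str
    cvss: float
    published: date


def reassessment_triggers(s: Supplier, advisories: List[Advisory], today: date) -> List[str]:
    """Return the reasons a supplier needs re-assessment now (empty list = none)."""
    triggers: List[str] = []
    # Cycle-based trigger: the only thing an annual questionnaire would catch.
    if today - s.last_assessed > MAX_ASSESSMENT_AGE:
        triggers.append("assessment older than 12 months")
    # Certificate state: missing, expired, or expiring soon.
    if s.iso27001_expires is None:
        triggers.append("no ISO 27001 certificate on file")
    elif s.iso27001_expires < today:
        triggers.append(f"ISO 27001 certificate expired on {s.iso27001_expires.isoformat()}")
    elif s.iso27001_expires - today <= CERT_EXPIRY_WARNING:
        triggers.append(f"ISO 27001 certificate expires on {s.iso27001_expires.isoformat()}")
    # Event triggers: things that happened after the last assessment.
    for a in advisories:
        if a.product in s.products and a.cvss >= CVSS_TRIGGER and a.published > s.last_assessed:
            triggers.append(f"{a.cve} (CVSS {a.cvss}) affects {a.product}")
    for incident in s.incidents_since_assessment:
        triggers.append(f"supplier-reported incident: {incident}")
    return triggers


def review_queue(suppliers: List[Supplier], advisories: List[Advisory], today: date) -> List[Dict]:
    """Suppliers that need attention, most critical first, with their reasons."""
    queue = []
    for s in suppliers:
        reasons = reassessment_triggers(s, advisories, today)
        if reasons:
            queue.append({"supplier": s.name, "criticality": s.criticality, "reasons": reasons})
    queue.sort(key=lambda q: PRIORITY[q["criticality"]])
    return queue


# Constructed sample registry and advisories: fictional suppliers, placeholder CVE IDs.
TODAY = date(2025, 6, 1)
SUPPLIERS = [
    Supplier("Hosting Co", "high", date(2025, 3, 15), date(2026, 1, 10), ["managed-k8s"],
             incidents_since_assessment=["customer-notified credential leak, 2025-05-20"]),
    Supplier("Payroll SaaS", "medium", date(2024, 4, 1), date(2025, 7, 1), ["payroll-portal"]),
    Supplier("Badge Printer Vendor", "low", date(2025, 2, 1), date(2027, 1, 1), ["badge-printer-fw"]),
]
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "managed-k8s", 9.1, date(2025, 5, 2)),      # placeholder ID
    Advisory("CVE-XXXX-0002", "badge-printer-fw", 4.3, date(2025, 5, 9)),  # below threshold
]

if __name__ == "__main__":
    for item in review_queue(SUPPLIERS, ADVISORIES, TODAY):
        print(item["criticality"], item["supplier"], "->", "; ".join(item["reasons"]))
```

Run on the sample data, the high-criticality hosting provider is flagged for a fresh advisory and a reported incident although it was assessed less than three months ago, which an annual cycle alone would not surface until the next questionnaire; the payroll provider is flagged on the cycle rule and an expiring certificate; the low-risk badge printer vendor stays off the queue because its advisory is below the threshold. The returned reasons are the evidence you would attach to the re-assessment record.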
3. Evidence on Demand
What NIS2 requires: Procedures to evaluate the effectiveness of measures (Art. 21(2)(f)). Authorities can request evidence at any time, conduct on-site inspections, and perform audits.
What the ISMS provides: Audit preparation in planned cycles. Documentation of measures and controls.
What's missing: Artifacts with metadata retrievable at any time (version status, validity, owners, change history). Integrated evidence management linking controls, vendor assessments, and incident reports. Evidence as continuous output, not audit preparation.
→ Deep dive: NIS2 Audit Readiness: From Documentation to Continuous Evidence
4. Operationalizing Executive Responsibility
What NIS2 requires: Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for the entity's infringements (Art. 20(1)). Their members must also follow regular training (Art. 20(2)). The rule that the entity cannot waive its claims against management is not in Art. 20 of the directive; it appeared in drafts of Germany's implementing legislation (NIS2UmsuCG), so check the final text of the national law that applies to you.
What the ISMS provides: Role and responsibility definitions. Management reviews. Training policies.
What's missing: A verifiable information flow from operational security topics to executive management. The ability for management to access processed, current situational information during an incident. Documentation proving that management actually exercised its oversight duty – not just that it signed a policy.
5. External Incident Communication
What NIS2 requires: Where appropriate, affected entities must notify the recipients of their services without undue delay of significant incidents that are likely to adversely affect service provision (Art. 23(1)), and must inform recipients potentially affected by a significant cyber threat of the measures or remedies they can take in response (Art. 23(2)).
What the ISMS provides: Internal communication plans. Possibly a PR escalation policy.
What's missing: A structured process for external incident communication – toward customers, partners, and potentially the public. Aligned messaging between Legal, Communications, and executive management. Versioned, traceable communication through a defined channel.
6. Coordinated Engagement With Authorities
What NIS2 requires: Cooperation with the relevant CSIRT and supervisory authority. Authorities can request information at any time, issue binding instructions, and conduct audits. Cross-border incidents may involve multiple national authorities.
What the ISMS provides: A named contact person. Possibly a contact list.
What's missing: An established communication channel with authorities that goes beyond initial registration. The ability to respond to information requests quickly and in a structured manner. Preparation for on-site inspections that may not be announced in advance.
The Roadmap: From ISMS to NIS2 Compliance {#the-roadmap}
Closing the gap isn't a complete rebuild. It's a systematic extension of what's already in place. Five phases:
Phase 1: Gap Analysis (Week 1–2)
Map your existing ISMS against the operational NIS2 requirements, not the governance requirements; those are already covered. The six points above are the framework. For each one: Can we operationally execute this today? If not: What specifically is missing?
Phase 2: Risk-Based Prioritization (Week 2–3)
Not all gaps are equally critical. Incident reporting has the highest regulatory urgency – it applies now and has fixed deadlines. Supply chain security has the highest operational complexity. Proof of effectiveness becomes a problem at the first authority request. Prioritize accordingly.
Phase 3: Build Operational Systems (Month 1–3)
For incident reporting: set up an incident management system, define roles, prepare templates, run the first tabletop exercise. For supply chain: upgrade the supplier registry to NIS2 requirements, build monitoring capability, review contractual foundations. For evidence: shift from "filing" to "retrieval."
Phase 4: Connect ISMS and Operational Systems (Month 2–4)
The ISMS remains the control instrument. The operational systems supplement it with the capabilities NIS2 additionally requires. The connection must work in both directions: the ISMS informs operational execution (policies, risk classifications). The operational systems feed evidence back into the ISMS (current assessments, incident reports, proof of effectiveness).
An ISMS for internal governance. A Trust Center for external communication and evidence. Two sides of the same coin.
Phase 5: Test and Iterate (Ongoing)
Tabletop exercises for the reporting regime. Review cycles for vendor oversight. Trial retrievals of evidence. NIS2 compliance isn't a project with an end date – it's an operational model.
The Most Common Mistakes at This Point
"We'll do another gap analysis." Gap analyses against ISO 27001 or against NIS2's governance requirements tend to yield the same result: "looks good." The gap isn't in governance. It's in operational execution. A gap analysis that only checks whether processes exist won't find it.
"We'll extend our GRC tool." GRC tools are designed for governance, risk, and compliance – for the control layer. NIS2 additionally demands operational capabilities: real-time communication, ongoing monitoring, evidence available on demand. A GRC tool typically can't deliver this – it wasn't built for it.
"We'll wait for certification." Article 24 of the NIS2 Directive lets Member States require the use of ICT products, services and processes certified under European cybersecurity certification schemes (the Cybersecurity Act framework for which ENISA prepares the schemes). That is a way to demonstrate conformity of specific products and services, not an organizational NIS2 certificate, and the risk management and reporting obligations apply now regardless. Organizations that wait are non-compliant in the meantime.
"The CISO handles it." NIS2 makes executive management personally liable. The CISO can manage implementation, but responsibility lies with the board. This isn't a formality – it's a personal liability question.
Sources
- Directive (EU) 2022/2555 (NIS2 Directive) – Full Text – Articles 20, 21, and 23 on governance, risk management, and reporting obligations.
- BSI – NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) – Germany's implementing legislation on risk management, reporting, executive liability, and supervisory powers.
- BSI – NIS-2-Betroffenheitsprüfung – BSI's self-assessment tool for NIS2 applicability.
- BSI – NIS-2: What to Do? – BSI's step-by-step guidance for NIS2 implementation.
- ENISA – Implementing Guidance on NIS2 Security Measures – Implementation guidance for the risk management measures under Article 21.