A NIS2 gap analysis turns regulatory pressure into a working plan. It shows which cybersecurity measures already exist, which ones are missing, which gaps create the highest risk, and what evidence the company needs to produce.

For EU companies preparing for NIS2, the goal is not to create another policy document. The goal is to know where the organisation stands against Article 21 cybersecurity risk-management measures, then build a remediation plan that management can approve and teams can execute.

This article explains a 5-step framework for running a NIS2 gap analysis. It also shows where external support can improve scoring objectivity, evidence quality, and board-ready reporting.

TL;DR

A NIS2 gap analysis is a structured assessment of current cybersecurity controls against NIS2 Article 21. It does not prove compliance; it shows which controls exist, which gaps lack evidence, which risks should be fixed first, and what management needs to approve. The output should be a RAG-rated gap report, a risk-ranked register, and a 12–16 week remediation roadmap.

The 5 steps are:

  1. Confirm scope and entity classification — output: scope statement and Essential/Important classification.
  2. Build a baseline inventory — output: current controls mapped to Article 21.
  3. Score gaps with RAG ratings — output: RED, AMBER, GREEN rating per measure.
  4. Prioritise gaps by risk and effort — output: ranked gap register.
  5. Build the remediation roadmap — output: 12–16 week action plan with owners and evidence targets.

For a lighter self-assessment, use the NIS2 compliance checklist. If you are not sure whether NIS2 applies to your organisation, confirm NIS2 scope before starting the gap analysis.

What a NIS2 gap analysis is — and what it is not

A NIS2 gap analysis is a structured assessment of your current cybersecurity measures against NIS2 requirements. For most companies, the assessment should map current practices, policies, controls, and evidence against the 10 cybersecurity risk-management areas listed in Article 21.

A completed gap analysis should answer four questions:

  • Which NIS2 Article 21 measures already have controls in place?
  • Which controls exist but lack documented evidence?
  • Which gaps create the highest enforcement, operational, or incident risk?
  • What needs to be fixed first, by whom, and by when?

A gap analysis does not prove that the company is compliant. It is preparation work before formal audit, supervision, buyer due diligence, or board approval. A gap analysis also produces a formal assessment report with ratings, findings, evidence status, and remediation priorities.

NIS2 readiness changes when your systems, suppliers, teams, and incident processes change. A gap analysis should become part of a recurring governance cycle, not a document that sits in a folder.

The 5-step NIS2 gap analysis framework


The framework below follows the sequence most companies should use: confirm scope, collect the baseline, score the gaps, rank the work, and turn the result into a remediation plan.

The assessment should map to NIS2 Article 21(2), which lists ten cybersecurity risk-management areas: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; secure acquisition, development and maintenance, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication together with secured communications and emergency communication systems.

Step 1: Confirm your NIS2 scope and entity classification

Start by confirming whether NIS2 applies to your organisation and how the entity should be classified.

This step matters because scope affects the rest of the assessment. An Essential entity and an Important entity may face different supervisory models, reporting expectations, and enforcement risk. Sector, size, business activity, and role in the supply chain all matter.

Your team should document three things:

  1. Sector classification
    Identify whether the company falls under an Annex I or Annex II sector. Examples include energy, transport, health, digital infrastructure, ICT service management, food, manufacturing, postal and courier services, and public administration.
  2. Size threshold
    Check whether the organisation meets the employee, turnover, or balance sheet thresholds that usually bring entities into scope. Some entities can be covered regardless of size because of their sector or service role.
  3. Supply chain role
    Check whether the company provides services to an Essential or Important entity. Managed service providers, software vendors, cloud-related providers, and security service suppliers may face NIS2-related expectations even when the law applies indirectly through contracts.

Gap analysis deliverable: Confirmed scope statement, entity classification, applicable sector, relevant business units, in-scope systems, and known competent authority assumptions.

If the scope is not confirmed yet, confirm NIS2 scope before running the full framework.

Step 2: Baseline inventory — map what you currently have

The baseline inventory captures what security measures already exist. Do not start by asking whether the company is compliant. Start by asking what is already in place, where it is applied, and whether evidence exists.

For each Article 21 area, ask four questions:

  • Does a policy or procedure exist?
  • Is it implemented in the systems and teams it applies to?
  • Is there evidence that it is followed?
  • Is it reviewed on a defined cadence?

Many companies already have security practices that are real but undocumented. For example, IT may review access manually, engineering may patch high-risk vulnerabilities quickly, or operations may have backup processes. The gap is not always “nothing exists.” Often, the gap is that the company cannot prove the control works.

That distinction matters. A missing control and an undocumented control require different remediation work.

Article 21 area | Current measure exists? | Implemented? | Evidence available? | Owner | Notes
Risk analysis and information system security | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | CISO / IT / Ops |
Incident handling | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Business continuity and crisis management | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Supply chain security | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Secure acquisition, development, maintenance, vulnerability handling | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Effectiveness assessment | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Cyber hygiene and cybersecurity training | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Cryptography and encryption | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
HR security, access control, asset management | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
MFA, secured communications, emergency communications | Yes / Partial / No | Yes / Partial / No | Yes / Partial / No | |
Article 21 baseline inventory grid for NIS2 gap analysis

Gap analysis deliverable: Article 21 baseline inventory showing policy status, implementation status, evidence availability, control owner, and notes per measure.

Step 3: Gap assessment — RAG rating per Article 21 measure

The gap assessment turns the baseline inventory into a clear readiness view. Each Article 21 measure receives a RAG rating: RED, AMBER, or GREEN.

The rating should be based on evidence, not confidence. If a control exists but no one can show the policy, ticket history, audit trail, training record, or review log, it should not be rated GREEN.

Rating | What it means | Example | Remediation priority
RED | The measure is absent or not evidenced | No incident reporting process exists | High
AMBER | The measure exists partly or evidence is incomplete | MFA is active for admin tools but not all in-scope systems | Medium to high
GREEN | The measure is implemented, evidenced, and reviewed | Quarterly access reviews have records, owners, and follow-up actions | Maintain and monitor
Gap assessment — RAG rating per Article 21 measure

A useful RAG score should produce action. “AMBER because documentation is weak” is better than “partial compliance.” The first statement tells the team what to fix. The second only labels the problem.

The RAG view should also separate legal, operational, and evidence gaps. A missing incident reporting process creates direct NIS2 exposure. A supplier review process with incomplete records may create evidence risk. Weak asset ownership may create operational risk because no one knows who is responsible during an incident.

NIS2 Article 20 requires management bodies of Essential and Important entities to approve cybersecurity risk-management measures and oversee implementation, so the gap analysis should produce a board-readable view of the findings.

Gap analysis deliverable: RAG-rated Article 21 gap assessment report showing current state, rating, evidence status, finding summary, and recommended remediation action per measure.

You can run the first three steps internally. The difficult part is often objectivity: teams may rate controls higher because they know informal practices exist. Sunbytes can support the assessment as a compliance readiness specialist by reviewing the baseline inventory, validating RAG scoring, identifying missing evidence, and turning the findings into a board-ready remediation plan. Contact Sunbytes about NIS2 readiness.

Step 4: Prioritise gaps by enforcement risk and remediation effort

Not every gap should be fixed in the order it appears in the report. Some gaps create immediate exposure. Others are important but need phased work.

Start with RED gaps that affect incident reporting, access control, business continuity, and supplier risk. These areas can create problems fast because they affect how the company responds when something goes wrong.

Then identify RED or AMBER gaps that need more time to close. Supply chain security is a good example. A company cannot fix supplier risk in one afternoon if contracts, supplier classification, security questionnaires, and review cadence are missing.

After that, look for quick closures. Some AMBER findings can be fixed with a policy update, evidence record, system export, or review log. These actions do not replace deeper remediation, but they help the organisation move from “we do this informally” to “we can demonstrate this.”

A simple prioritisation method is:

Priority | Gap type | Why it comes first
1 | RED gaps with incident or reporting exposure | They affect response under pressure
2 | RED gaps with long remediation time | They need early ownership
3 | AMBER gaps with weak evidence | They may be closeable with documentation and review records
4 | GREEN areas with maintenance needs | They need cadence, not major remediation
Gap prioritisation method

Gap analysis deliverable: Risk-prioritised gap register listing all RED and AMBER findings, enforcement risk, operational risk, remediation effort, owner, and target date.
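The scoring rule from Step 3 and the ordering from Step 4 are mechanical enough to encode, which helps when the inventory is repeated every quarter or grows beyond ten rows. The script below is an example added for this article, not a Sunbytes tool or anything the article's deliverables require: it reads a baseline inventory in the shape of the Step 2 grid, assigns the RAG rating from the evidence columns, and emits a gap register sorted with the Step 4 priorities. The CSV column names, the extra `exposure` and `effort_weeks` columns, and every sample row are assumptions constructed for illustration.

```python
"""Derive RAG ratings and a risk-prioritised gap register from an Article 21
baseline inventory, using the scoring and priority rules described above.

Example code added to the article; not a Sunbytes tool. The column names,
the `exposure` and `effort_weeks` fields and the sample rows are assumptions
constructed for illustration, not data from a real assessment.
"""
import csv
import io

# Constructed sample inventory in the shape of the Step 2 grid, plus two
# columns used by Step 4: `exposure` (incident / reporting / operational /
# evidence) and `effort_weeks` (estimated remediation effort).
SAMPLE_INVENTORY = """\
measure,policy,implemented,evidence,reviewed,exposure,effort_weeks
Risk analysis and information system security,Yes,Partial,Partial,No,operational,6
Incident handling,No,No,No,No,reporting,8
Business continuity and crisis management,Yes,Yes,Yes,Yes,incident,2
Supply chain security,Partial,Partial,No,No,operational,12
"Secure acquisition, development, maintenance, vulnerability handling",Yes,Yes,Partial,No,operational,4
Effectiveness assessment,No,No,No,No,evidence,5
Cyber hygiene and cybersecurity training,Yes,Yes,Yes,Yes,operational,1
Cryptography and encryption,Yes,Yes,Partial,Yes,operational,3
"HR security, access control, asset management",Yes,Partial,Yes,Partial,incident,6
"MFA, secured communications, emergency communications",Yes,Partial,Yes,No,incident,5
"""


def rag_rating(row):
    """RED: the measure is absent or not evidenced. GREEN: implemented,
    evidenced and reviewed. Everything else is AMBER. Evidence decides, not
    confidence: an implemented control with no evidence is still RED."""
    if row["evidence"] == "No" or (row["policy"] == "No" and row["implemented"] == "No"):
        return "RED"
    if row["implemented"] == "Yes" and row["evidence"] == "Yes" and row["reviewed"] == "Yes":
        return "GREEN"
    return "AMBER"


def priority(rating, exposure):
    """Step 4 ordering: 1 = RED with incident or reporting exposure,
    2 = other RED, 3 = AMBER, 4 = GREEN (maintain and monitor)."""
    if rating == "RED":
        return 1 if exposure in ("incident", "reporting") else 2
    return 3 if rating == "AMBER" else 4


def build_gap_register(inventory_csv):
    """Return gap-register rows sorted by priority. Within priority 2 the
    longest remediation comes first (it needs early ownership); within
    priority 3 the shortest comes first (quick evidence closures)."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rating = rag_rating(row)
        rows.append({
            "measure": row["measure"],
            "rating": rating,
            "priority": priority(rating, row["exposure"]),
            "exposure": row["exposure"],
            "effort_weeks": int(row["effort_weeks"]),
            "evidence_gap": row["evidence"] != "Yes",
        })

    def sort_key(r):
        effort = -r["effort_weeks"] if r["priority"] == 2 else r["effort_weeks"]
        return (r["priority"], effort, r["measure"])

    return sorted(rows, key=sort_key)


def rag_summary(register):
    """Counts per rating, the first line of the board summary."""
    counts = {"RED": 0, "AMBER": 0, "GREEN": 0}
    for r in register:
        counts[r["rating"]] += 1
    return counts


if __name__ == "__main__":
    register = build_gap_register(SAMPLE_INVENTORY)
    print("Overall posture:", rag_summary(register))
    for r in register:
        print(f'P{r["priority"]} {r["rating"]:5} {r["measure"]} '
              f'(exposure={r["exposure"]}, effort={r["effort_weeks"]}w, '
              f'evidence gap={r["evidence_gap"]})')
```

Run as-is it prints the RED/AMBER/GREEN counts for the board summary and the ordered register. One deliberate choice is worth flagging to whoever adopts it: a row with evidence = No is RED even when the team says the control is implemented, which is the "evidence, not confidence" rule from Step 3 applied literally. If your assessors prefer to treat implemented-but-unevidenced controls as AMBER, that is a single condition in rag_rating, but the finding text should then say explicitly that the gap is evidence, not implementation.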

Step 5: Build the NIS2 remediation roadmap

The final step converts the gap register into work the company can execute. A remediation roadmap should show who owns each action, what evidence will prove completion, and which board-level decision is needed.

For most EU SMEs and mid-market companies, a 12–16 week roadmap is a practical starting point. The exact timeline depends on scope, number of in-scope systems, supplier count, evidence maturity, and internal ownership.

A useful roadmap contains five fields:

Roadmap field | What to include
Finding | The RED or AMBER gap from the assessment
Action | The remediation task needed
Owner | The team or role accountable
Deadline | Target completion date
Evidence target | The document, export, ticket, policy, log, or record that proves completion
NIS2 remediation roadmap

The board summary should sit above the roadmap. It should show the overall RAG posture, the top three RED gaps, the remediation timeline, and decisions needed from management. This connects the gap analysis to Article 20 governance. Management cannot approve cybersecurity risk-management measures properly if the findings, risks, and remediation plan are not documented.

The evidence target list from this step becomes the starting point for the NIS2 evidence pack.

Gap analysis deliverable: NIS2 remediation roadmap, board RAG summary, evidence target list per Article 21 measure, and owner-based action plan.

What a completed NIS2 gap analysis produces

A completed NIS2 gap analysis should produce three core documents.

1. Gap assessment report

This is the main assessment document. It shows the current state of each Article 21 measure, the RAG rating, evidence status, and finding details. The report should be written for both technical and management readers. Technical teams need enough detail to fix gaps. Management needs a clear view of exposure and decision points.

2. Risk-prioritised gap register

This is the working remediation list. It ranks RED and AMBER findings by risk and effort. A good gap register prevents the team from treating every issue as equal. It shows what needs action this week, what needs a project owner, and what can be scheduled after higher-risk gaps are closed.

3. Remediation roadmap

This is the execution plan. It turns the findings into a 12–16 week sequence with owners, deadlines, and evidence targets. The roadmap should also show which evidence will be needed later. That makes the next step easier: building the NIS2 evidence pack.

How long does a NIS2 gap analysis take?

A NIS2 gap analysis usually takes between 2 and 8 weeks, depending on scope, internal availability, and evidence maturity.

Assessment type | Typical timeline | Best fit
Internal self-assessment | 2–4 weeks | Teams with strong internal ownership and clear system scope
Facilitated assessment | 3–6 weeks | Teams that want external structure but can provide evidence internally
Full external assessment | 4–8 weeks | Teams needing board-ready output, independent scoring, and stronger evidence review
NIS2 gap analysis timeline

Internal assessments often take longer than expected because evidence collection depends on busy teams. Facilitated assessments reduce that delay by giving the company a clear request list, interview structure, scoring method, and output format. A full external assessment is useful when the organisation expects buyer due diligence, board review, investor questions, or supervisory attention.

Dutch context: NIS2 nulmeting, Cyberbeveiligingswet, and Wbni transition

For Dutch companies, a NIS2 gap analysis is often described as a NIS2 nulmeting or NIS2 gap analyse. The Dutch term matters because it frames the work as a baseline assessment: where do we stand today, and what needs to change before we can demonstrate readiness?

As of 19 May 2026, the Dutch Cyberbeveiligingswet proposal had been accepted by the Tweede Kamer on 15 April 2026 and was still in the Eerste Kamer process, with committee input scheduled for 19 May 2026. The current Dutch Wbni remains relevant until it is replaced; NCTV states that the Wbni will eventually be replaced by the Cyberbeveiligingswet, which implements the European NIS2 Directive in the Netherlands.

At the time of writing (20 May 2026), the safest legal framing is: Dutch organisations should prepare for NIS2 through the Cyberbeveiligingswet framework, while tracking the final entry-into-force date and any sector-specific guidance from Dutch authorities.

A Dutch NIS2 nulmeting should therefore include:

  • scope and sector classification under the Dutch implementation route;
  • current control mapping against Article 21;
  • evidence status per measure;
  • board-ready RAG summary;
  • remediation roadmap with named owners;
  • registration, reporting, and authority assumptions where applicable.

Do not wait for every detail of national implementation before starting the baseline. The gap analysis identifies work that companies will need in any case: incident handling, access control, business continuity, supplier security, vulnerability handling, training, encryption, and evidence management.

Common mistakes when running a NIS2 gap analysis

Mistake 1: Starting with tools instead of scope

A tool inventory is useful, but it does not tell you whether the organisation is in scope, which systems matter, or which Article 21 measures need assessment. Start with scope and entity classification.

Mistake 2: Treating informal practices as compliance

A team may be doing the right thing without evidence. For NIS2 readiness, that is still a gap. The assessment should separate “control missing” from “control exists but evidence is weak.”


Mistake 3: Rating everything AMBER

If every measure is AMBER, the assessment has not made enough decisions. Some gaps are RED because there is no control. Some are GREEN because the control is implemented and evidenced. A useful RAG score forces prioritisation.

Mistake 4: Building a roadmap without owners

A remediation roadmap without owners is a list, not a plan. Every action should have an accountable role, target date, and evidence target.

Mistake 5: Leaving management out until the end

Article 20 brings cybersecurity governance into the management body. Management does not need every technical detail, but it does need the risk posture, top findings, remediation timeline, and decisions required.

How Sunbytes supports NIS2 gap analysis and Compliance Readiness

Sunbytes helps EU companies turn NIS2 requirements into an assessment, evidence view, and remediation plan that teams can execute.

Our Compliance Readiness support can include:

  • NIS2 gap assessment report mapped to Article 21;
  • RAG scoring per cybersecurity risk-management measure;
  • risk-prioritised gap register;
  • remediation roadmap with owners and deadlines;
  • board RAG summary for management review;
  • evidence target list for the next readiness phase.

The goal is not to replace your internal ownership. Your team still knows the systems, suppliers, and operational constraints best. Sunbytes adds structure, independent scoring, evidence review, and a delivery plan that reduces ambiguity.

Why Sunbytes?

Sunbytes is a Dutch technology company headquartered in the Netherlands, with a delivery hub in Vietnam. For 15 years, we have helped clients worldwide Transform · Secure · Accelerate by connecting strategy with reliable delivery and security built into the process.

  • CyberSecurity Solutions is the primary pillar for NIS2 readiness. Sunbytes is ISO 27001 certified, and engagements can operate under a signed DPA with documented audit trails. For NIS2 gap analysis, this means we can support Article 21 control mapping, RAG scoring, evidence review, remediation planning, and board-ready reporting through our Compliance Readiness work.
  • Digital Transformation Solutions supports the implementation phase after the gap analysis. If the roadmap identifies gaps in secure development, QA, access control, vulnerability handling, or technical documentation, Sunbytes can help translate those actions into delivery work with senior engineering teams.
  • Accelerate Workforce Solutions supports companies that need extra capacity to execute the remediation roadmap. When internal teams are already handling daily delivery, Sunbytes can help scale capability through recruitment and workforce support, so remediation tasks have the right people, ownership, and continuity behind them.

Need a clear next step after your NIS2 gap analysis? Contact Sunbytes to turn your findings into a board-ready remediation plan. 

FAQs

What is a NIS2 gap analysis?

A NIS2 gap analysis is an assessment of your current cybersecurity measures against NIS2 requirements, especially Article 21. It identifies which controls exist, which are missing, which lack evidence, and what needs remediation.

Is a NIS2 gap analysis the same as a NIS2 compliance checklist?

No. A checklist is a self-assessment tool. A gap analysis is a structured assessment that produces RAG-rated findings, evidence status, a risk-prioritised gap register, and a remediation roadmap.

Can we run a NIS2 gap analysis internally?

An internal security, IT, or compliance team can run the first version if scope is clear and evidence is accessible. External support is useful when the company needs objective scoring, board-ready reporting, or stronger evidence review.

How long does a NIS2 gap analysis take?

Most companies should expect 2–8 weeks. Internal self-assessments may take 2–4 weeks. Facilitated assessments often take 3–6 weeks. Full external assessments can take 4–8 weeks, depending on scope and evidence maturity.

What evidence should a NIS2 gap analysis check?

The assessment should check policies, procedures, implementation records, access reviews, incident response records, backup tests, supplier reviews, vulnerability handling evidence, training records, encryption standards, and MFA coverage. ENISA’s NIS2 technical guidance also points companies toward practical implementation examples and evidence mappings for relevant sectors.

Does management need to be involved in the gap analysis?

Yes. NIS2 Article 20 requires management bodies of Essential and Important entities to approve cybersecurity risk-management measures and oversee their implementation. A board RAG summary helps management see the risk posture and decisions needed.

What is a NIS2 gap analysis called in the Netherlands?

In the Netherlands, companies often use NIS2 nulmeting, nulmeting NIS2, or NIS2 gap analyse. The term “nulmeting” is useful because it describes a baseline assessment before remediation starts.
