A NIS2 implementation roadmap should turn the directive into a sequence your management board, IT team, compliance lead, and suppliers can execute. For most EU SMEs, the work does not fail because Article 21 is unknown. It fails because scope, risk assessment, remediation, evidence, and board approval happen in the wrong order.

This 12-week plan gives EU SMEs a practical sequence for moving from NIS2 uncertainty to an audit-ready baseline. It assumes your organisation already knows it is likely in scope, or is close enough to scope that preparation makes business sense.

The roadmap runs in four phases: confirm scope and run the gap analysis; assess risk and remediate the highest-risk gaps; implement controls and collect evidence; then validate the programme and archive the proof your team needs for audits, customer questionnaires, and management review.

TL;DR 

A NIS2 implementation roadmap is a sequenced plan that turns NIS2 obligations into owners, controls, evidence, board decisions, and review dates. For EU SMEs, the roadmap should start with scope confirmation, Article 21 gap analysis, risk ranking, and management visibility before remediation work begins. 

A 12-week NIS2 implementation roadmap helps EU SMEs sequence compliance work across four phases: Foundation, Risk and controls, Build and evidence, and Validation. The goal is an audit-ready baseline: confirmed scope, risk-ranked gaps, priority controls in motion, Tier 1 evidence organised, and board approval documented.

This roadmap assumes you have run a gap analysis and know your RED and AMBER gaps. If not, start with a NIS2 gap analysis before using this plan as your implementation sequence.

Phase | Weeks | Main output
--- | --- | ---
Phase 1: Foundation | Weeks 1–3 | Scope confirmed, gap analysis completed, board briefed
Phase 2: Risk and controls | Weeks 4–6 | Risk assessment completed, RED gaps start remediation
Phase 3: Build and evidence | Weeks 7–10 | Controls implemented, Tier 1 evidence collected
Phase 4: Validation | Weeks 11–12 | Board approval, residual risk record, evidence archive

A 12-week plan for EU SMEs

Why the roadmap starts with a gap analysis — not with controls implementation

The first mistake in NIS2 implementation is starting with tools, policies, or training before the organisation knows what its actual gaps are.

A NIS2 roadmap should not begin with “buy MFA,” “write a policy,” or “train everyone.” Those actions may be needed, but the order matters. Weeks 1–3 should confirm scope, classify the entity, and run a gap analysis against Article 21 measures. Only after that can the team prioritise the right work.

A gap analysis acts like a structural survey before renovation. It tells the team which controls are missing, which are informal, which are operating but not evidenced, and which require management decisions.

This roadmap uses the following RAG language:

Rating | Meaning | Roadmap implication
--- | --- | ---
RED | Control is missing, weak, or not evidenced | Remediate first in Weeks 4–10
AMBER | Control exists but needs stronger process, ownership, or proof | Plan and evidence in Weeks 7–12
GREEN | Control exists, operates, and has usable evidence | Store in evidence pack and review cadence

RAG-led roadmap

The 12-week NIS2 implementation roadmap: overview


The table below covers all 12 weeks across four phases, with the focus, tasks, and deliverables for each week. Adapt the timeline for your entity type using the Essential/Important adjustments later in this article.

Week | Phase | Focus | Key tasks | Deliverable
--- | --- | --- | --- | ---
1 | Phase 1: Foundation | Scope + classify | Confirm entity classification as Essential or Important. Identify the national competent authority. Confirm national registration status or registration obligation. Schedule Phase 1 interviews and Week 12 board approval meeting. | Entity classification statement. Competent authority identified. Week 12 board meeting in calendar.
2 | Phase 1: Foundation | Gap analysis kickoff | Start the Article 21 gap analysis framework. Interview IT, HR, operations, compliance, and management. Build baseline inventory against Article 21 measure areas. | Gap analysis in progress. Baseline inventory draft.
3 | Phase 1: Foundation | Gap assessment + RAG | Complete RAG ratings. Risk-prioritise gaps. Present findings to management. Map RED and AMBER gaps to owners. | Gap assessment report. Prioritised gap register. Board review of findings.
4 | Phase 2: Risk and controls | Risk assessment | Formalise risk assessment under Article 21(2)(a). Identify threats, vulnerabilities, business impact, and initial risk treatment actions. | Risk assessment results. Risk treatment plan draft.
5 | Phase 2: Risk and controls | RED gap remediation start | Start RED gap remediation. Prioritise Article 23 incident reporting procedure and MFA deployment under Article 21(2)(j), where appropriate. | Incident response procedure drafted. MFA implementation underway. Access control review initiated.
6 | Phase 2: Risk and controls | Policies + supply chain | Draft or update information security policies. Start supply chain security assessment for critical suppliers under Article 21(2)(d). | Signed information security policy. At least one critical supplier assessment completed.
7 | Phase 3: Build and evidence | Controls implementation | Continue RED gap remediation. Start AMBER gap remediation. Design or schedule security awareness training. | Security controls implementation on track. Training programme confirmed.
8 | Phase 3: Build and evidence | Training + evidence collection | Deliver security awareness training to staff. Complete management board training under Article 20(2). Start collecting Tier 1 evidence. | Staff and management training records. Evidence collection 50% complete.
9 | Phase 3: Build and evidence | Evidence collection continues | Continue Tier 1 evidence collection. Draft or review business continuity plan. Complete access reviews. | Evidence pack 80% complete. Business continuity plan drafted. Access review records completed.
10 | Phase 3: Build and evidence | Evidence pack completion | Complete Tier 1 evidence for all ten Article 21 measure areas. Organise evidence folder structure. Finalise MFA rollout or document residual rollout plan. | NIS2 evidence pack complete to Tier 1. Folder structure organised.
11 | Phase 4: Validation | Internal review | Review evidence pack against Article 21 measures. Present board RAG summary. Record residual gaps and risk acceptance. | Internal review report. Residual risk acceptance record. Board RAG summary approved.
12 | Phase 4: Validation | Readiness confirmation | Board formally approves the Article 21 security programme under Article 20(1). Confirm competent authority registration evidence is stored. Archive evidence pack with access control. | Board minutes approving Article 21 programme. Registration evidence stored. Evidence pack archived.

12-week NIS2 implementation roadmap for EU SMEs, from scope confirmation to board-approved audit-ready baseline.

Phase 1: Foundation (Weeks 1–3) — scope, gap analysis, and board briefing

Phase 1 creates the factual base for the rest of the roadmap. The team confirms whether the organisation is an Essential or Important entity, identifies the relevant competent authority, checks national registration obligations, and runs the gap analysis.

Week 1: Scope confirmation and entity classification

Week 1 should produce one short document: the entity classification statement.

This should record the sector, entity type, size threshold, country or countries of operation, national competent authority, and registration status. For cross-border SMEs, the statement should also name which Member State rules are most relevant to each service line.

The second Week 1 action is calendar control. Schedule all stakeholder interviews for Weeks 1–2 and put the Week 12 board approval meeting in the calendar immediately.

Deliverable: Entity classification statement. Competent authority identified. Week 12 board meeting scheduled.

If the organisation is still unsure whether NIS2 applies, the first step is to run a plain-English scope test before assigning remediation owners.

Week 2: Gap analysis in progress

Week 2 is interview-heavy. The gap analysis needs input from IT, HR, operations, compliance, procurement, and management. Each team owns part of the control environment.

IT can explain access control, asset inventory, logging, patching, and incident handling. HR can explain onboarding, offboarding, training, and role-based access. Procurement can explain supplier due diligence. Management can explain governance, risk appetite, and approval cadence.

Deliverable: Baseline inventory draft mapped to Article 21 measure areas.

Week 3: Gap assessment, RAG rating, and board briefing

By the end of Week 3, the gap analysis should be complete enough to support management decisions. Each gap should have a RAG rating, owner, risk note, remediation action, and evidence target.

The board should not wait until Week 12 to see the first NIS2 update. Article 20 places governance responsibility on management bodies. That means management needs visibility before remediation starts.

Management checkpoint (Article 20) — Week 3
Management board briefed on gap analysis findings. Article 20 oversight starts here. The briefing should be documented in board meeting notes or an equivalent record. The board is now on notice of the organisation’s NIS2 gaps.

Common delay risk — Weeks 2–3
Stakeholder availability is the first stall point. Gap analysis requires time from IT, HR, operations, compliance, procurement, and management. If those interviews are not scheduled in Week 1, the whole roadmap shifts. Mitigation: send all Phase 1 calendar invites before the gap analysis begins.

Phase 2: Risk and controls (Weeks 4–6) — risk assessment and RED gap remediation

Phase 2 turns the gap register into remediation work. The priority is not to fix everything at once. The priority is to address the gaps that create the highest compliance and operational exposure.

For many SMEs, the first two RED gaps are incident reporting and access control. Incident reporting matters because an incident can happen during the roadmap. Access control matters because accounts, privileges, and MFA are visible in audits, questionnaires, and incident reviews.

Week 4: Risk assessment and treatment plan

Week 4 converts the gap register into a risk treatment plan. Under Article 21(2)(a), covered entities need policies on risk analysis and information system security. In practice, this means the organisation needs a repeatable way to identify risk, rank it, assign owners, and decide treatment.

Each RED or AMBER gap should be assessed by business impact, likelihood, system exposure, data sensitivity, and dependency on suppliers.

Deliverable: Risk assessment results and risk treatment plan draft.

Once the risk assessment is drafted, use a NIS2 compliance checklist to check whether the main Article 21 control areas are covered before remediation begins. 

Week 5: RED gap remediation starts

Week 5 should start with the controls that cannot wait.

The first is Article 23 incident reporting. NIS2 reporting requires early warning, incident notification, and final reporting for significant incidents. The practical output is an incident response procedure with named roles, classification criteria, escalation path, and reporting timeline.

The second priority is MFA or secure authentication under Article 21(2)(j), where appropriate. The evidence is not just a screenshot showing MFA exists. The evidence should show scope, rollout status, exceptions, owner, and review date.

Deliverable: Incident response procedure drafted. MFA implementation underway. Access control review started.

Week 6: Policies and supply chain

Week 6 turns risk treatment into management-approved policy. The information security policy should reference Article 21 measures directly. Generic “cybersecurity policy” wording is weaker because it does not show that management approved the NIS2 security programme.

Supply chain assessment also starts in Week 6. Under Article 21(2)(d), entities must address supply chain security, including supplier relationships. For a 12-week roadmap, do not try to assess every supplier at once. Start with the top three critical suppliers: those with the most system access, data access, or operational dependency.

Deliverable: Signed information security policy. At least one critical supplier assessment completed.

Management checkpoint (Article 20) — Week 6
Information security policy submitted for management signature. This is one of the first Article 20 evidence documents. The policy should reference Article 21 measures specifically, not only “cybersecurity”.

Common delay risk — Weeks 5–6
Supply chain scope can grow too quickly. “Assess all suppliers” is not a Week 6 task. Mitigation: assess the top three critical suppliers first and move lower-risk suppliers into a 90-day post-roadmap plan.

Running behind on your NIS2 implementation — or not sure where your team should start? Sunbytes can step in at the phase you are currently facing. If the gap analysis is not started, we support Phase 1. If RED gaps are known but remediation has stalled, we help turn Phase 2 into controlled delivery work. If your evidence exists across folders, tickets, and meeting notes, we help structure Phase 3 into an evidence pack your team can use. Talk to Sunbytes about your NIS2 roadmap.

Phase 3: Build and evidence (Weeks 7–10) — controls implementation and evidence collection

Phase 3 is the longest part of the roadmap because it turns plans into operating controls and proof. A policy without evidence will not answer an audit request. A control without ownership will not survive the next access review. A remediation ticket without closure evidence will not prove the risk was reduced.

Week 7: Continue RED gaps and start AMBER gaps

Week 7 keeps RED gap remediation moving and starts AMBER gaps that need process or evidence improvement.

Typical Week 7 work includes access review clean-up, MFA rollout completion, incident response role confirmation, supplier evidence collection, secure development process updates, and business continuity ownership.

Training should also be designed or scheduled this week. Article 20(2) requires management bodies to follow training, and encourages similar training for employees. The training record becomes governance evidence, not only awareness evidence.

Deliverable: Security controls implementation on track. Training programme confirmed.

Week 8: Training and evidence collection

Week 8 should produce training records for both staff and management. The record should include date, participants, training topic, trainer or source, attendance status, and follow-up actions.

This is also when the evidence pack starts becoming visible. Evidence should be collected in a consistent folder structure, not scattered across systems.

Deliverable: Staff and management training records. Evidence collection 50% complete.

At this point, the team should start building the NIS2 evidence pack, so every control has a clear owner, proof record, and review status. 

Management checkpoint (Article 20) — Week 8
Management board training completion records are Article 20(2) evidence. These records should be stored in the evidence pack, not only in HR or learning systems.

Week 9: Evidence collection continues

Week 9 is where the evidence pack usually gets tested. The team should ask one question for each Article 21 measure area: can we prove this control exists and operates?

For example:

Control area | Weak evidence | Better evidence
--- | --- | ---
Access control | Screenshot of users | Access policy, approval record, quarterly review, exception list
Incident response | Policy PDF only | Procedure, role matrix, incident classification flow, reporting timeline
Supplier security | Supplier list | Critical supplier register, questionnaire, risk rating, follow-up owner
Business continuity | Backup statement | BCP, recovery owner, test record, open actions
Training | Slide deck | Attendance record, topic list, board training record

Evidence collection

Deliverable: Evidence pack 80% complete. Business continuity plan drafted or reviewed. Access review records completed.

Week 10: Evidence pack completion

By Week 10, Tier 1 evidence should exist for all ten Article 21 measure areas. Tier 1 means the minimum evidence needed to show the control exists, has an owner, and can be reviewed. Tier 2 evidence can follow later where the organisation needs stronger audit depth.

The folder structure matters. Evidence should be easy to navigate by control area, owner, date, and status. A regulator, auditor, buyer, or board member should not need to interpret project history to understand what was done.

Deliverable: Tier 1 NIS2 evidence pack completed. MFA finalised or residual rollout documented. Folder structure organised.

Common delay risk — Weeks 8–9
Evidence often exists but is not readable or accessible. Screenshots sit in tickets, policies sit in shared drives, and approvals sit in meeting notes. Mitigation: nominate one evidence coordinator in Week 1 who tracks evidence ownership from the start.

Phase 4: Validation and readiness (Weeks 11–12) — review, board approval, and archive

Phase 4 checks whether the organisation can explain what it did, what remains open, who accepted residual risk, and where the evidence is stored.

This phase should not introduce major new controls. It should validate the baseline, close evidence gaps, document residual risk, and get the management body to approve the Article 21 security programme.

Week 11: Internal review

Week 11 is an internal review against the ten Article 21 measure areas. The team should confirm that each area has an owner, control status, evidence record, and next action if needed.

Residual gaps should be documented. For AMBER gaps, this means owner, target date, business impact, and interim control. For RED gaps that remain open, management needs to understand the risk and make a recorded decision.

Deliverable: Internal review report. Residual risk acceptance record. Board RAG summary approved.
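The Week 3/4 prioritised gap register and the Week 11 internal review are both checks over the same record set, so one small script can do both. The following is an added example, not the article's or Sunbytes' own template: it assumes a gap record with the fields named in Weeks 3 and 4 (area, control, RAG rating, owner, Tier 1 evidence reference, target date, and five factor scores from 1 to 5), keys the ten Article 21(2) measure areas (a) to (j) as they appear in the Directive, uses an assumed weighting (impact × likelihood plus the three exposure factors) for ranking, and runs on a constructed sample register.

```python
from dataclasses import dataclass

# The ten Article 21(2) measure areas, keyed (a) to (j) as in the Directive.
MEASURE_AREAS = {
    "a": "risk analysis and information system security policies",
    "b": "incident handling",
    "c": "business continuity, backup and crisis management",
    "d": "supply chain security",
    "e": "security in acquisition, development and maintenance",
    "f": "policies and procedures to assess effectiveness",
    "g": "basic cyber hygiene practices and training",
    "h": "cryptography and encryption",
    "i": "HR security, access control policies and asset management",
    "j": "multi-factor authentication and secured communications",
}

RAG_ORDER = {"RED": 0, "AMBER": 1, "GREEN": 2}


@dataclass
class Gap:
    """One row of the gap register. The field set is assumed, not the article's template."""
    area: str                 # key into MEASURE_AREAS
    control: str
    rating: str               # assessor's Week 3 RAG rating
    owner: str = ""           # empty = no owner mapped yet
    evidence: str = ""        # Tier 1 evidence reference, empty = none
    target_date: str = ""     # remediation date for open RED/AMBER gaps
    # Week 4 factors, scored 1 (low) to 5 (high) by the assessor
    impact: int = 1
    likelihood: int = 1
    exposure: int = 1
    data_sensitivity: int = 1
    supplier_dependency: int = 1


def risk_score(gap: Gap) -> int:
    """Assumed weighting: impact x likelihood plus the three exposure factors."""
    factors = (gap.impact, gap.likelihood, gap.exposure,
               gap.data_sensitivity, gap.supplier_dependency)
    if any(not 1 <= f <= 5 for f in factors):
        raise ValueError(f"{gap.control}: factor scores must be 1-5")
    if gap.rating not in RAG_ORDER:
        raise ValueError(f"{gap.control}: unknown rating {gap.rating!r}")
    return (gap.impact * gap.likelihood + gap.exposure
            + gap.data_sensitivity + gap.supplier_dependency)


def prioritised_register(gaps):
    """Week 3/4 work queue: RED before AMBER, highest score first.
    GREEN controls go to the evidence pack, not the remediation queue."""
    open_gaps = [g for g in gaps if g.rating in ("RED", "AMBER")]
    return sorted(open_gaps, key=lambda g: (RAG_ORDER[g.rating], -risk_score(g)))


def internal_review(gaps):
    """Week 11 check: every area has a record, every record an owner, GREEN claims
    are evidenced, AMBER gaps are dated, and open RED gaps are listed for a
    recorded management decision."""
    covered = {g.area for g in gaps}
    return {
        "missing_areas": sorted(set(MEASURE_AREAS) - covered),
        "unowned": [g.control for g in gaps if not g.owner],
        "green_without_evidence": [g.control for g in gaps
                                   if g.rating == "GREEN" and not g.evidence],
        "amber_without_date": [g.control for g in gaps
                               if g.rating == "AMBER" and not g.target_date],
        "red_for_decision": [g.control for g in gaps if g.rating == "RED"],
    }


def sample_register():
    """Constructed sample data, not a real organisation's register."""
    return [
        Gap("a", "Risk assessment policy", "GREEN", owner="CISO",
            evidence="evidence/a-risk/policy-v2.pdf"),
        Gap("b", "Article 23 incident reporting procedure", "RED", owner="IT lead",
            impact=5, likelihood=3, exposure=4, data_sensitivity=3, supplier_dependency=2),
        Gap("d", "Critical supplier assessment", "AMBER", owner="Procurement",
            target_date="2026-09-30", impact=3, likelihood=3, exposure=3,
            data_sensitivity=4, supplier_dependency=5),
        Gap("g", "Staff awareness training", "AMBER", owner="HR",
            impact=2, likelihood=3, exposure=2, data_sensitivity=2, supplier_dependency=1),
        Gap("j", "MFA on remote access", "RED",
            impact=4, likelihood=4, exposure=5, data_sensitivity=3, supplier_dependency=1),
    ]


if __name__ == "__main__":
    register = sample_register()
    for g in prioritised_register(register):
        print(f"{g.rating:5} {risk_score(g):3} ({g.area}) {g.control} "
              f"owner: {g.owner or 'NONE'}")
    for finding, items in internal_review(register).items():
        print(f"{finding}: {items}")
```

On the sample register the queue is the two RED gaps first (the unowned MFA gap ranks above incident reporting), and the review flags five measure areas with no record at all, one gap without an owner, and one AMBER gap without a target date, which is exactly the list the Week 11 report and the Week 12 residual risk record need.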

Week 12: Readiness confirmation

Week 12 is the board approval point. The management body should formally approve the Article 21 security programme and record that approval in minutes.

The board minutes should name what was presented, who attended, what was approved, what residual gaps remain, and what next review cadence applies. The minutes should reference the Article 21 programme specifically. “Cybersecurity update approved” is too vague.

Competent authority registration should not be treated as a new Week 12 task. By Week 12, the organisation should confirm that registration evidence or registration status is stored in the evidence pack. If registration is still incomplete, that is a readiness gap, not a validation task.

Deliverable: Board minutes approving Article 21 programme. Competent authority registration evidence stored. Evidence pack archived and access-controlled.

Management checkpoint (Article 20) — Week 12
Board approval in meeting minutes is the single most important Article 20 compliance document in this roadmap. It should reference the Article 21 security programme specifically, name the attendees, record the approval date, and list any residual risk accepted by management. 

Common delay risk — Week 12
Board approval slips when the meeting is not scheduled early. For SMEs, board calendars can be full four to six weeks ahead. Mitigation: schedule the Week 12 board meeting on the first working day of Week 1. The Week 12 board approval should be documented as management accountability evidence, not treated as a general cybersecurity update. 

Adapting the roadmap for Essential vs Important entities

Essential and Important entities can use the same 12-week structure, but the timing and evidence depth differ. Essential entities usually need stronger readiness earlier because supervisory expectations are higher.

Aspect | Essential entity | Important entity
--- | --- | ---
Supervisory model | Expect more proactive supervisory scrutiny. Evidence should be ready for review from Week 12. | Supervision is more likely to be reactive, for example after an incident or complaint. Evidence should still be organised by Week 12.
Supply chain assessment priority | Higher. Critical suppliers should be assessed early, with a stronger follow-up plan. | Start with critical suppliers by Week 6. Lower-risk suppliers can move into the 90-day plan.
Management governance urgency | Board visibility should happen early. A Week 3 board briefing is not optional. | Board briefing in Week 3 and formal approval in Week 12 is usually workable for the roadmap.
Registration status | Confirm before Week 1 where national rules require registration. If not complete, registration becomes the first readiness action. | Confirm in Week 1 and store evidence. If not complete, record it as a readiness gap and assign an owner.
Evidence standard | Tier 1 evidence plus selected Tier 2 evidence recommended by Week 12. | Tier 1 evidence for all ten Article 21 measure areas by Week 12. Tier 2 can move into the improvement cycle.

The roadmap for Essential vs Important entities

Dutch Wbni and RDI context

For Dutch organisations, NIS2 is being implemented through the Cyberbeveiligingswet (Cbw). The Dutch House of Representatives approved the Cbw and Wwke in April 2026, but organisations should still verify the latest entry-into-force date and sector guidance through official Dutch government and RDI sources before relying on implementation wording. 

For Dutch entities, registration should be treated as a prerequisite or Week 1 confirmation task, not a Week 12 deliverable. If your organisation is subject to registration and has not completed it, do that before treating the 12-week roadmap as an implementation sequence.

For digital infrastructure, managed services, telecom, finance, and healthcare organisations, check the competent authority and sector-specific expectations before using a generic roadmap. The sequence still helps, but sector rules may affect timelines, evidence depth, and reporting channels.

The three most common NIS2 implementation delays — and how to prevent them

The 12-week roadmap fails when three dependencies are treated as admin tasks instead of delivery risks.


1. Stakeholder availability in Weeks 2–3

Gap analysis requires interviews with IT, HR, operations, compliance, procurement, and management. If those people are not available, the gap analysis stalls.

Prevention: schedule interviews in Week 1. Name one owner for the interview plan. Do not start the gap analysis without calendar slots confirmed.

2. Supply chain assessment in Weeks 5–6

Supplier reviews expand quickly when the team tries to cover every supplier at once. That makes the roadmap too heavy for a 12-week baseline.

Prevention: start with the top three critical suppliers. Use data access, system access, and operational dependency as the selection criteria. Move the full supplier list into a 90-day plan.

3. Board meeting scheduling in Week 12

The Week 12 board approval is a compliance deliverable, not a formality. If the meeting is not booked early, approval can slip by several weeks.

Prevention: schedule the Week 12 meeting in Week 1. Send the board a short roadmap note at the same time, so they know what decision will be required.

What “audit-ready at Week 12” actually means

Audit-ready at Week 12 does not mean every security issue is closed. It means the organisation can show what was assessed, what was fixed, what remains open, who owns each gap, and what evidence supports the programme.

What it means

By Week 12, the organisation should have:

  1. Tier 1 evidence for all ten Article 21 measure areas.
  2. A management-approved Article 21 security programme.
  3. Board minutes that record approval under Article 20 governance.
  4. Competent authority registration evidence or status stored in the evidence pack.
  5. Remaining AMBER gaps documented with owners, dates, and interim controls.
  6. A 90-day improvement plan for work that cannot be completed inside the 12-week baseline.

What it does not mean

Audit-ready does not mean perfect compliance. Some AMBER gaps may still be open with documented remediation timelines.

It does not mean the end of the compliance programme. NIS2 readiness needs review cycles, access reviews, supplier reassessments, training updates, incident tests, and management reporting.

It also does not protect the organisation from a significant incident during the roadmap. Article 23 readiness must start in Week 5 because incidents can happen before Week 12.

How Sunbytes delivers the NIS2 implementation roadmap for Dutch organisations

Sunbytes structures NIS2 implementation support around the same operational sequence: scope, gap analysis, risk-ranked remediation, evidence pack assembly, and board-ready documentation.

For Dutch and EU SMEs, the practical target is not a generic compliance statement. The target is a set of documents and controls that a CTO, compliance officer, or management body can use before the next audit, customer security questionnaire, or remediation review.

Why Sunbytes?

Sunbytes is a Dutch technology company headquartered in the Netherlands, with a delivery hub in Vietnam. For 15 years, we have helped clients worldwide Transform · Secure · Accelerate — turning strategy into delivery work with security built in. Sunbytes is ISO 27001 certified, and engagements can operate under a signed DPA with documented audit trail.

  • CyberSecurity Solutions: For NIS2 readiness, Sunbytes helps reduce risk without slowing delivery through practical security services and compliance readiness support. That includes gap analysis, Article 21 control mapping, remediation planning, evidence pack structure, and board-ready reporting for Article 20 governance.
  • Digital Transformation Solutions: For NIS2 remediation work that touches software delivery, technical documentation, QA, maintenance, or system modernisation, Sunbytes helps translate security actions into practical engineering tasks. This is where RED and AMBER gaps become backlog items, delivery plans, and evidence your team can track.
  • Accelerate Workforce Solutions: When internal capacity becomes the bottleneck, Sunbytes helps scale capability through recruitment and workforce support. This can help teams add the right technical, QA, security, or documentation capacity when the 12-week roadmap needs more hands to keep remediation moving.

For EU SMEs preparing for NIS2, the practical goal is clear: move from scattered actions to an evidence-based roadmap your management body can approve and your teams can execute. Start your 12-week NIS2 implementation roadmap with Sunbytes

FAQs

Yes, but only when the organisation already has strong documentation and working controls. ISO 27001-certified organisations may compress parts of Phase 1 and Phase 2 because asset inventory, risk assessment, access control, and policy records may already exist. The parts that usually cannot be compressed much are stakeholder interviews, board scheduling, and evidence clean-up.

Do not wait until Week 12 to build the incident reporting process. Article 23 readiness starts in Week 5 because an incident can happen at any point during implementation. The incident response procedure should include classification criteria, named roles, escalation path, and the reporting timeline for significant incidents.

Usually, yes. ISO 27001 can reduce effort because many controls, policies, access records, and risk processes may already exist. It does not remove NIS2-specific work such as Article 23 reporting timeline documentation, entity classification, national registration requirements, and Article 20 board approval evidence.

After Week 12, the organisation should move into a 90-day improvement cycle. That cycle should close remaining AMBER gaps, extend supplier assessment beyond the top three critical suppliers, run periodic access reviews, update the risk register, and prepare the next board report. NIS2 readiness is maintained through review cadence, not a one-off project.

One person can coordinate the roadmap, but they cannot execute it alone. A 50–250 employee SME usually needs one internal coordinator, one executive sponsor, IT ownership, HR input, procurement input, and management availability. Evidence collection can be distributed, but ownership must be centralised.

Finish the critical supplier assessment first. For most SMEs, that means the top three suppliers by system access, data access, or operational dependency. Lower-risk suppliers can move into the 90-day post-roadmap plan, provided the decision is documented and approved.

No. Week 12 means the organisation has an audit-ready baseline. The evidence pack should show what has been assessed, what has been remediated, what remains open, and who owns each next action. Full maturity may take longer, especially for Essential entities or organisations starting from a weak baseline.

Let’s start with Sunbytes

Let us know your requirements for the team and we will contact you right away.
