If NIS2 applies to you and you have not started, you are not alone — but you are exposed. The Directive has been transposed into national law across EU member states and enforcement is active. The question now is not whether to comply but how to get the most coverage in the least time with the resources you actually have.
This is the triage plan I run when I engage with a company that has done nothing. Thirty days. Real priorities. No theatre.
First: Confirm You're Actually in Scope
Before anything else, spend two hours confirming your scope. NIS2 applies to two categories: essential entities and important entities, defined by sector and size.
Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, data centres, CDNs, trust service providers, public electronic communications networks), and public administration. Important entities cover postal and courier services, waste management, manufacture of certain critical products, food, chemicals, digital providers (online marketplaces, online search engines, social networks), and manufacturing of medical devices, electronics, machinery, motor vehicles.
The size threshold matters: for most sectors, entities with 250 or more employees or annual turnover above €50M qualify as essential or important. Smaller organisations below these thresholds are generally out of scope — but check your member state's transposition, as several (Germany, the Netherlands) have extended scope beyond the Directive's minimum.
If you are in scope, the obligations are real and the enforcement machinery is running.
The 30-Day Triage
This is not a full NIS2 compliance programme. A full programme takes 6–9 months. This is the sequence that gets you from zero to defensible fastest — the moves that reduce your biggest exposures in the shortest time.
Days 1–3: Establish a Named Responsible Person and Register
NIS2 Article 20 requires that management bodies approve and oversee cybersecurity risk management measures. In practice, this means you need a named individual with documented authority over security matters, board-level visibility, and accountability for the obligations below.
Do this on Day 1. It does not need to be a CISO — it can be a CTO, a VP Engineering, or an interim with explicit delegation. What it cannot be is ambiguous. Regulators in enforcement actions will ask who is responsible. "The team" is not an answer.
Simultaneously: check whether your member state requires you to register with the competent national authority. Several countries (Germany, the Netherlands, Austria) require active registration. Failing to register is itself a violation. Check the national authority website and submit registration if required.
Days 4–7: Asset Inventory — Know What You Are Defending
You cannot protect what you have not listed. In four days, produce a working inventory of:
- All systems that process personal data or business-critical data
- All externally accessible services (APIs, web applications, portals, VPNs, remote access)
- All critical third-party dependencies (cloud providers, SaaS tools you cannot operate without, key technology vendors)
- All privileged access accounts
This does not need to be a CMDB. A well-maintained spreadsheet with ownership, classification, and last-reviewed date is sufficient to start. The goal is to know what exists before you try to secure it.
Shadow IT is a compliance liability
The systems you don't know about are the ones that will generate your incident. In every engagement where I've run a discovery exercise, the asset inventory produced by the team underestimates reality by 20–40%. Ask each team lead to list every SaaS tool and cloud service their team uses. Cross-reference against your identity provider's OAuth grants and your finance team's SaaS spend. The delta is your blind spot.
Days 8–14: Incident Response — You Need a Plan Before the Incident
NIS2 Article 21 requires incident handling capabilities. Article 23 imposes hard notification deadlines: 24 hours for an early warning, 72 hours for a full incident report, and one month for a final report. These deadlines run from the moment you become "aware" of a significant incident.
"Aware" is not defined as "investigated and confirmed." It means the moment a significant security event comes to your attention. If you discover a breach at 9am Monday, your 24-hour early warning to the competent authority is due by 9am Tuesday — whether or not you have completed your investigation.
In days 8–14, build the minimum viable incident response process:
- A definition of "significant incident" for your context — what events trigger the notification obligation
- A named notification owner — the person who calls the competent authority and sends the report
- The competent authority contact details — bookmarked, not requiring a Google search at 2am
- An incident log template — capturing timestamp, description, affected systems, initial impact estimate, and actions taken
- An emergency contact list — key internal contacts, your IT provider, your legal counsel, your cyber insurer (if you have one)
That's it for the first 30 days. A full playbook with detailed runbooks for each attack type comes later. Right now you need the skeleton that allows you to hit a 24-hour notification window.
Days 15–21: Access Control and MFA — The Highest-ROI Security Measure
NIS2 Article 21(2)(j) requires that entities implement multi-factor authentication or continuous authentication solutions wherever appropriate. This is the single highest-return security investment for the time it takes to implement.
In this week, enforce MFA on:
- All administrative accounts (cloud consoles, identity providers, infrastructure management)
- All email accounts — every one of them, not just IT
- All VPN and remote access entry points
- All business-critical SaaS applications
If you have an identity provider (Entra ID, Okta, Google Workspace), MFA enforcement is a policy change, not an engineering project. It takes hours, not weeks. The gap is almost always organisational — someone will push back because MFA is inconvenient. That pushback is not a valid compliance consideration.
| Account Type | MFA Priority | Typical Time to Enforce |
|---|---|---|
| Cloud infrastructure consoles (Azure, AWS, GCP) | Critical — Day 1 | Hours (policy configuration) |
| Identity provider admin accounts | Critical — Day 1 | Hours |
| All email accounts | High — Week 1 | 1–3 days (user comms + rollout) |
| VPN / remote access | High — Week 1 | 1–2 days |
| Business-critical SaaS (Salesforce, ERP, billing) | High — Week 2 | 2–5 days (varies by tool) |
| All other SaaS | Medium — Week 3–4 | Ongoing |
Simultaneously this week: review privileged access. Any account with administrative rights that is not actively needed should have those rights removed. Stale admin accounts — former employees, old service accounts, vendor access that was never revoked — are a disproportionate share of breach entry points.
Days 22–26: Supply Chain — Identify Your Critical Vendors
NIS2 Article 21(2)(d) explicitly requires that entities address security in the supply chain, including security aspects of the relationships between each entity and its direct suppliers or service providers.
In the context of a 30-day triage, this means identifying your critical third parties — the vendors whose compromise or failure would directly impact your ability to operate — and completing a basic security assessment of each.
For each critical vendor, document: whether they have a relevant security certification (ISO 27001, SOC 2 Type II); whether they have a contractual obligation to notify you of incidents within 24 hours; whether your contract includes the right to audit; and whether you have a plan for what to do if they have an outage or breach.
In 30 days you cannot complete a full supply chain security programme. You can complete a tiered list that identifies your top 10 critical dependencies and confirms whether you have minimum contractual coverage and notification rights. That documentation will matter in an enforcement conversation.
Your cloud provider is not your compliance
A common misunderstanding: if we are on Azure or AWS, they handle the security. They handle the security of the cloud infrastructure. Everything you build on top of it — your configurations, your access controls, your data handling, your logging — is your responsibility. The shared responsibility model does not transfer your NIS2 obligations to your cloud provider. It clarifies that some of the infrastructure layer is theirs. The rest is yours.
Days 27–30: Document What You've Done and Set the 90-Day Roadmap
The final three days are documentation and roadmap. This is not bureaucratic padding — in an enforcement action, the ability to demonstrate what you have done and when you did it is the difference between a corrective order and a fine.
Produce a one-page summary document that covers: the date you confirmed scope; the name and role of the responsible person; the status of your asset inventory; the incident response process you have put in place; the MFA rollout status; and the critical vendor list and assessment status.
Then build the 90-day roadmap that takes you from triage to programme. A structured NIS2 programme covers: formal risk assessment; network security monitoring; vulnerability management; business continuity and disaster recovery testing; security awareness training; formal policy documentation; and a full supply chain security review. None of that is 30-day work. All of it is 90-day achievable.
What the First 30 Days Actually Gets You
Let me be direct about what this plan does and does not achieve.
| What the 30-Day Triage Achieves | What It Does Not Achieve |
|---|---|
| Named accountability at management level | Full Article 21 risk management programme |
| Ability to meet 24h/72h incident notification deadlines | Documented formal risk assessment |
| MFA on all critical access points | Network security monitoring |
| Awareness of critical third-party dependencies | Business continuity testing |
| Documented baseline — visible in enforcement review | ISO 27001 or equivalent certification |
| Registered with competent authority (where required) | Complete supply chain security programme |
The triage gets you to a place where, if an incident occurs, you can notify correctly and demonstrate that you had a responsible person and a response process. It does not make you fully compliant. Full compliance is a 6–9 month programme. What the triage does is close the gap between "done nothing" and "can evidence reasonable effort."
In enforcement, "reasonable effort and rapid action once we understood the obligation" lands very differently from "we were aware and did nothing." The 30-day triage is evidence of the former.
The Mistake I See Most Often
Companies that have done nothing on NIS2 almost always know they should have started. The delay is not ignorance — it's paralysis. The scope feels large, the requirements feel technical, and there's always a quarterly priority that displaced it.
The paralysis is more expensive than the programme. Every week of inaction is a week of full exposure — legally, operationally, and reputationally. The 24-hour notification window does not care whether you had a busy quarter.
Start with Day 1. Get a name against the accountability. That single action — a named responsible person with documented authority — changes your legal posture immediately and gives the rest of the programme somewhere to land.
If NIS2 applies to your organisation and you need to move from zero to structured programme quickly, let's talk — book a 30-minute discovery call and I can scope a triage engagement tailored to your sector, size, and current state.