EU Directive 2022/2555 — Governance & Compliance

NIS2 Governance Roadmap

A focused 12-week governance programme to achieve NIS2 compliance readiness. One senior consultant reviewing your existing global framework against local NIS2 requirements, conducting stakeholder interviews, building compliance documentation, and delivering a prioritised implementation roadmap — all mapped to Article 21.

12 weeks to delivery
4 focused phases
10 Art. 21 domains
1 senior consultant

Engagement Approach

Pragmatic, governance-focused delivery

This is a single-consultant engagement focused on the governance and compliance layer of NIS2. Most multi-country organisations already have a global IT security framework in place — the challenge is understanding where it meets local NIS2 requirements and where the gaps are. This programme starts with your existing framework, analyses it against all 10 Article 21 domains, and builds the local compliance documentation and roadmap your team needs.

No large team. No scope creep into technical implementation. Just structured programme management applied to NIS2 compliance — framework analysis, stakeholder interviews, gap documentation in your existing tools, and a roadmap you can act on.

Analyse: global framework vs. local NIS2 requirements
Assess: interviews & gap analysis across 10 domains
Deliver: compliance documentation & roadmap

Programme Timeline

Phase 1: Framework & Planning (Weeks 1–2)
  • Stakeholder mapping
  • Global framework analysis
  • Interview schedule & scope
Phase 2: Interviews & Assessment (Weeks 3–6)
  • Stakeholder interviews
  • Gap assessment (10 domains)
  • Current-state maturity scoring
  • Risk register & prioritisation
Phase 3: Compliance Documentation (Weeks 7–10)
  • Governance policy framework
  • Roles, responsibilities & RACI
  • Incident response framework
  • Board reporting template
Phase 4: Roadmap & Handover (Weeks 11–12)
  • Prioritised implementation roadmap
  • Executive presentation
  • Handover & knowledge transfer

Phase Details & Deliverables


Phase 1: Framework Analysis & Planning

Weeks 1–2  |  Foundation
Review existing global IT security framework against local NIS2 requirements. Map stakeholders across jurisdictions, assess current documentation baseline, and build the structured interview schedule for the assessment phase.
  • Global framework gap analysis (existing vs. NIS2 requirements)
  • Stakeholder map with RACI matrix
  • Interview schedule (structured across 10 Art. 21 domains)
  • Programme charter & scope agreement
  • Communication plan
FOCUSED — 10 days
Phase 2: Interviews & Current-State Assessment

Weeks 3–6  |  Core Assessment
Conduct structured interviews with key stakeholders across all 10 NIS2 Article 21 domains. Score current maturity, identify gaps, and build a prioritised risk register. This is the analytical core of the engagement.
  • Structured interviews across all 10 Art. 21 domains
  • Gap assessment report with maturity scores per domain
  • Risk register with severity ratings and ownership
  • Current-state heatmap (visual maturity overview)
  • Interim findings presentation to management
HIGH EFFORT — 20 days
Phase 3: Compliance Documentation & Policy Framework

Weeks 7–10  |  Governance Build
Translate assessment findings into actionable compliance documentation within your existing documentation platform. Build the local policy framework, define roles and responsibilities, draft incident response procedures, and establish board reporting structures.
  • NIS2-aligned governance policy framework
  • Roles & responsibilities matrix (including Art. 20 board accountability)
  • Incident response framework (aligned to the Art. 23 reporting chain: early warning within 24 hours, incident notification within 72 hours, final report within one month)
  • Board reporting template (quarterly compliance status)
  • Training requirements specification
  • Supply chain security assessment criteria
MEDIUM EFFORT — 20 days
Phase 4: Implementation Roadmap & Handover

Weeks 11–12  |  Delivery
Consolidate all findings into a prioritised implementation roadmap with clear timelines, resource requirements, and cost estimates. Present to executive team and hand over to internal programme management.
  • Prioritised implementation roadmap (next 12 months)
  • Resource and budget estimates per workstream
  • Board-ready executive presentation
  • Compliance programme calendar
  • Knowledge transfer & handover documentation
FOCUSED — 10 days

NIS2 Article Mapping

Art. 20 — Governance & Management Accountability

Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and complete cybersecurity training. Members of management bodies can be held liable for infringements of Art. 21.

Phases 1, 2, 3
Art. 21(2)(a) — Risk Analysis & Information System Security Policies

Comprehensive risk assessment and information security policy development across all domains.

Phases 2, 3
Art. 21(2)(b) — Incident Handling

Procedures for detecting, analysing, containing and responding to incidents, feeding into the Art. 23 reporting chain (24-hour early warning, 72-hour notification, final report within one month to the CSIRT or competent authority).

Phase 3
Art. 21(2)(c) — Business Continuity & Crisis Management

Backup management, disaster recovery planning, and business continuity procedures.

Phases 2, 3
Art. 21(2)(d) — Supply Chain Security

Assessment criteria for suppliers and service providers. Contract requirements and risk classification.

Phases 2, 3
Art. 21(2)(e) — Acquisition, Development & Maintenance Security

Secure development lifecycle requirements for the acquisition, development and maintenance of network and information systems.

Phases 2, 4
Art. 21(2)(e) — Vulnerability Handling & Disclosure

Vulnerability management processes and coordinated disclosure policies (the vulnerability handling and disclosure requirement sits within Art. 21(2)(e), not 21(2)(f), which covers assessing the effectiveness of the measures).

Phases 2, 3
Art. 23 — Notification Obligations

Multi-jurisdiction reporting procedures and escalation framework for the CSIRT or competent authority in each country: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month of the notification.

Phases 3, 4

Key Programme Risks

MEDIUM

Multi-Jurisdiction Complexity

Multiple Nordic jurisdictions with different transposition timelines and sector-specific authorities.

Mitigation: Unified compliance framework with country-specific addenda
MEDIUM

Stakeholder Availability

Key subject matter experts may be stretched across compliance work and BAU operations.

Mitigation: Structured interview schedule agreed upfront with management commitment
MEDIUM

Global Framework Alignment

Existing group-level IT security framework may cover some NIS2 requirements. Critical to identify overlaps and gaps early to avoid duplication.

Mitigation: Phase 1 dedicated to analysing global framework against local NIS2 requirements
MEDIUM

Documentation Gaps

Existing policies may be informal or outdated. Limited baseline documentation increases assessment effort.

Mitigation: Phase 1 document review identifies gaps early, adjusts interview depth
MEDIUM

Supply Chain Depth

Global supply chain with varying digital maturity. Tier-2+ supplier visibility may be limited.

Mitigation: Risk-based tiering, focus assessment criteria on critical suppliers first
LOW

Transposition Delays

National transposition timelines may shift, affecting specific requirements.

Mitigation: Build to EU Directive baseline, adapt when national law finalised

Ready to start your NIS2 governance programme?

18+ years of programme management in regulated environments. Let's build a compliance roadmap tailored to your organisation.

Book a Session