Strategic Resilience

Know exactly where you stand with NIS2.

Clear gap analysis, prioritised roadmap and board-level substantiation. Deadline July 1, 2025.

What is a NIS2 Readiness Assessment?

A NIS2 Readiness Assessment tests your organisation against the requirements of the NIS2 directive and shows where you stand. You receive a gap analysis per NIS2 domain, a risk classification per finding and a prioritised roadmap to demonstrably comply before the July 1, 2025 deadline. Directors face personal liability for negligence; this assessment gives the board substantiation for that conversation.

About this service

NIS2 makes cybersecurity a board-level responsibility

NIS2 sets requirements for risk management, incident reporting, supply chain security and governance. The assessment is not an abstract compliance checklist: it is a practical review of what you already have, what is missing and how to close the gaps efficiently.

The team assesses your security level against the NIS2 requirements across all relevant domains. NIS2 covers not only technical measures but also governance, incident response, supply chain management and awareness. Each domain is assessed and each gap receives a risk classification.

Directors receive a clear summary: what are the risks of non-compliance, where do we stand and what is the plan? After the assessment the team can also support implementation and demonstrating compliance to regulators.

The Problem

You know NIS2 requires urgency

Many organisations do not know whether they fall under NIS2, let alone what still needs to be done. The July 1, 2025 deadline is approaching and regulators are beginning enforcement.

  • You are unsure whether your organisation is classified as essential or important, while the consequences of a wrong assessment are significant.
  • Directors can be held personally liable for demonstrable negligence, yet have no objective view of the current state of affairs.
  • Without a prioritised roadmap you do not know where to begin and investments become fragmented across measures that do not deliver the highest risk reduction.

Scope

What the assessment covers

  • Applicability assessment: does your organisation fall under NIS2?
  • Governance and board-level responsibility
  • Risk management and risk assessment
  • Technical security measures
  • Incident response and reporting obligations
  • Supply chain security
  • Business continuity
  • Security awareness and training
  • Documentation and demonstrability

Our Approach

How DEFION conducts a NIS2 assessment

01

Applicability assessment

Determining whether your organisation is classified as essential or important and which NIS2 articles apply.

02

Current state review

Assessment of existing measures against NIS2 requirements via document review and structured stakeholder interviews.

03

Gap analysis

Identification of missing or insufficient measures per domain. Each gap receives a risk classification.

04

Risk prioritisation

Determining which gaps pose the greatest risk and must be addressed first.

05

Roadmap development

Prioritised implementation plan with timeline, quick wins and long-term measures.

06

Board presentation

Presentation of results and roadmap to the board with executive summary for management reporting.

What You Receive

Deliverables

  • NIS2 applicability assessment (essential or important)
  • Gap analysis report per NIS2 domain
  • Compliance maturity score per domain
  • Prioritised implementation roadmap with quick wins
  • Executive summary for board reporting
  • Detailed technical report for your security team
  • Recommendations for supplier and supply chain risk management

For Whom

Suitable for

  • Organisations that must comply with NIS2 (essential and important entities)
  • Directors who want to understand and substantiate their personal liability
  • Companies unsure whether NIS2 applies to them
  • Organisations wanting to demonstrate compliance to regulators
  • Organisations combining NIS2 with an ISO 27001 or DORA programme

Frequently Asked Questions

FAQ

When do we need to be NIS2 compliant?

The NIS2 deadline for the Netherlands is July 1, 2025. Supervisors are starting enforcement and directors face personal liability for demonstrable negligence. Starting an assessment now gives you time to close gaps before the deadline.

Does NIS2 apply to our organisation?

NIS2 distinguishes essential entities (energy, transport, water, healthcare) and important entities (postal, waste management, digital infrastructure). Operating in one of these sectors with more than 50 employees or revenue above EUR 10 million? You likely fall under NIS2. DEFION determines applicability together with you during the intake.

Are directors really personally liable?

Yes. NIS2 holds management bodies responsible for approving and overseeing cybersecurity measures. With demonstrable negligence, directors can be held personally liable and required to follow training. A timely assessment gives the board demonstrable evidence of due diligence.

What if we are already ISO 27001 certified?

ISO 27001 covers a large part of the NIS2 requirements. The assessment maps which additional measures are needed, particularly around incident reporting, supply chain security and governance. The gap is typically limited but not zero.

Do you also help with implementation after the assessment?

Yes. After the assessment the team can support implementation of measures, establishing processes and preparing for audits and regulatory inspections. The engagement does not end with the report.

Ready to map your NIS2 position?

Tell us what you need. We scope the right approach and start within days.