Completing a gap analysis is the first milestone in your NIS 2 compliance journey — but it's only the beginning. The gap analysis tells you where you stand. The real work is closing those gaps systematically and building the evidence trail that proves it.
Phase 1: Prioritize by Risk (Weeks 1–2)
Not all gaps are equal. Prioritize based on:
- Regulatory risk: Which gaps relate to mandatory NIS 2 requirements vs. best practices?
- Operational risk: Which gaps expose you to the highest likelihood/impact scenarios?
- Quick wins: Which gaps can be closed with policy documentation alone?
Create a risk-ranked remediation plan with owners, deadlines, and success criteria for each gap.
Phase 2: Build Policies and Procedures (Weeks 3–6)
Most NIS 2 gaps boil down to missing or insufficient documentation. For each gap:
- Draft the required policy or procedure
- Get management approval (Article 20 requirement)
- Communicate to affected staff
- Implement technical controls where needed
Don't aim for perfection. Aim for policies that are proportionate to your organization's size and risk profile. A 3-page incident response plan that people actually follow is better than a 50-page document nobody reads.
Phase 3: Evidence Collection (Weeks 7–10)
Compliance isn't about having policies — it's about proving they work. For each control:
- Document how the control operates
- Collect evidence of implementation (screenshots, logs, meeting minutes)
- Record training completion
- Track supplier assessments
Phase 4: Internal Audit (Weeks 11–12)
Before any external audit or NCA assessment, run an internal audit. This doesn't need to be elaborate — it needs to be honest. Test a sample of controls, document the findings, and create corrective actions for anything that isn't working.
The Benchmark
A mid-size company (50–250 employees) can typically go from gap analysis to audit readiness in 10–14 weeks with dedicated effort. The key is consistency: a little progress every week beats a compliance sprint before an audit.