ISMS – Jan Kahmen – 3 min read

GAP Analysis According to NIS2

A GAP analysis is a structured process for comparing the current state of an organization's IT security and compliance measures with the requirements of the NIS2 Directive.

Objective

A GAP analysis has three main objectives:

  1. Determine compliance status
    ➜ Identify whether the company meets all NIS2 requirements.
  2. Uncover security and governance gaps
    ➜ Identify technical and organizational weaknesses.
  3. Prioritize measures
    ➜ Develop risk- and deadline-based action plans.

Procedure – Step by Step

Step 1 – Define Target Requirements

  • Analyze the legal basis:
    • EU NIS2 Directive (2022/2555)
    • National implementation laws (e.g., NIS2UmsuCG in Germany)
  • Derive a catalog of requirements, e.g.:
    • Risk management measures
    • Technical and organizational protective measures
    • Incident reporting and response times
    • Business continuity & disaster recovery
    • Supply chain security
    • Security training
    • Verification and documentation requirements
    • Responsibilities of management

Step 2 – Assess the Current Situation

  • Interviews with IT, security, compliance, and management
  • Document review (policies, process descriptions, audit reports)
  • Technical inventory (monitoring systems, backup concepts, network architecture)
  • Evidence review (e.g., records of incident reports, training records)

Step 3 – Compare Target and Actual Status

  • Classification per requirement:
    • ✅ Fulfilled
    • ⚠️ Partially fulfilled
    • ❌ Not fulfilled
  • Assessment of the severity of the gap:
    • Compliance risk (legal violation?)
    • Business risk (operational risk?)
    • Impact on customers/partners

Step 4 – Develop an Action Plan

  • Immediate measures (e.g., define incident reporting process)
  • Medium-term measures (e.g., introduce supplier audits)
  • Long-term measures (e.g., modernize security architecture)
  • Clearly define responsibilities and deadlines

Tools & Best Practices

  • Frameworks: ISO 27001, NIST CSF, BSI IT-Grundschutz (high overlap with NIS2 requirements)
  • Use maturity models:
    • 0 = not available
    • 5 = best practice / fully integrated
  • Schedule external audits:
    • Avoid “operational blindness”
  • Ensure documentation:
    • “Not documented” often counts as “not available” in audits
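As an added illustration (not part of the original article), the following Python script applies the Step 3 classification and Step 4 prioritization to a constructed requirements catalog, using the 0–5 maturity scale above and the audit rule that undocumented controls count as not available. The target maturity level, the 1–3 risk scores, the deadline thresholds and the catalog references are assumptions.

```python
from dataclasses import dataclass

TARGET_MATURITY = 3  # assumed: minimum level on the 0-5 scale that counts as "fulfilled"

@dataclass
class Requirement:
    ref: str               # catalog reference (constructed, not an official article number)
    maturity: int          # 0 = not available ... 5 = best practice / fully integrated
    documented: bool       # audit-grade evidence exists (policy, record, report)?
    compliance_risk: int   # 1-3: risk of a legal violation
    business_risk: int     # 1-3: operational risk
    customer_impact: int   # 1-3: impact on customers/partners
    deadline_days: int     # days until the measure must be in place (assumed)

def effective_maturity(r: Requirement) -> int:
    """Audit view: 'not documented' counts as 'not available'."""
    return r.maturity if r.documented else 0

def classify(r: Requirement) -> str:
    """Step 3 status: fulfilled / partial / missing."""
    m = effective_maturity(r)
    if m >= TARGET_MATURITY:
        return "fulfilled"
    return "partial" if m > 0 else "missing"

def severity(r: Requirement) -> int:
    """Gap size (levels below target) weighted by the three Step 3 risk dimensions."""
    gap = max(TARGET_MATURITY - effective_maturity(r), 0)
    return gap * (r.compliance_risk + r.business_risk + r.customer_impact)

def action_tier(r: Requirement) -> str:
    """Step 4 bucket: immediate / medium-term / long-term (thresholds are assumptions)."""
    if classify(r) == "fulfilled":
        return "none"
    if r.deadline_days <= 30 or r.compliance_risk == 3:
        return "immediate"
    return "medium-term" if r.deadline_days <= 180 else "long-term"

def build_action_plan(catalog):
    """Open gaps only, highest severity first, earliest deadline breaking ties."""
    open_gaps = [r for r in catalog if classify(r) != "fulfilled"]
    open_gaps.sort(key=lambda r: (-severity(r), r.deadline_days))
    return [(r.ref, classify(r), severity(r), action_tier(r)) for r in open_gaps]

# Constructed sample catalog: values are illustrative, not a real assessment
SAMPLE_CATALOG = [
    Requirement("IR-1", 1, True, 3, 2, 2, 30),     # incident reporting process
    Requirement("SC-1", 0, False, 2, 3, 2, 180),   # supply chain security
    Requirement("BC-1", 4, False, 2, 3, 1, 365),   # backup / disaster recovery, undocumented
    Requirement("TR-1", 3, True, 1, 1, 1, 90),     # security training
]
```

Note that BC-1 drops from maturity 4 to "not fulfilled" purely because no evidence exists, which is exactly the audit outcome the documentation rule above warns about.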

Typical Challenges

  • Room for interpretation: NIS2 is sometimes abstract – national implementation texts are more precise.
  • Cross-functional responsibilities: IT, purchasing, HR, legal, and management must work together.
  • Supply chain security: Often the biggest risk, but difficult to implement.
  • Reporting processes within 24 hours: Requires clear communication and on-call service.

Conclusion

A NIS2 GAP analysis is not a one-time mandatory exercise, but the starting point for sustainable security and compliance management.
When done well, it offers:

  • Legal certainty
  • Improved security situation
  • Clear roadmap for implementation

Key takeaway: “What cannot be proven does not exist.” – Under NIS2, it's not just what you do that counts, but also what you can prove.
