
The 90-Day NIS2 Compliance Plan for SMEs: Week-by-Week Deliverables, No Consultant Required

NIS2 enforcement across the EU is live. Since 18 October 2024, national competent authorities have had full supervisory powers: binding instructions, mandatory security audits, and fines reaching €10 million or 2% of global annual turnover for essential entities [1]. Under Article 20, management is personally accountable — and Article 32(6) allows authorities to temporarily ban individuals from exercising management functions if significant failings are found.

If your organisation qualifies as a medium or large entity in a covered sector, the question is no longer whether to comply — it is how to get there without a six-month consulting engagement and a five-figure bill. This 90-day roadmap gives you a week-by-week plan of specific deliverables, mapped to the NIS2 template bundle, with realistic effort estimates for an internal team.

A word on scope: “90-day compliance” means a defensible compliance position — documented risk management, core security policies, incident handling in place, and an evidence trail showing management treats NIS2 as a managed obligation. Full compliance — tested business continuity plans, completed penetration testing, comprehensive supply chain assessments — takes 12–18 months. This roadmap builds the foundation that makes the rest possible.

Does This Roadmap Apply to Your Organisation?

NIS2 applies when two conditions are met simultaneously: your organisation operates in a covered sector and meets the size thresholds. The entry point is the “medium enterprise” classification — 50 or more employees, or annual turnover exceeding €10 million, in a sector listed in Annex I or II of the Directive [1].

Category | Headcount | Annual Turnover | Balance Sheet | NIS2 Status
Micro | <10 | <€2M | <€2M | Generally exempt
Small | <50 | <€10M | <€10M | Generally exempt
Medium | <250 | <€50M | <€43M | In scope (Important Entity)
Large | 250+ | €50M+ | €43M+ | In scope (Essential or Important)

The consolidation trap most SMEs miss: your NIS2 classification is not based solely on your entity’s own figures. If you are part of a corporate group, you must consolidate headcount and financial data from “partner enterprises” (non-majority holdings above 25%) and “linked enterprises” (majority-ownership holdings) [2]. A 30-person subsidiary wholly owned by a large manufacturing group may qualify as an “important entity” based on group-wide metrics, even if it looks like a small business on its own balance sheet. Check your corporate structure before concluding you are out of scope.

The 18 covered sectors split into two tiers:

  • Annex I — Essential Entities: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
  • Annex II — Important Entities: postal and courier services, waste management, manufacture of critical products (chemicals, food, medical devices, motor vehicles), digital providers, research organisations

If you are not in any of these sectors, NIS2 does not apply to you directly. You may still face indirect compliance pressure: in-scope customers are required under Art. 21(2)(d) to assess their suppliers’ security posture, and that pressure flows downstream regardless of your own legal status.
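The scope test above (sector plus size, with group consolidation) is easy to get wrong in a spreadsheet, so here is a worked check as an added example; it is not part of the article or the template bundle. It encodes the thresholds from the table and the article's consolidation rule. Two details are my assumptions rather than the article's text: partner enterprises are counted pro rata to the share held and linked enterprises in full, following the EU SME Recommendation 2003/361/EC, and an enterprise leaves a size band only when headcount or both financial figures exceed the limits (the Recommendation's "and/or" wording). The sector labels are constructed shorthand for the Annex sectors the article lists.

```python
from dataclasses import dataclass

# Sector keys as the article summarises the Annexes (constructed labels; the
# Directive's Annex I and II define sectors and sub-sectors in more detail).
ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "healthcare", "drinking water", "wastewater", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal and courier", "waste management", "chemicals", "food",
            "medical devices", "motor vehicles", "digital providers", "research"}


@dataclass(frozen=True)
class Figures:
    """Headcount and financial data for one enterprise (or a consolidated group)."""
    headcount: float
    turnover_eur: float
    balance_sheet_eur: float

    def __add__(self, other):
        return Figures(self.headcount + other.headcount,
                       self.turnover_eur + other.turnover_eur,
                       self.balance_sheet_eur + other.balance_sheet_eur)

    def scaled(self, share):
        return Figures(self.headcount * share, self.turnover_eur * share,
                       self.balance_sheet_eur * share)


def consolidate(own, partners=(), linked=()):
    """Group consolidation as in the EU SME Recommendation 2003/361/EC (assumed):
    linked enterprises (majority holdings) are added in full, partner enterprises
    (25 %-50 % holdings) pro rata to the share held. `partners` is a list of
    (Figures, share) pairs, `linked` a list of Figures."""
    total = own
    for figures, share in partners:
        if not 0.25 <= share <= 0.50:
            raise ValueError("partner enterprise shares lie between 25 % and 50 %")
        total = total + figures.scaled(share)
    for figures in linked:
        total = total + figures
    return total


def size_class(f):
    """Size band per Recommendation 2003/361/EC: an enterprise stays in the smaller
    band only if headcount is under the limit AND at least one of turnover or
    balance sheet is under its limit (the Recommendation's 'and/or')."""
    if f.headcount >= 250 or (f.turnover_eur > 50e6 and f.balance_sheet_eur > 43e6):
        return "large"
    if f.headcount >= 50 or (f.turnover_eur > 10e6 and f.balance_sheet_eur > 10e6):
        return "medium"
    if f.headcount >= 10 or (f.turnover_eur > 2e6 and f.balance_sheet_eur > 2e6):
        return "small"
    return "micro"


def nis2_status(sector, figures):
    """Provisional status following the article's table: medium -> important,
    large in Annex I -> essential, large in Annex II -> important. Size-independent
    exceptions (DNS providers, TLD registries, trust service providers) are not modelled."""
    size = size_class(figures)
    if sector not in ANNEX_I | ANNEX_II or size in ("micro", "small"):
        return "out of scope", size
    if size == "large" and sector in ANNEX_I:
        return "essential", size
    return "important", size


# Constructed example: the article's 30-person subsidiary of a large manufacturing group.
SUBSIDIARY = Figures(headcount=30, turnover_eur=4e6, balance_sheet_eur=3e6)
PARENT_GROUP = Figures(headcount=600, turnover_eur=150e6, balance_sheet_eur=120e6)

if __name__ == "__main__":
    print("stand-alone:", nis2_status("motor vehicles", SUBSIDIARY))
    group_figures = consolidate(SUBSIDIARY, linked=[PARENT_GROUP])
    print("consolidated:", nis2_status("motor vehicles", group_figures))
```

Run stand-alone, the subsidiary is out of scope on its own figures and an important entity once the wholly owning parent is consolidated, which is exactly the trap the paragraph above describes. Treat the result as a starting point for the legal confirmation in Week 1, not as the confirmation itself.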

Why 90 Days? Setting Realistic Expectations

National competent authorities began enforcement on 18 October 2024 [5]. Demonstrating a structured, progressing compliance programme — even one still in progress — shifts the regulatory risk conversation considerably compared to having nothing documented at all.

The management liability dimension is what motivates internal buy-in. Article 32(6) permits supervisory authorities to temporarily prohibit natural persons responsible for management-level tasks from exercising management functions in the event of significant violations [5]. The penalties framework is not merely a corporate fine — it reaches individuals. Review our management liability guide for how to present this risk to your board.

The 90-day plan achieves three things that matter in an audit:

  1. A documented risk assessment process — satisfying Art. 21(1)’s “appropriate and proportionate” standard with evidence
  2. Core security policies and incident handling procedures — demonstrating the 10 Article 21 measures are addressed
  3. A management oversight trail — showing Art. 20’s accountability requirement is actively met

What 90 days does not achieve: tested business continuity plans, completed penetration testing, full supply chain audits, or quarterly risk reviews. Those belong to months 4–18. The sequencing below puts audit-critical deliverables first.

Your 90-Day NIS2 Plan at a Glance

Phase | Weeks | Focus | Key Deliverables
Month 1: Foundation | 1–4 | Governance + risk | NIS2 Officer appointed, scope document, asset register, risk assessment, Information Security Policy
Month 2: Controls | 5–10 | Core security measures | Incident handling procedures, access control and MFA, supply chain assessment
Month 3: Evidence | 11–13 | Verification and audit readiness | Remaining policies, audit evidence pack, management review meeting

Figure: 90-day NIS2 compliance roadmap timeline divided into three monthly phases. The three-phase roadmap sequences governance, controls, and evidence so that audit-critical deliverables come first.

Month 1: Governance and Risk Foundation (Weeks 1–4)

Month 1 builds the structural foundation that makes every downstream activity defensible. These four weeks produce five documents; every later policy and control references them.

Week 1: Appoint Your NIS2 Officer and Define Your Scope (6–8 hours)

Two decisions unblock everything else in Week 1.

Who is your NIS2 Officer? Article 20 places responsibility for cybersecurity risk management directly on the management body — not the IT department. You need a named person with management-level authority who owns the compliance programme. In an SME, this is typically the CEO, COO, or IT Director. The appointment should be documented in writing.

Are you Essential or Important? The classification determines your penalty exposure (€10M / 2% of global turnover for Essential entities vs. €7M / 1.4% for Important entities) and the supervisory intensity you can expect. Use the sector classification in Art. 3 of the Directive combined with the size thresholds above. If your sector appears in Annex I and you meet the thresholds, you are provisionally an Essential Entity — confirm with your legal team if any ambiguity exists.

Deliverables: A one-page governance memo naming the NIS2 Officer, confirming entity classification, and carrying management sign-off. The NIS2 Quick-Start Bundle includes a structured welcome document and implementation guide that walk through this step.

Week 2: Build Your Asset Register (10–14 hours)

Risk assessment requires a list of what you are protecting. The Asset Register is the foundation of every downstream compliance activity — and frequently the first document an auditor requests.

Capture four categories:

  • IT systems: servers, endpoints, cloud services, SaaS subscriptions
  • Data assets: customer data, operational data, financial records
  • Network components: firewalls, routers, remote access infrastructure, cloud interconnects
  • Critical service dependencies: APIs, cloud providers, ISPs, payment processors

SME shortcut: Start with services, not individual machines. A 60-person manufacturer typically has 8–15 critical services (ERP, email, cloud storage, VPN, production systems, payment gateway). Map those first; individual endpoint inventory follows in Month 2.

Four columns are sufficient for your initial register: asset name, type, named owner, and criticality (High / Medium / Low). High-criticality assets are those whose failure or compromise would constitute a “significant incident” under Art. 23.

Week 3: Conduct Your Risk Assessment (14–18 hours)

This is the most intellectually demanding week of Month 1 — and the most important. Article 21(1) requires measures to be “appropriate and proportionate” to your actual risk exposure, taking into account “the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents” [1]. Without a documented risk assessment, “proportionate” has no evidence base.

Use a 5×5 likelihood–impact matrix. Score each risk from 1–5 on each axis; the product is your risk score.

Score | Likelihood | Impact Example
1 | Rare — once per decade | Negligible disruption, no data loss
2 | Unlikely — once per 5 years | Minor outage (<1 day), fully recoverable
3 | Possible — once per year | Moderate outage (1 week), some data exposure
4 | Likely — several times per year | Major disruption (>1 week), significant data loss
5 | Almost certain — monthly | Service collapse, notifiable breach, cross-border impact

Risk score = Likelihood × Impact. Risks scoring 12 or above need treatment plans; scores of 15–25 are your immediate priorities. Aim for at least 20 identified risks covering all 10 Art. 21 domains — this ensures your assessment is comprehensive enough to satisfy the “all-hazards approach” the Directive requires [3].
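The scoring rules above are simple enough to automate, and doing so catches the two mistakes that most often undermine a first risk register: scores outside the 1 to 5 range and domains with no risk recorded at all. The following is an added example, not code from the article or the Risk Management Pack. It applies the 12 and 15 thresholds from the text, orders the treatment queue, and reports which of the ten Art. 21(2) domains the register still misses; the sample risks are constructed.

```python
from dataclasses import dataclass

# The ten Art. 21(2) domains, lettered as in the article's tables.
ART21_DOMAINS = {
    "a": "risk analysis and information system security",
    "b": "incident handling",
    "c": "business continuity and crisis management",
    "d": "supply chain security",
    "e": "security in acquisition, development and maintenance",
    "f": "effectiveness assessment",
    "g": "cyber hygiene and training",
    "h": "cryptography",
    "i": "HR security and access control",
    "j": "MFA and secure communications",
}
TREATMENT_THRESHOLD = 12   # 12 and above: treatment plan required
IMMEDIATE_THRESHOLD = 15   # 15-25: immediate priorities
MIN_RISKS = 20             # the article's target for a comprehensive register


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    domain: str       # letter from ART21_DOMAINS
    likelihood: int   # 1-5 on the matrix
    impact: int       # 1-5 on the matrix

    def __post_init__(self):
        if self.domain not in ART21_DOMAINS:
            raise ValueError(f"{self.risk_id}: unknown Art. 21 domain {self.domain!r}")
        for axis, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not (isinstance(value, int) and 1 <= value <= 5):
                raise ValueError(f"{self.risk_id}: {axis} must be an integer from 1 to 5")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def priority(self):
        if self.score >= IMMEDIATE_THRESHOLD:
            return "immediate"
        if self.score >= TREATMENT_THRESHOLD:
            return "treat"
        return "accept/monitor"


def treatment_queue(risks):
    """Risks that need a treatment plan, highest score first; ties go to the higher
    impact, since a rare but catastrophic event is usually the worse surprise."""
    needing = [r for r in risks if r.score >= TREATMENT_THRESHOLD]
    return sorted(needing, key=lambda r: (-r.score, -r.impact, r.risk_id))


def coverage_report(risks):
    """Check the register against the article's comprehensiveness targets."""
    missing = sorted(set(ART21_DOMAINS) - {r.domain for r in risks})
    return {
        "risk_count": len(risks),
        "enough_risks": len(risks) >= MIN_RISKS,
        "missing_domains": missing,
        "immediate": [r.risk_id for r in risks if r.priority == "immediate"],
    }


# Constructed sample register for a small manufacturer (not a real assessment).
SAMPLE_RISKS = [
    Risk("R01", "Ransomware via phishing reaches the ERP server", "b", 4, 5),
    Risk("R02", "VPN accounts without MFA brute-forced", "j", 3, 5),
    Risk("R03", "Cloud backups never test-restored", "c", 2, 5),
    Risk("R04", "Payment processor outage", "d", 3, 3),
    Risk("R05", "Firewall firmware months behind on patches", "e", 3, 4),
    Risk("R06", "Leaver keeps admin access after departure", "i", 2, 3),
]

if __name__ == "__main__":
    for r in treatment_queue(SAMPLE_RISKS):
        print(f"{r.risk_id} score={r.score:2d} {r.priority:9s} {r.description}")
    print(coverage_report(SAMPLE_RISKS))
```

With the six constructed risks the queue holds R01, R02 and R05, and the coverage report shows the register is short of the 20-risk target and has nothing recorded under (a), (f), (g) and (h), which is the signal to go back to the workshop before sign-off.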

Deliverables: Risk Assessment Methodology, Risk Assessment Table, and Risk Treatment Table. The Risk Management Pack contains all three as pre-structured DOCX files. Our NIS2 risk assessment guide covers the full methodology.

For healthcare, energy, and critical digital infrastructure, a qualified ISMS professional review of your risk treatment plan before sign-off is proportionate to the regulatory exposure in those sectors.

Week 4: Write Your Information Security Policy (8–10 hours)

The Information Security Policy is the capstone document of Month 1. It satisfies Art. 21(2)(a)’s requirement for “policies on risk analysis and information system security,” and it is the document an auditor reaches for first when assessing governance maturity.

At 3–5 pages, it must cover: scope and objectives, a management commitment statement signed by the named NIS2 Officer, reference to your risk assessment methodology, roles and responsibilities, applicable compliance obligations, and a policy review cycle (annual minimum). Use a template that maps explicitly to Art. 21 — the Quick-Start Bundle includes an Information Security Policy pre-structured to NIS2 requirements.

Before closing Week 4, obtain management sign-off on both the policy and the residual risks from your risk treatment plan. This sign-off is your earliest documented evidence of Art. 20 management oversight. See our full guide to NIS2 requirements for how each Art. 21 measure maps to specific documentation.

Month 2: Implement Core Controls (Weeks 5–10)

Month 2 moves from governance to operational security. The three clusters below — incident handling, access controls, and supply chain — are sequenced by audit criticality. Incident handling comes first because Art. 23’s reporting clock runs from the moment a significant incident occurs, regardless of your implementation status.

Weeks 5–6: Set Up Incident Handling Procedures (14–18 hours total)

Art. 23 imposes three hard notification deadlines: a 24-hour early warning to your national CSIRT or competent authority, a 72-hour incident notification with a preliminary impact assessment, and a one-month final report with root cause and recovery details [5]. These clocks cannot be paused while you build your procedures.

A “significant incident” under Art. 23(3) includes incidents that cause severe operational disruption, affect more than 500,000 users, or have cross-border impact. The practical test for most SMEs: would this incident make it impossible to deliver your in-scope services for more than 24 hours?

Your first task in Week 5: identify your national CSIRT contact and reporting portal. Most EU member states now operate an online portal. Save the URL in a dedicated Incident Response folder — this bookmark may need to be found under pressure.

Deliverables: Incident Handling Policy (who is responsible, escalation paths, severity thresholds), an Incident Classification Matrix, an Incident Log (running record of security events), and three notification form templates — one per reporting stage. The Incident Response Pack contains all five documents. See our incident reporting guide for the full timeline and reporting requirements.

Test before Week 6 ends: run a 30-minute tabletop exercise — read a ransomware scenario aloud with your NIS2 Officer and IT lead, and trace it through your new classification matrix and notification forms. The gaps you find in a tabletop are far cheaper to fix than the same gaps discovered during a real incident.
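The three Art. 23 clocks are the part of the tabletop exercise people most often get wrong, because "one month" is calendar arithmetic rather than 30 days. The following is an added example, not code from the article or the Incident Response Pack: a minimal Incident Log row with the three deadlines derived from the moment the entity became aware, and a status line per reporting stage. One assumption is mine: the final-report clock is taken to run from submission of the 72-hour notification (Art. 23(4)(d)), and is projected from that notification's deadline while it is still unsent. The log entry and timestamps are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def add_one_month(dt):
    """Calendar-month arithmetic that clamps to the last day of the next month
    (31 January -> 28/29 February), so a deadline never silently slips a month."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass
class IncidentLogEntry:
    """One row of the Incident Log. `aware_at` is when the entity became aware of
    the significant incident; the *_sent fields record actual submissions."""
    incident_id: str
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(entry):
    """The three Art. 23 clocks. Assumption: the one-month final-report clock runs
    from submission of the 72-hour notification (Art. 23(4)(d)); until that is
    submitted it is projected from the notification's own deadline."""
    early = entry.aware_at + timedelta(hours=24)
    notification = entry.aware_at + timedelta(hours=72)
    final = add_one_month(entry.notification_sent or notification)
    return {"early_warning": early, "incident_notification": notification,
            "final_report": final}


def stage_status(deadline, sent_at, now):
    if sent_at is not None:
        return "submitted on time" if sent_at <= deadline else "submitted late"
    if now > deadline:
        return "OVERDUE"
    hours_left = int((deadline - now).total_seconds() // 3600)
    return f"due in {hours_left}h"


def notification_status(entry, now):
    """Status of every reporting stage for one incident at time `now`."""
    due = deadlines(entry)
    sent = {"early_warning": entry.early_warning_sent,
            "incident_notification": entry.notification_sent,
            "final_report": entry.final_report_sent}
    return {stage: stage_status(due[stage], sent[stage], now) for stage in due}


# Constructed log entry: aware at 09:00 UTC on 31 January, early warning sent that evening.
SAMPLE_ENTRY = IncidentLogEntry(
    incident_id="INC-0001",
    aware_at=datetime(2025, 1, 31, 9, 0, tzinfo=UTC),
    early_warning_sent=datetime(2025, 1, 31, 20, 0, tzinfo=UTC),
)
SAMPLE_NOW = datetime(2025, 2, 2, 9, 0, tzinfo=UTC)        # two days in
SAMPLE_NOW_LATE = datetime(2025, 2, 4, 9, 0, tzinfo=UTC)   # 72-hour deadline passed

if __name__ == "__main__":
    for stage, status in notification_status(SAMPLE_ENTRY, SAMPLE_NOW).items():
        print(f"{SAMPLE_ENTRY.incident_id} {stage:22s} {status}")
```

Keep the timestamps timezone-aware (UTC here) so that a reporting portal in another member state and your own log agree on when the 24 hours ran out; a naive local timestamp is the usual way to lose an hour at a DST change.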

Weeks 7–8: Deploy Access Controls and MFA (18–22 hours)

Art. 21(2)(j) requires “multi-factor authentication or continuous authentication solutions” for in-scope network and information systems. MFA on admin and remote-access accounts is the single highest return-on-investment security action in the entire compliance programme — it directly blocks credential stuffing, phishing, and remote access exploitation, which together account for the majority of NIS2-notifiable incidents.

Deploy in priority order:

  1. MFA on all administrator accounts (Active Directory, cloud admin portals, DNS management)
  2. MFA on all remote access (VPN, RDP, cloud portals)
  3. Least-privilege audit: verify every user account holds only the access it needs
  4. Privileged access separation: admin credentials distinct from daily-use accounts

For SMEs without enterprise identity budgets, MFA deployment cost is effectively zero: Microsoft Authenticator is included in Microsoft 365 Business Basic; Google Workspace 2-Step Verification is included in all tiers; Duo Security has a free tier for up to 10 users; open-source TOTP apps (Aegis, Authy) work with any TOTP-compatible service. Policy writing from a template takes approximately 4 hours; MFA rollout across 50 users takes a competent IT person roughly one working day.
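Before rolling MFA out, it helps to know exactly which accounts fall under priorities 1, 2 and 4 above, and afterwards the same check produces the coverage figure that goes into the evidence pack. The following audit over a directory export is an added example, not code from the article or the template bundle; the role names and the account list are constructed placeholders to be mapped onto whatever groups your directory actually exports. Step 3, the least-privilege review, needs a role-to-job mapping that no export provides and is left to the manual review.

```python
from dataclasses import dataclass

# Role names are constructed placeholders; map them to the groups your directory exports.
ADMIN_ROLES = {"domain_admin", "global_admin", "dns_admin", "cloud_admin"}
REMOTE_ROLES = {"vpn", "rdp"}
DAILY_USE_ROLES = {"mailbox"}   # having a mailbox marks an account as used for everyday work


@dataclass(frozen=True)
class Account:
    username: str
    roles: frozenset
    mfa_enrolled: bool


def audit_accounts(accounts):
    """Findings ordered by the article's deployment priority:
    1 = administrator account without MFA, 2 = remote-access account without MFA,
    4 = admin role on a daily-use account (no privileged-access separation).
    Priority 3, the least-privilege review, stays a manual step."""
    findings = []
    for a in accounts:
        privileged = bool(a.roles & ADMIN_ROLES)
        remote = bool(a.roles & REMOTE_ROLES)
        if privileged and not a.mfa_enrolled:
            findings.append((1, a.username, "administrator account without MFA"))
        if remote and not a.mfa_enrolled:
            findings.append((2, a.username, "remote-access account without MFA"))
        if privileged and a.roles & DAILY_USE_ROLES:
            findings.append((4, a.username,
                             "admin role on a daily-use account; issue a separate admin credential"))
    return sorted(findings)


def mfa_coverage(accounts, roles=None):
    """Percentage of accounts with MFA, optionally restricted to accounts holding one
    of `roles`; 100.0 is the target for admin and remote-access roles."""
    pool = [a for a in accounts if roles is None or a.roles & roles]
    if not pool:
        return 100.0
    return round(100.0 * sum(a.mfa_enrolled for a in pool) / len(pool), 1)


# Constructed directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice.admin", frozenset({"global_admin"}), mfa_enrolled=False),
    Account("alice", frozenset({"mailbox", "vpn"}), mfa_enrolled=True),
    Account("bob", frozenset({"mailbox", "vpn"}), mfa_enrolled=False),
    Account("carol", frozenset({"mailbox", "domain_admin"}), mfa_enrolled=True),
    Account("dave", frozenset({"mailbox"}), mfa_enrolled=False),
]

if __name__ == "__main__":
    for priority, user, problem in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"P{priority} {user:12s} {problem}")
    print("admin MFA coverage:", mfa_coverage(SAMPLE_ACCOUNTS, ADMIN_ROLES), "%")
    print("remote MFA coverage:", mfa_coverage(SAMPLE_ACCOUNTS, REMOTE_ROLES), "%")
```

Re-run the audit after each rollout batch and keep the dated output alongside the MFA deployment screenshot: an admin and remote-access coverage of 100 % is a far stronger evidence item than a single portal screenshot.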

Deliverables: Access Control Policy, Authentication Policy (MFA requirements and password standards), and a Joiners-Movers-Leavers checklist for access provisioning and revocation. These are included in the Quick-Start Bundle. See our access control and MFA requirements guides for implementation detail.

Weeks 9–10: Assess and Secure Your Supply Chain (14–16 hours)

Art. 21(2)(d) requires assessment and management of “security risks in supply chains.” For most SMEs, this means three actions: identify your critical suppliers, assess their basic security posture, and update contracts to include security obligations.

Not all suppliers carry equal risk. Rank by impact of failure on your in-scope services: cloud providers, payment processors, managed IT service providers, and industrial control system vendors come first. A stationery supplier does not require a security assessment.

For your top five to ten critical suppliers, a security questionnaire of 15–20 questions — covering patching cadence, incident notification commitments, data handling, and access controls — is sufficient for an initial assessment. You are creating a documented record that you evaluated supplier risk and made proportionate decisions, not conducting a full security audit.

Deliverables: Supplier Security Policy, Supplier Security Assessment Questionnaire, a Security Clauses template for inclusion in new or renewed contracts, and a Supplier Directory with criticality ratings. The Supply Chain Pack contains all six documents. Our supply chain security guide covers the full Art. 21(2)(d) requirements. For supplier contracts above €100K or data processor agreements, a one-hour legal review of the security addendum is proportionate.

Month 3: Evidence, Verification, and Registration (Weeks 11–13)

By Week 11, the highest-criticality NIS2 obligations are documented. Month 3 completes the remaining Article 21 measures, assembles your audit evidence, and closes with the formal management review that demonstrates Art. 20 oversight.

Week 11: Complete the Remaining Policy Batch (18–24 hours)

Six remaining Art. 21 measures can be addressed in Week 11 as a coordinated batch. None is as complex as the risk assessment or MFA rollout — the goal is a documented policy plus at least one piece of operational evidence per measure.

Policy | Art. 21 Measure | Effort Estimate
Business Continuity Plan outline + backup policy | (c) Continuity | 4–6 hours
Cryptography and Encryption Policy | (h) Cryptography | 1–2 hours
Cybersecurity Training Plan + deliver one session | (g) Training | 3–4 hours
HR Security Policy / Joiners-Movers-Leavers procedure | (i) HR Security | 2 hours
Vulnerability Patching Policy + patch log | (e) System maintenance | 2–3 hours
Effectiveness Measurement — define 3–5 KPIs and record baseline | (f) Effectiveness | 1–2 hours

The Business Continuity Plan outline is the most time-intensive item here. At this stage you need a documented plan structure — not a fully exercised BCP. Confirm your backup status (location, frequency, recovery time objective), identify your five most critical services and their recovery priority, and document a basic crisis management escalation path. Testing the plan is a Month 4–6 activity. See our business continuity guide for the full Art. 21(2)(c) requirements.

For training: a 45-minute cybersecurity awareness session with an attendance record satisfies the Art. 21(2)(g) baseline. Our training requirements guide covers the agenda structure and management training obligations under Art. 20(2). Detailed cryptography implementation guidance is in our cryptography requirements article.

Week 12: Assemble Your Audit Evidence Pack (10–14 hours)

An Audit Evidence Pack is a single folder — SharePoint library, Google Drive folder, or a physical binder — containing one evidence item per Article 21 measure. This is what you provide to an auditor, and it demonstrates that your policies are operational rather than decorative.

Art. 21 Measure | Evidence Item | Status
(a) Risk analysis + security policy | Risk Assessment Table + Information Security Policy (signed) | Complete
(b) Incident handling | Incident Handling Policy + tabletop exercise record | Complete
(c) Business continuity | BCP outline + backup verification record | Complete
(d) Supply chain | Supplier Directory + 3 completed questionnaires | Complete
(e) System acquisition / maintenance | Vulnerability Patching Policy + patch log excerpt | Complete
(f) Effectiveness assessment | Defined KPIs + baseline measurement record | In progress
(g) Cyber hygiene + training | Training Plan + staff attendance record | Complete
(h) Cryptography | Cryptography and Encryption Policy | Complete
(i) HR security + access control | Access Control Policy + JML log (last 3 months) | Complete
(j) MFA + secure comms | Authentication Policy + MFA deployment screenshot | Complete

“In progress” entries are acceptable provided they carry a documented completion date. An auditor is assessing whether compliance is managed as a process — not whether it is perfect. See our audit preparation guide for what national competent authorities look for during a first supervisory visit.
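The two rules the auditor applies to this pack (one evidence item per measure, and "In progress" only with a documented completion date) are worth checking mechanically before the Week 13 review. The following validator is an added example, not code from the article or the template bundle; it holds the table above as data and returns a list of findings, where an empty list means the pack is ready. The completion date for measure (f) and the review dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MEASURES = "abcdefghij"                  # Art. 21(2)(a)-(j): one evidence item each
ALLOWED_STATUS = {"Complete", "In progress"}


@dataclass(frozen=True)
class EvidenceItem:
    measure: str                           # letter of the Art. 21(2) measure
    evidence: str                          # what is in the folder
    status: str
    completion_date: Optional[str] = None  # ISO date, required for "In progress"


def validate_pack(items, review_date):
    """Return findings for the pack as of `review_date` (ISO date string);
    an empty list means every measure has an acceptable evidence item."""
    today = date.fromisoformat(review_date)
    findings, seen = [], set()
    for item in items:
        if item.measure not in MEASURES:
            findings.append(f"({item.measure}) is not an Art. 21(2) measure letter")
            continue
        seen.add(item.measure)
        if item.status not in ALLOWED_STATUS:
            findings.append(f"({item.measure}) has unknown status {item.status!r}")
        elif item.status == "In progress":
            if item.completion_date is None:
                findings.append(f"({item.measure}) is in progress without a documented completion date")
            elif date.fromisoformat(item.completion_date) < today:
                findings.append(f"({item.measure}) completion date {item.completion_date} "
                                "has passed but status is still 'In progress'")
    for letter in MEASURES:
        if letter not in seen:
            findings.append(f"({letter}) has no evidence item")
    return findings


# The article's Week 12 table as data; the completion date for (f) is constructed.
SAMPLE_PACK = [
    EvidenceItem("a", "Risk Assessment Table + Information Security Policy (signed)", "Complete"),
    EvidenceItem("b", "Incident Handling Policy + tabletop exercise record", "Complete"),
    EvidenceItem("c", "BCP outline + backup verification record", "Complete"),
    EvidenceItem("d", "Supplier Directory + 3 completed questionnaires", "Complete"),
    EvidenceItem("e", "Vulnerability Patching Policy + patch log excerpt", "Complete"),
    EvidenceItem("f", "Defined KPIs + baseline measurement record", "In progress", "2025-03-31"),
    EvidenceItem("g", "Training Plan + staff attendance record", "Complete"),
    EvidenceItem("h", "Cryptography and Encryption Policy", "Complete"),
    EvidenceItem("i", "Access Control Policy + JML log (last 3 months)", "Complete"),
    EvidenceItem("j", "Authentication Policy + MFA deployment screenshot", "Complete"),
]

if __name__ == "__main__":
    print(validate_pack(SAMPLE_PACK, "2025-03-10") or "pack is audit-ready")
    print(validate_pack(SAMPLE_PACK, "2025-04-15"))
```

Running it again at every quarterly review turns a stale "In progress" entry into a finding automatically, which is the "managed as a process" behaviour the paragraph above describes.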

Figure: NIS2 audit evidence pack with one policy folder per Article 21 measure. An Audit Evidence Pack — one document per Article 21 measure — is the primary deliverable for a supervisory authority’s first visit.

Week 13: Management Review and Registration Check (6–8 hours)

Two tasks close your 90-day sprint.

Management Review Meeting (mandatory under Art. 20): Schedule a formal review with your NIS2 Officer and at least one director. Agenda: summary of completed compliance activities, outstanding risks and residual gaps with treatment timelines, approval of the Audit Evidence Pack, and sign-off authorising the compliance programme to continue into its ongoing phase. A signed one-page meeting record is sufficient — it is your primary evidence of Art. 20 management oversight.

Entity Registration: Article 27 requires in-scope entities to register with their national competent authority, providing contact details, sector classification, and primary service information. Most EU member states were still finalising their registration portals as of early 2026. Check your national authority’s website for current requirements. Our entity registration guide covers the required fields and tracks country-by-country portal status.

The 90-Day Deliverables Table

Week | Deliverable | Art. 21 Measure | Effort | DIY?
1 | Governance memo + NIS2 Officer appointment | Art. 20 | 6–8 hrs | Yes
2 | Asset Register (services + systems) | (a), (i) | 10–14 hrs | Yes
3 | Risk Assessment Methodology, Table, Treatment Plan | (a) | 14–18 hrs | Yes*
4 | Information Security Policy (signed) | (a) | 8–10 hrs | Yes
5–6 | Incident Handling Policy, Log, Notification Forms (3 stages) | (b) | 14–18 hrs | Yes
7–8 | Access Control Policy, Authentication Policy, MFA deployment | (i), (j) | 18–22 hrs | Yes
9–10 | Supplier Security Policy, Clauses, Directory, 5 assessments | (d) | 14–16 hrs | Yes†
11 | BCP outline, Cryptography Policy, Training Plan + session, HR Security, Patching Policy | (c), (e), (g), (h), (i) | 18–24 hrs | Yes
12 | Audit Evidence Pack — one item per Art. 21 measure | All | 10–14 hrs | Yes
13 | Management Review meeting record, entity registration check | Art. 20, Art. 27 | 6–8 hrs | Yes

*External review recommended for healthcare, energy, and critical digital infrastructure. †Legal review recommended for supplier contracts above €100K.

DIY vs. Professional Help: Where the Line Is

The 90-day plan is designed for internal delivery. Specific tasks, however, justify external expertise.

Task | DIY? | Get professional help when…
NIS2 Officer designation | Yes |
Scope and entity classification | Yes | Complex corporate group structure
Asset register | Yes | OT or industrial control systems present
Risk assessment | Yes | Healthcare, energy, or critical infrastructure sectors
Information Security Policy | Yes — use template | Rarely justified for a standard SME
Incident handling procedures | Yes | SCADA / OT environments with production systems
MFA deployment | Yes | Legacy systems or large-scale rollout (>250 users)
Supply chain security clauses | Yes | Contract value >€100K or data processor agreement
Business continuity plan (full BIA) | Partial | Full BIA and DR testing benefit from specialist facilitation
Penetration testing | No | Always requires a qualified external tester (CREST, OSCP)
Management training | Yes | Board-level executive sessions benefit from external delivery
Audit readiness review | Yes | Under active supervisory scrutiny

The general rule: legal contracts, OT/ICS systems, and active security testing warrant external expertise. Governance, policy writing, and documentation you can handle internally with well-structured templates.

What the 90-Day Plan Actually Costs an SME

Published NIS2 cost estimates typically reflect large-enterprise programmes. A healthcare essential entity first-year budget of €200,000–€500,000 [4] does not translate to a 70-person food manufacturer. The proportionality provision in Art. 21(1) exists precisely for this: “appropriate and proportionate” means controls match your risk exposure and capacity — not those of the most complex entity in your sector.

Phase | Internal Hours | External Costs (indicative) | Notes
Month 1: Foundation | 38–50 hrs | €0 | Template bundle replaces consultant drafting time
Month 2: Controls | 46–56 hrs | €0–€2,000 | MFA tools mostly free; minor tooling if needed
Month 3: Evidence | 34–46 hrs | €0 | Pure internal effort
Legal review (supplier contracts) | 0 hrs internal | €800–€2,500 | Only for high-value contracts
Penetration test (Month 4+) | 0 hrs internal | €3,000–€8,000 | Outside 90-day scope — budget for Year 1
90-Day Total | ~130–150 hrs | €800–€4,500 | Plus internal staff time at cost

The template bundle cost is a one-time purchase that replaces 20–40 hours of consultant drafting time per document set. For an SME without a dedicated compliance officer, spreading the 90-day plan across an IT manager and a senior administrator at 10–12 hours per week each is a realistic allocation.

Frequently Asked Questions

Does NIS2 apply to microenterprises with fewer than 10 employees?
Generally no. Microenterprises are excluded from the general scope of NIS2. Exceptions apply to DNS providers, top-level domain name registries, and trust service providers regardless of size. Some member states may also apply NIS2 to microenterprises providing services critical to public security or public order [2].

What happens if we miss the 24-hour incident reporting deadline?
Missing the 24-hour early warning can be treated as a separate compliance breach from the underlying incident. Under Art. 32(4), supervisory authorities can issue binding instructions, require security audits at the entity’s expense, and impose administrative fines independently of the incident itself [5]. Build your notification workflow in Week 5 before you need it.

Can we achieve NIS2 compliance without ISO 27001?
Yes. NIS2 requires the outcomes — documented risk management, appropriate controls, incident handling — not a specific management system standard. If you already hold ISO 27001, the overlap with Art. 21 is substantial and significantly reduces your implementation effort. See our NIS2 vs ISO 27001 comparison for the delta requirements.

Does this 90-day plan cover the NIS2 Implementing Regulation (CIR 2024/2690)?
The CIR applies specifically to DNS providers, TLD registries, cloud computing providers, data centres, CDN providers, managed service providers, managed security service providers, and trust service providers. If you are in one of these sectors, the CIR adds more granular technical requirements on top of the Directive’s Article 21 measures. See our implementing regulation guide and the full compliance checklist for the combined requirements.

Our subsidiary is in scope, but our parent company has ISO 27001 — can we inherit their compliance?
Partially. Group-level ISO 27001 certification does not automatically satisfy NIS2 obligations at entity level. You still need entity-specific incident notification procedures mapped to your national CSIRT, an entity-specific scope statement, and evidence that group policies and controls apply to your specific network and information systems. Management accountability under Art. 20 sits with the management body of the in-scope entity regardless of group structure.

This article provides general information only and does not constitute legal or regulatory advice. NIS2 requirements are transposed differently across EU member states, and obligations may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS 2 Directive. Article 21: Cybersecurity Risk-Management Measures. NIS-2-Directive.com
  2. Arthur Cox LLP. NIS2 & SME Guidelines: How Do They Apply and Thresholds. arthurcox.com
  3. ENISA. NIS2 Technical Implementation Guidance. enisa.europa.eu. June 2025
  4. Kiteworks. How Much Does NIS2 Compliance Really Cost? Complete Budget Guide. kiteworks.com
  5. Kymatio. NIS2 Timeline & Obligations: A CISO Compliance Roadmap. kymatio.com
  6. European Commission. NIS2 Directive: Securing Network and Information Systems. digital-strategy.ec.europa.eu
