NIS-2 Implementation Directive

NIS-2 Implementation Directive – Discover your advantage through effective NIS-2 implementation.

Explore the key benefits and unique value of our comprehensive NIS-2 implementation services.

NIS-2 Implementation Directive – Comprehensive analysis of regulatory requirements.

We thoroughly assess your organization’s needs to precisely tailor the implementation process and ensure full compliance with NIS-2.

NIS-2 Implementation Directive – Strategic cybersecurity support.

We provide professional consulting and practical solutions that strengthen IT system protection and minimize the risk of incidents.

Training and team awareness building.

We organize dedicated training sessions that help employees understand NIS-2 requirements and effectively implement security best practices.

How NIS-2 Implementation Works

A step-by-step guide to the NIS-2 implementation process, helping you understand the requirements and the effective steps to achieve compliance.

Step One: Analysis and Preparation

The initial phase covers an assessment of the current security posture and the planning of the actions necessary to meet NIS-2 requirements.

Step Two: Implementation of Measures

This stage introduces the new solutions and procedures that ensure effective system protection in line with NIS-2.

Step Three: Monitoring and Support

Continuous supervision and support methods ensure ongoing compliance and protection against cyber threats.

Explore the key elements of NIS-2 implementation.

This section presents the most important aspects of the NIS-2 regulation, explaining how it supports digital security and the benefits of its implementation.

Risk Analysis and Compliance Assessment

We conduct a detailed risk analysis to align actions with NIS-2 requirements.

Support in Developing Security Policies

We assist in developing effective policies compliant with NIS-2 regulations.

Training and Awareness Raising

We organize training sessions to enhance the team’s knowledge of security requirements.

Incident Monitoring and Reporting

We provide tools for effective detection and reporting of cyber threats.

Client Testimonials and References

We present authentic client testimonials highlighting the effectiveness and professionalism of our solutions.

“Cooperation with the JDA Advisory team was crucial for the smooth implementation of NIS-2 in our company.”

Anna Kowalska

IT Security Director

“JDA Advisory demonstrated full professionalism and reliability, ensuring our complete regulatory compliance.”

Marcin Nowak

Cybersecurity Project Manager

“Thanks to JDA Advisory’s support, the NIS-2 implementation process ran smoothly and without unnecessary complications.”

Ewa Wiśniewska

Compliance Specialist

Start your NIS-2 implementation with us today.

We invite you to explore the details of NIS-2 implementation and benefit from JDA Advisory’s professional support, helping your company meet cybersecurity requirements.

Complete, consulting‑grade methodology for implementing NIS‑2, aligned with Directive (EU) 2022/2555, the expected Implementing Acts, and the 12 NIS‑2 risk‑management domains.

NIS‑2 Implementation Methodology (End‑to‑End)

Aligned with Articles 20–23 and Annex I & II of NIS‑2

Implementation follows six major phases, each with clear deliverables and milestones.

PHASE 1 — Initiation & Governance Setup

Objectives
  • Establish governance for NIS‑2 implementation.
  • Define scope, entity classification, and regulatory obligations.
  • Identify critical services, assets, and dependencies.
Key Activities
  • Appoint NIS‑2 Programme Lead and Steering Committee.
  • Determine entity type (Essential vs Important).
  • Define scope (services, ICT/OT systems, locations).
  • Identify internal/external stakeholders.
  • Approve project plan and communication plan.
Deliverables
  • NIS‑2 Programme Charter
  • Governance & RACI Matrix
  • Scope Statement
  • Stakeholder Register
Milestone

M1: NIS‑2 implementation formally launched

PHASE 2 — Gap Assessment & Regulatory Mapping

Objectives
  • Assess current maturity vs NIS‑2 Articles and 12 security domains.
  • Identify gaps in governance, risk management, incident handling, and supply chain security.
Key Activities
  • Perform NIS‑2 gap analysis across:
    • Governance & accountability
    • Risk management
    • Incident handling
    • Business continuity
    • Supply chain security
    • ICT/OT security controls
    • Logging & monitoring
    • Cryptography & data protection
  • Map existing controls to NIS‑2 requirements.
  • Identify sector‑specific obligations (energy, finance, digital services, etc.).
Deliverables
  • Gap Assessment Report
  • Regulatory Mapping Matrix
  • Prioritised Remediation Roadmap
Milestone

M2: Gap analysis completed and roadmap approved

PHASE 3 — Risk Management Framework & Core Controls

Objectives
  • Build or enhance the NIS‑2‑aligned risk management framework.
  • Implement mandatory policies, processes, and governance.
Key Activities
  • Develop/upgrade:
    • Cybersecurity Policy
    • Risk Management Methodology
    • Asset Inventory (IT/OT)
    • Change Management
    • Access Control & Identity Management
    • Logging & Monitoring Framework
    • Network & System Security Controls
    • Cryptography & Data Protection
  • Define KPIs, KRIs, and reporting dashboards.
Deliverables
  • Cybersecurity Risk Management Framework
  • Asset Inventory
  • Updated Policies & Procedures
  • Risk Assessment Methodology
Milestone

M3: Core NIS‑2 risk management framework implemented

PHASE 4 — Incident Management & Reporting

Objectives
  • Implement NIS‑2‑compliant incident classification and reporting.
  • Ensure readiness for:
    • 24h early warning
    • 72h incident notification
    • 1‑month final report
Key Activities
  • Implement:
    • Incident Management Policy
    • Incident classification (significant vs non‑significant)
    • Incident register
    • Reporting templates
    • Escalation matrix
  • Conduct incident response exercises.
Deliverables
  • Incident Management Procedure
  • Incident Classification Matrix
  • Reporting Templates
  • Exercise Reports
Milestone

M4: Incident management & reporting fully operational

PHASE 5 — Business Continuity, Crisis Management & Supply Chain Security

Objectives
  • Implement continuity and resilience controls required by NIS‑2.
  • Strengthen supply chain cybersecurity.
Key Activities
  • Develop or update:
    • Business Continuity Plans (BCP)
    • Disaster Recovery Plans (DRP)
    • Crisis Management Plan
    • Supplier risk assessment process
    • Contractual security requirements
  • Conduct continuity and crisis exercises.
Deliverables
  • BCP & DRP
  • Crisis Management Plan
  • Supplier Risk Assessment Framework
  • Updated Contract Templates
Milestone

M5: Continuity, crisis management & supply chain controls implemented

PHASE 6 — Monitoring, Audit, Training & Supervisory Readiness

Objectives
  • Ensure the organisation is fully compliant and audit‑ready.
  • Train staff and management.
Key Activities
  • Implement monitoring and measurement.
  • Conduct internal NIS‑2 audit.
  • Conduct management review.
  • Prepare evidence package for supervisory authorities.
  • Deliver training for:
    • ICT teams
    • Incident responders
    • Management
    • Procurement
Deliverables
  • Internal Audit Report
  • Management Review Minutes
  • Evidence Package
  • Training Records
Milestone

M6: NIS‑2 compliance achieved

Typical NIS‑2 Implementation Schedule (4–8 Months)

Month   Phase     Key Milestones
1       Phase 1   Governance & scope defined
1–2     Phase 2   Gap analysis + roadmap
2–4     Phase 3   Risk management framework
3–5     Phase 4   Incident management & reporting
4–6     Phase 5   Continuity & supply chain controls
6–8     Phase 6   Audit, training, supervisory readiness

Small entities: 3–4 months
Mid‑sized entities: 4–8 months
Large/complex entities: 8–14 months

NIS‑2 Implementation Checklist (Comprehensive)

Aligned with Article 21 (Risk Management Measures) and Article 23 (Incident Reporting).

1. Governance & Accountability

  • [ ] Cybersecurity governance structure defined
  • [ ] Roles and responsibilities documented
  • [ ] Management oversight documented
  • [ ] Policies reviewed annually

2. Cybersecurity Policies & Procedures

  • [ ] Information security policy
  • [ ] Acceptable use policy
  • [ ] Change management procedure
  • [ ] Secure development practices
  • [ ] OT/ICS security policies (if applicable)

3. Risk Management

  • [ ] Risk management methodology defined
  • [ ] Risk assessment performed
  • [ ] Risk register maintained
  • [ ] Mitigation measures implemented

4. Incident Handling

  • [ ] Incident response plan documented
  • [ ] Incident classification defined
  • [ ] Incident register maintained
  • [ ] 24h early warning capability
  • [ ] 72h notification capability
  • [ ] Final report capability
  • [ ] Post‑incident reviews performed
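As an added worked example (not code from the original page or from JDA Advisory), the following Python tracks the 24h early warning, 72h notification and one‑month final report deadlines listed in the Phase 4 objectives and in checklist item 4, and flags which stage is overdue or due soon. The function names, the 12‑hour "due soon" window and the use of 30 days for "one month" are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Reporting stages taken from the Phase 4 objectives / checklist item 4.
# Assumption: the 24h and 72h clocks start when the entity becomes aware of
# the significant incident; the final-report clock starts when the 72h
# incident notification is submitted ("one month" approximated as 30 days).
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)
DUE_SOON_WINDOW = timedelta(hours=12)   # assumption: alerting threshold


def reporting_deadlines(aware_at, notification_submitted_at=None):
    """Return the due time of each reporting stage as a dict."""
    deadlines = {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + NOTIFICATION,
    }
    # Until the notification is actually filed, project the final-report
    # deadline from the notification's own due time (the latest it could start).
    base = notification_submitted_at or deadlines["incident_notification"]
    deadlines["final_report"] = base + FINAL_REPORT
    return deadlines


def reporting_status(aware_at, submitted, now):
    """Classify each stage: on_time / late (filed), overdue / due_soon / pending.

    `submitted` maps a stage name to the time that report was filed.
    """
    deadlines = reporting_deadlines(aware_at, submitted.get("incident_notification"))
    status = {}
    for stage, due in deadlines.items():
        filed = submitted.get(stage)
        if filed is not None:
            status[stage] = "on_time" if filed <= due else "late"
        elif now > due:
            status[stage] = "overdue"
        elif due - now <= DUE_SOON_WINDOW:
            status[stage] = "due_soon"
        else:
            status[stage] = "pending"
    return status


if __name__ == "__main__":
    # Constructed sample incident: aware on 1 March 09:00 UTC, warning filed same day.
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    filed = {"early_warning": datetime(2024, 3, 1, 20, 0, tzinfo=timezone.utc)}
    now = datetime(2024, 3, 3, 22, 0, tzinfo=timezone.utc)
    for stage, state in reporting_status(aware, filed, now).items():
        print(f"{stage:22s} {state}")
```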

5. Business Continuity & Disaster Recovery

  • [ ] BCP and DRP documented
  • [ ] RTO/RPO defined
  • [ ] Backup policy implemented
  • [ ] Restore tests performed
  • [ ] Crisis communication plan exists

6. Supply Chain Security

  • [ ] Supplier inventory maintained
  • [ ] Supplier risk assessments performed
  • [ ] Security requirements included in contracts
  • [ ] Sub‑outsourcing controls defined
  • [ ] Monitoring of critical suppliers performed

7. Network & Information System Security

  • [ ] Network segmentation implemented
  • [ ] Firewalls and filtering in place
  • [ ] Secure configuration baselines defined
  • [ ] OT/ICS network separation (if applicable)
  • [ ] Remote access secured

8. Access Control & Identity Management

  • [ ] MFA enforced
  • [ ] Least privilege principle applied
  • [ ] Joiner/mover/leaver process implemented
  • [ ] Privileged access management in place
  • [ ] Periodic access reviews performed

9. Cryptography & Data Protection

  • [ ] Encryption in transit
  • [ ] Encryption at rest
  • [ ] Key management procedures defined
  • [ ] Data classification implemented
  • [ ] GDPR alignment verified

10. Vulnerability & Patch Management

  • [ ] Vulnerability scanning performed
  • [ ] Patch management process defined
  • [ ] Critical patches applied within SLA
  • [ ] Asset inventory maintained
  • [ ] Secure configuration monitoring in place

11. Monitoring, Logging & Detection

  • [ ] Logging policy defined
  • [ ] SIEM or log aggregation in place
  • [ ] Log retention meets regulatory requirements
  • [ ] Alerting and monitoring procedures defined
  • [ ] Detection capabilities tested

12. Human Resources Security

  • [ ] Security awareness training conducted
  • [ ] Role‑based training for privileged users
  • [ ] Background checks performed (where appropriate)

13. Physical Security

  • [ ] Access to critical areas controlled
  • [ ] CCTV or monitoring in place
  • [ ] Visitor logs maintained
  • [ ] Environmental controls implemented

14. Documentation & Evidence

  • [ ] Supervisory reporting prepared
  • [ ] Policies and procedures documented
  • [ ] Evidence of control operation retained
  • [ ] Audit trails maintained