
Managed IT

NIS2 readiness without the panic

The compliance officer got an email. Nobody knew exactly what NIS2 was, including the IT vendor at the time.

A Dutch supplier to the health sector came to us saying they "had to do something with NIS2". The compliance officer didn't know how much work it was. The director didn't know if it was this month or this year.

By the numbers

6 weeks to compliance baseline


12 open findings at the baseline scan


1 open finding after implementation


The situation

NIS2 catches far more Dutch SMBs than expected in 2024: mid-sized suppliers to essential sectors (health, energy, transport, finance) and a long tail of service providers in the chain. The rule asks for concrete measures, a policy, a designated responsible person, and evidence that it actually runs.

Many organisations start too late, buy an expensive compliance tool nobody operates, or pay a consultant for a report that ends up in a drawer. This client wanted none of those three.

What we did

Quickscan in two weeks. We mapped which measures were already covered by existing systems (often more than clients think), what was missing, and what counted as acceptable risk.

The gaps were manageable: MFA missing on a handful of systems, incident logging that did not meet the notification duty, and no responsible person designated in writing. Implementation took six weeks: MFA across the board, a log pipeline producing structural evidence, and a one-page document the board signs.

No separate compliance tool was purchased; existing systems were enough.

What it delivered

After the quickscan and implementation:

- Quickscan completed in 11 working days, clear view of gaps and what was acceptable.
- Implementation in six weeks, within the original quote.
- A one-page summary for the board, plus the underlying technical documentation an inspector can ask for.
- Monthly monitoring that kept running after the quickscan, otherwise "ready" is a single point in time.
- No extra software license bought.

The board had first feared this would be a big project. It became one with an end date.

What this wasn't

Not 200 pages of report. Not a mandatory six-figure compliance platform. Not a "you are fully NIS2 compliant" stamp; that doesn't exist and we don't issue it. What it was: a defensible file that an inspector can be walked through.