The NIS2 Gap Assessment evaluates your organisation's cybersecurity maturity against the ten security measure categories defined in Article 21(2) of the NIS2 Directive. Each category is represented as an assessment pillar containing targeted questions that measure your implementation maturity on a 0–4 scale.

The 10 Assessment Pillars

Each pillar maps directly to a requirement in Article 21(2)(a) through (j). The assessment covers every aspect that national competent authorities may evaluate during supervision.

Pillar 1: Risk Analysis and Information System Security Policies — Art. 21(2)(a)

This pillar assesses whether your organisation has established and maintains comprehensive risk analysis processes and information system security policies. Questions cover:

  • Formal risk assessment methodology documented and approved by management
  • Regular risk assessments performed (at least annually or upon significant change)
  • Risk treatment plans with assigned owners and deadlines
  • Information security policy approved by management body
  • Policy review cycle and version control
  • Risk appetite and acceptance criteria formally defined
  • Asset inventory and classification scheme

Pillar 2: Incident Handling — Art. 21(2)(b)

Evaluates your incident detection, response, and reporting capabilities:

  • Incident response plan documented and tested
  • Detection capabilities (SIEM, IDS/IPS, EDR, log monitoring)
  • Incident classification and severity matrix
  • Escalation procedures and communication plans
  • Post-incident review and lessons-learned process
  • NIS2 notification procedures (24h/72h/30-day compliance)
  • Evidence preservation and forensic readiness

Pillar 3: Business Continuity and Crisis Management — Art. 21(2)(c)

Assesses resilience planning and crisis management capabilities:

  • Business impact analysis (BIA) performed and current
  • Business continuity plans for critical functions
  • Disaster recovery plans with defined RTOs and RPOs
  • Backup strategy and regular restoration testing
  • Crisis management team and communication protocols
  • Regular BCP/DRP testing (tabletop and live exercises)
  • Alternative processing arrangements

Pillar 4: Supply Chain Security — Art. 21(2)(d)

Reviews how your organisation manages security risks in the supply chain:

  • Supplier security assessment process
  • Contractual security requirements for suppliers
  • Ongoing monitoring of supplier security posture
  • Critical supplier identification and dependency mapping
  • Incident notification clauses in supplier contracts
  • Supply chain risk assessment and mitigation
  • Supplier access management and segmentation

Pillar 5: Network and Information Systems Security — Art. 21(2)(e)

Evaluates technical security of network and information systems:

  • Network segmentation and architecture security
  • Vulnerability management and patching process
  • Secure configuration baselines (hardening)
  • Security monitoring and logging
  • Acquisition, development, and maintenance security
  • Vulnerability disclosure and handling procedures
  • Penetration testing programme

Pillar 6: Policies and Procedures for Assessing Effectiveness — Art. 21(2)(f)

Assesses how your organisation measures and evaluates its security programme:

  • Security KPIs and metrics programme
  • Regular security assessments and audits
  • Management review of security effectiveness
  • Compliance monitoring processes
  • Continuous improvement framework
  • Benchmarking against industry standards

Pillar 7: Basic Cyber Hygiene and Training — Art. 21(2)(g)

Reviews fundamental cybersecurity practices and awareness programmes:

  • Security awareness training programme for all staff
  • Management body cybersecurity training (Art. 20 requirement)
  • Phishing simulation and testing
  • Acceptable use policies
  • Password/authentication policies
  • Removable media controls
  • Clean desk and clear screen policies

Pillar 8: Cryptography and Encryption — Art. 21(2)(h)

Evaluates the use of cryptographic controls:

  • Cryptography policy and approved algorithms
  • Encryption of data at rest and in transit
  • Key management procedures (generation, storage, rotation, destruction)
  • Certificate management
  • End-to-end encryption for sensitive communications
  • Crypto agility and migration readiness

Pillar 9: Human Resources Security and Access Control — Art. 21(2)(i)

Assesses people-related security controls and access management:

  • Pre-employment screening and vetting
  • Security responsibilities in job descriptions
  • Joiner/mover/leaver processes
  • Access control policy (need-to-know, least privilege)
  • Privileged access management
  • Regular access reviews and recertification
  • Identity and access management (IAM) system

Pillar 10: Multi-Factor Authentication and Continuous Monitoring — Art. 21(2)(j)

Reviews advanced authentication and monitoring capabilities:

  • MFA deployed for all remote access and privileged accounts
  • MFA for critical application access
  • Continuous authentication mechanisms
  • Secured voice, video, and text communications
  • Secured emergency communication systems
  • Real-time security monitoring and alerting
  • Security operations centre (SOC) or equivalent capability

Maturity Scoring Scale

Each question in the assessment is scored on the following 0–4 maturity scale:

ScoreLevelDescription
0Not ImplementedNo controls, processes, or documentation exist for this area. The organisation has not addressed this requirement.
1InitialAd-hoc or reactive measures exist. Some awareness of the requirement but no formal processes. Efforts are inconsistent and undocumented.
2DevelopingBasic processes are being established. Some documentation exists but practices are not yet consistently applied across the organisation.
3DefinedFormal, documented processes are in place and consistently followed. Policies are approved and communicated. Regular reviews occur.
4OptimisedMature, continuously improving processes. Metrics-driven management. Regular testing, review, and enhancement. Industry best practices adopted.

How to Complete the Assessment

Step 1: Select a Pillar

Navigate to the Gap Assessment page from the NIS2 module. Use the pillar navigation panel on the left to select the pillar you want to assess. Pillars are labelled (a) through (j) matching the Article 21(2) references. A progress indicator shows completion status for each pillar.

Step 2: Answer Each Question

For each question within the selected pillar, select a maturity score from 0 to 4 using the radio buttons or score selector. Read the question carefully and consider the full description of each maturity level before selecting your score.

Step 3: Add Evidence and Notes

For each question, you can optionally add notes or evidence references to support your chosen score. This is strongly recommended for scores of 3 or 4, as you may need to demonstrate these claims during an audit or supervisory review.

Step 4: Auto-Save

Your responses are automatically saved as you progress through the assessment. You do not need to click a save button. You can leave and return to the assessment at any time without losing progress.

Step 5: Navigate Between Pillars

Use the pillar navigation panel to move between pillars. Complete all 10 pillars for a full assessment. The navigation shows which pillars are complete, in progress, or not started.

Step 6: Review Results

Once all pillars are complete, navigate to the Results page to see your overall compliance score and detailed breakdown.

💡
You do not need to complete all pillars in one session. The auto-save feature preserves your progress. Consider assigning different pillars to subject matter experts within your organisation for more accurate scoring.

Scoring Formula

The overall NIS2 compliance score is calculated using a weighted average:

  • Each pillar's score is the average of all question scores within that pillar (0–4 scale)
  • Pillar scores are converted to percentages: (pillar average / 4) x 100
  • The overall score is the weighted average of all pillar percentages
  • By default, all pillars are equally weighted (10% each)

Results Page

The results page provides a comprehensive view of your assessment outcome:

Overall Score Ring

A large ring chart displays your aggregate NIS2 compliance score. The ring is colour-coded using the same thresholds as the dashboard (red/orange/yellow/green).

Pillar Score Bars

Horizontal bar charts show the score for each of the 10 pillars, allowing quick visual comparison. Bars are colour-coded by maturity level. Hover over a bar to see the exact score and question count.

Detailed Breakdown

Expand any pillar to see individual question scores, your notes, and evidence references. This view helps identify specific areas needing improvement.

Remediation Roadmap

The system automatically generates a remediation roadmap for any questions or pillars scoring below 3 (Defined). The roadmap includes:

  • Priority ranking — items scored 0 (Not Implemented) are flagged as critical priority, followed by scores of 1 (high) and 2 (medium)
  • Recommended actions — specific steps to improve maturity for each low-scoring area
  • Target dates — suggested timelines based on priority level
  • Responsible party — assign an owner for each remediation action
  • Status tracking — mark items as Not Started, In Progress, or Complete
⚠️
The remediation roadmap is generated based on your self-assessment scores. Ensure scores are honest and evidence-based. Inflating scores will result in an inaccurate roadmap and potential gaps during supervisory reviews.
ℹ️
Re-running the gap assessment after completing remediation actions will update your compliance score and regenerate the roadmap. It is recommended to reassess at least quarterly or after significant remediation efforts.