Cybervize - Cybersecurity Consulting

The 6-Week NIS-2 Sprint: How to Move the Needle

Alexander Busse · April 3, 2026

The Wrong Starting Question

Most organisations begin their NIS-2 journey with the wrong question. They ask which tool to buy, which framework to adopt, which consultant to hire. All of these come too early.

The right question is simpler: Where do we actually stand, and what are our three most critical gaps?

Without an honest answer to that question, organisations end up in an 18-month project that delivers a 200-page document nobody reads. And then they face a board meeting where the CISO has to explain why, after a full year, nothing measurable has been delivered.

Six Weeks to Boardroom Clarity

The sprint approach turns that cycle into a six-week loop with a clear output.

Weeks 1-2: Gap Analysis Without PowerPoint

No slides. No predetermined answers. Instead: structured interviews with the people who carry operational responsibility. The IT lead, the data protection officer, operations management.

The goal is a real picture of the current security posture, not the aspirational version from the last audit report. Documents describe how things should work. People describe how they actually work.

Week 3: Prioritisation with a Framework

Not every item on the NIS-2 checklist carries equal weight. The formula is straightforward: risk multiplied by implementation effort. The result is a Top-5 list of the gaps with the highest leverage.

Three implemented controls beat twenty that are in progress.

Weeks 4-5: First Measures, First Evidence

Implementation starts before the concept is final. Roles are clarified: who owns which control, who produces evidence, who escalates.

Initial documentation is created. Not perfect. But solid enough to withstand an audit.

Week 6: Board Report in Two Pages

No 60-page presentation. Two pages in plain language: what was the starting point, what was achieved, what are the next steps.

Boards have limited time and low tolerance for technical jargon. Two pages land. Sixty pages get filed.

The Real Breakthrough: Visibility

NIS-2 compliance is not purely an IT project. It is a governance issue. And governance issues fail when they remain invisible.

The sprint approach delivers more than the measures that get implemented. It delivers the moment when a board, for the first time, genuinely understands where the organisation stands, what the gaps are, and what comes next.

Visibility creates trust. Trust creates budget. Budget enables execution.

Where to Start

The sprint model works when three conditions are in place:

  • Clear mandate from the top. Without backing from senior leadership, every sprint stalls in week three.
  • Experienced facilitation. The quality of the gap analysis depends entirely on the quality of the questions asked.
  • Willingness to prioritise. Organisations that try to do everything simultaneously rarely finish week six.

The first step costs nothing: an honest conversation with the three people who know most about the organisation's actual security posture. No workshop. No template. Just the conversation.