The Executable NIS-2 Roadmap: Better Than the Most Beautiful Presentation

The most beautiful NIS-2 roadmap is the one nobody implements. I say this directly because it is a real problem in consulting practice: elaborate documents that end up in a drawer after the results presentation.
This is not a failure of the people reading them. It is a failure of the roadmaps themselves.
What Makes Roadmaps Hard to Implement
Roadmaps fail because of three structural weaknesses.
First: too many measures without a clear sequence. When everything needs to happen simultaneously, nothing happens. The team has no guidance on which task comes next and starts a little bit everywhere, which means nowhere properly.
Second: measures without ownership. A list of tasks without assigned owners is a wish list. It will be ignored until someone follows up.
Third: effort that doesn't fit daily operations. Many roadmaps implicitly assume that NIS-2 is a focused project receiving 20-30% of the team's capacity. In the reality of mid-sized companies, this is rarely possible. A roadmap that does not account for this plans past reality.
What Makes a Roadmap Executable
A roadmap that is actually used has three characteristics:
Clear Temporal Sequencing
30-60-90 days. What happens in month 1? Month 2? After that? This sequencing forces prioritization and creates orientation.
The first 30 days are critical: they must demonstrate that movement is possible. Early wins maintain momentum.
Ownership Per Measure
Every measure has a name attached. Not "IT" or "compliance," but a person who is accountable in a status meeting.
This is uncomfortable. It is nevertheless necessary. A measure without an owner is a measure nobody prioritizes.
Realistic Capacity Planning
How much time does each measure require? How much internal capacity is available? What gets external support?
These questions must be answered in the assessment, not during implementation. Discovering insufficient capacity only during implementation costs time and momentum.
The 30-60-90 Day Rhythm in Practice
The first step for most companies is clarifying responsibilities and checking which NIS-2 requirements are already met. This is realistically achievable in 30 days.
In the next 30 days, work begins on the critical gaps - those with the highest risk or greatest evidence requirements. In parallel, a first version of the incident notification process is created.
In month three, results are consolidated, evidence structures are built, and the roadmap for ongoing operations is prepared.
What a Good Assessment Delivers
A structured assessment produces a roadmap that meets exactly these requirements. Prioritized measures, clear ownership, realistic effort - and a results presentation that management can actually act on.
The goal is not a beautiful document. The goal is that someone starts implementation the Monday after the presentation.
Conclusion
The best roadmap is not the most comprehensive. It is the one that is executable. This means: prioritized, with ownership, with realistic capacity planning, and clear enough that nobody needs to guess what to do next.
