NIS 2 gap analysis with ISMS Copilot
Settle essential-versus-important scoping, then run an Article 21 measure-by-measure delta.
Scoping + Art. 21 gap analysis for NIS 2
Most NIS 2 confusion is a scoping problem before it is a controls problem. ISMS Copilot first determines whether the Directive applies and whether you are an essential or important entity, since that drives the supervisory regime and penalty exposure. It then runs a delta against the ten risk-management measures in Article 21(2): risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in acquisition and development, policies to assess effectiveness, basic cyber hygiene and training, cryptography, human resources and access control, and multi-factor authentication. It separately checks the Article 23 incident-reporting obligations: the 24-hour early warning, the 72-hour incident notification, and the one-month final report. The output is a measure-by-measure remediation plan plus a cross-map to ISO 27001 controls so existing work counts.
Why teams use ISMS Copilot for NIS 2 gap analysis
- Resolve essential-versus-important entity classification before scoping controls
- Get a delta against each of the ten Article 21(2) risk-management measures
- Map the Article 23 reporting clock — 24-hour, 72-hour, one-month — to your incident process
- Reuse existing ISO 27001 evidence through a control cross-map
Free interactive NIS 2 applicability checker
Since NIS 2 is a scoping problem first, settle it before the gap work: the free NIS 2 Applicability Checker runs the Article 2/3 essential-versus-important classification deterministically, with national-transposition data, in a few questions — the precursor to the Article 21 delta above.
Frequently Asked Questions
How does it decide if I am an essential or important entity?
ISMS Copilot asks about your sector (Annex I versus Annex II), size, and the role you play in critical supply, then applies the Directive's classification logic. National transposition can vary, so it flags where to confirm with your competent authority.
Does it cover the Article 23 reporting deadlines?
Yes. The gap analysis checks whether your incident process can meet the 24-hour early warning, 72-hour notification, and one-month final report obligations to the CSIRT or competent authority.
Can I reuse my ISO 27001 work?
Yes. Article 21 measures map heavily onto ISO 27001 Annex A controls. ISMS Copilot cross-maps your existing ISMS so you only remediate genuine NIS 2 gaps.
