What is a GAP Analysis?
A GAP analysis is a systematic comparison between where your organisation is today (current state) and where it needs to be (target state) — in this case, NIS2 requirements. The result shows which “gaps” exist and need to be addressed.
It’s the first step towards NIS2 compliance: before you can plan the journey, you need to know where you’re starting from.
The Value: A well-executed GAP analysis gives management a clear picture of the scope, helps prioritise efforts, and creates a foundation for budget and resource planning.
Before You Begin
Preparations:
- Secure management buy-in — The GAP analysis takes time and requires participation from multiple stakeholders. Secure a mandate first.
- Define scope — Which parts of the organisation are covered by NIS2? Which systems and processes?
- Gather documentation — Existing policies, procedures, risk assessments, incident reports, etc.
- Identify stakeholders — Who needs to be involved? IT, security, legal, operations, management.
- Choose methodology — Self-assessment, workshops, interviews, or a combination?
The 6-Step Process
1. Map NIS2 Requirements: Start by understanding what NIS2 actually requires. Article 21(2) lists ten measures: risk analysis and information system security; incident handling; business continuity (backup, disaster recovery, crisis management); supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; assessing the effectiveness of risk-management measures; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication together with secured communications.
2. Document Current State: For each requirement area, ask: What do we have today? Are there documented processes? Implemented technical controls? How mature are we? Use a scale (e.g. 0-4) to assess the maturity level.
3. Identify GAPs: Compare the current state with the requirements. Where are the gaps? Categorise each one: completely missing, partially implemented, exists but not documented, exists and documented.
4. Prioritise Actions: Not all gaps are equally critical. Prioritise based on risk level (what are the consequences?), complexity (how difficult is it to address?), dependencies (does something else need to be completed first?) and resource requirements (what is needed?).
5. Create Action Plan: Transform the GAP analysis into concrete activities. Define what needs to be done, who is responsible, when it should be completed, what resources are needed and how progress is followed up.
6. Monitor and Report: The GAP analysis is not a one-time project. Follow up regularly, update status and report to management. Use it as a foundation for continuous improvement.
NIS2 Article 21 — Requirement Areas
Here are the ten measures from NIS2 Article 21(2) that your GAP analysis should cover:
| # | Area | Article 21(2) | What it means |
|---|---|---|---|
| 1 | Risk Analysis and Information System Security | (a) | Policies on risk analysis and information system security |
| 2 | Incident Handling | (b) | Processes for detecting, handling and reporting security incidents |
| 3 | Business Continuity | (c) | Backup management, disaster recovery, crisis management |
| 4 | Supply Chain Security | (d) | Security aspects of relationships with direct suppliers and service providers |
| 5 | Network and Information System Security | (e) | Security in acquisition, development and maintenance, including vulnerability handling and disclosure |
| 6 | Effectiveness Assessment | (f) | Policies and procedures to assess the effectiveness of risk-management measures |
| 7 | Cyber Hygiene and Training | (g) | Basic cyber hygiene practices and cybersecurity training |
| 8 | Cryptography | (h) | Policies and procedures on the use of cryptography and, where appropriate, encryption |
| 9 | Human Resources, Access Control and Asset Management | (i) | HR security, access control policies, asset management |
| 10 | Authentication and Secured Communications | (j) | Multi-factor or continuous authentication; secured voice, video, text and emergency communications |
Maturity Scale
Use a maturity scale to assess current state per requirement area:
Level 0: Nothing is in place. The area is not addressed.
Level 1: Ad hoc activities exist. No structure or documentation.
Level 2: Processes are documented but not consistently followed.
Level 3: Processes are implemented and followed consistently.
Level 4: Optimised — Processes are measured, continuously improved, and integrated into operations.
Target level for NIS2: At least level 3 across all requirement areas.
GAP Analysis Template
| Requirement Area | Current State (0-4) | Current State Description | Action | Priority | Deadline |
|---|---|---|---|---|---|
| Risk Management | 2 | Policies exist, risk register missing | Implement risk register | High | Q1 2026 |
| Incident Handling | 1 | Ad hoc process, no documentation | Document process, create templates | Critical | Immediate |
| Business Continuity | 3 | Plan exists, tested in the last year | Close minor gaps | Medium | Q2 2026 |
| … | … | … | … | … | … |
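Steps 2 to 4 of the process and the template rows above can be worked mechanically once each area has a maturity level, a risk rating, a complexity rating and its dependencies. The script below is an added example, not code from this page or from Securapilot: it computes the gap against the target level 3, assigns the page's four gap categories, scores each gap by risk, and orders the resulting actions so that a dependency is always scheduled before the action that needs it. The area names, ratings, dependencies and the Critical/High/Medium/Low thresholds are constructed for illustration and are not assessment results.

```python
"""Gap scoring and dependency-aware ordering for a NIS2 GAP analysis.

Added example (not from the original page or Securapilot). SAMPLE is
constructed illustration data; the category mapping and priority
thresholds are assumptions, not part of NIS2.
"""
from dataclasses import dataclass
from graphlib import CycleError, TopologicalSorter

TARGET_LEVEL = 3  # the page's target: at least level 3 in every area

# Assumed mapping from the 0-4 maturity scale to the page's gap categories.
CATEGORY_BY_LEVEL = {
    0: "Completely missing",
    1: "Exists but not documented",
    2: "Partially implemented",
    3: "Exists and documented",
    4: "Exists and documented",
}


@dataclass(frozen=True)
class AreaAssessment:
    area: str
    current: int                       # maturity level 0-4
    risk: int                          # 1 (minor) .. 5 (severe) consequence of failure
    complexity: int                    # 1 (easy) .. 5 (hard) to remediate
    depends_on: tuple[str, ...] = ()   # areas whose actions must finish first

    def __post_init__(self):
        if not 0 <= self.current <= 4:
            raise ValueError(f"{self.area}: maturity must be 0-4")
        if not (1 <= self.risk <= 5 and 1 <= self.complexity <= 5):
            raise ValueError(f"{self.area}: risk and complexity must be 1-5")


def gap_size(a: AreaAssessment) -> int:
    """Levels still to climb to reach TARGET_LEVEL; 0 when already there."""
    return max(0, TARGET_LEVEL - a.current)


def score(a: AreaAssessment) -> int:
    """Risk-weighted gap: a large gap in a high-risk area ranks first."""
    return gap_size(a) * a.risk


def priority_label(s: int) -> str:
    """Assumed thresholds for the template's priority column."""
    if s >= 8:
        return "Critical"
    if s >= 4:
        return "High"
    if s >= 2:
        return "Medium"
    return "Low" if s > 0 else "None"


def build_plan(assessments: list[AreaAssessment]) -> list[dict]:
    """Open actions ordered so dependencies come first; among the actions that
    are ready, highest score first, then lowest complexity (quick wins).
    Raises CycleError on circular dependencies, ValueError on unknown ones."""
    by_name = {a.area: a for a in assessments}
    open_areas = {n for n, a in by_name.items() if gap_size(a) > 0}
    graph = {}
    for n in open_areas:
        preds = set()
        for d in by_name[n].depends_on:
            if d not in by_name:
                raise ValueError(f"{n}: unknown dependency {d!r}")
            if d in open_areas:          # a closed dependency imposes no ordering
                preds.add(d)
        graph[n] = preds
    ts = TopologicalSorter(graph)
    ts.prepare()                         # detects cycles up front
    ready = set(ts.get_ready())
    plan = []
    while ready:
        nxt = min(ready, key=lambda n: (-score(by_name[n]), by_name[n].complexity, n))
        ready.remove(nxt)
        a = by_name[nxt]
        plan.append({"area": a.area, "current": a.current, "gap": gap_size(a),
                     "category": CATEGORY_BY_LEVEL[a.current], "score": score(a),
                     "priority": priority_label(score(a)),
                     "after": sorted(graph[nxt])})
        ts.done(nxt)
        ready.update(ts.get_ready())     # actions unblocked by this one
    return plan


# Constructed sample rows, not real assessment data.
SAMPLE = [
    AreaAssessment("Risk Management", current=2, risk=4, complexity=2),
    AreaAssessment("Incident Handling", current=1, risk=5, complexity=3),
    AreaAssessment("Business Continuity", current=3, risk=4, complexity=4),
    AreaAssessment("Supply Chain Security", current=0, risk=3, complexity=4,
                   depends_on=("Risk Management", "Business Continuity")),
    AreaAssessment("Cryptography", current=1, risk=2, complexity=3),
]

if __name__ == "__main__":
    for i, row in enumerate(build_plan(SAMPLE), 1):
        print(f"{i}. {row['area']:<22} level {row['current']} gap {row['gap']} "
              f"{row['priority']:<8} ({row['category']}) after {row['after'] or '-'}")
```

Note what the ordering does with the sample data: Supply Chain Security scores 9 (Critical) but is scheduled after Risk Management (score 4, High) because it depends on it, while Business Continuity is already at level 3 and therefore neither appears in the plan nor blocks anything. A cycle in the dependencies raises rather than silently producing an order, which is the failure mode you want surfaced before the plan reaches management.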
Example Gaps by Area
Risk Management — Typical Gaps
- No documented risk methodology
- Risk register missing or outdated
- Risk assessments not conducted regularly
- Management not involved in risk acceptance
Incident Handling — Typical Gaps
- No definition of “significant incident”
- Contact paths to the national CSIRT or competent authority missing
- No process for meeting the Article 23 reporting deadlines (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month)
- Reporting templates missing
- On-call arrangements missing
- Processes have not been tested
Supply Chain Security — Typical Gaps
- Critical suppliers not identified
- Security requirements not included in contracts
- No regular follow-up
- Sub-suppliers not controlled
From GAP to Action
Action Plan Contents:
For each identified gap, define:
- Action: What specifically needs to be done?
- Owner: Who owns the activity?
- Deadline: When should it be completed?
- Resources: What’s needed (time, money, expertise)?
- Dependencies: Does something else need to be completed first?
- Status: Not started, in progress, completed
- Verification: How do we know it’s done?
Common Mistakes
- Just ticking "yes/no" without understanding the maturity level. Depth matters.
- Conducting the analysis without management support. Results become shelf-ware.
- Doing the GAP analysis once and not following up. It's a continuous process.
- Identifying gaps without securing resources to address them.
How Securapilot Can Help
Securapilot’s GAP analysis module automates and streamlines the process:
- Built-in Requirement Frameworks — All NIS2 requirements pre-configured
- Guided Assessment — Step-by-step through all areas
- Automatic Prioritisation — Based on risk and complexity
- Action Plan Generator — From gaps to activities automatically
- Dashboards — Visualisation of current state and progress
- Export Function — Reports for management and audit
Book a demo and see how we can help you conduct an effective GAP analysis.
Frequently asked questions
How long does a GAP analysis take?
A basic GAP analysis can be completed in 2-4 weeks depending on the organisation's size and complexity. A deeper analysis with interviews and document reviews takes longer.
Can we conduct the GAP analysis ourselves?
Yes, smaller organisations with internal expertise can conduct the analysis themselves. Larger organisations or those lacking internal expertise often benefit from external assistance to ensure objectivity and completeness.
What does a GAP analysis cost?
Costs vary significantly. Internal analysis primarily costs staff time. External consultants typically charge £40-150k depending on scope. Automated tools like Securapilot can reduce both cost and time.
How often should the GAP analysis be updated?
Conduct an initial GAP analysis and then update annually or following major changes in operations, IT environment, or regulations. Use the results for continuous improvement.