Let's cut it
The NIS 2 Directive transposition deadline was October 2024. Most EU member states have either transposed it into national law or are in the final stages of doing so. Enforcement mechanisms are being set up. Regulatory bodies are staffing up. Supervisory frameworks are going live.
And yet, when I talk to CISOs, compliance leads, and IT managers across Europe, the conversation almost always sounds the same:
“We know NIS 2 applies to us. We’ve read the directive. But we haven’t actually started implementing.”
If that’s you, this article is your wake-up call. And your solution.
The gap nobody talks about
Here’s the thing about NIS 2: it’s a directive, not a manual.
It tells you WHAT you need to achieve. It does NOT tell you HOW to get there. And “how” is where most organisations are completely stuck.
You’ve got 50+ pages of legal text. You understand the scope, the sectors, the reporting obligations. But when Monday morning comes and you need to actually build a governance framework, run a risk assessment that satisfies Article 21, set up incident response with 24-hour early warning and 72-hour notification timelines, and document your supply chain security measures…
Where do you start?
That gap, between understanding the directive and implementing it, is exactly where professionals get stuck for months. And months is time you don’t have.
What makes NIS 2 different from everything else you’ve done
If you’ve worked with ISO 27001, GDPR, or other security frameworks, you might think NIS 2 is just another compliance checkbox. It’s not. Here’s why:
- Personal liability for management. NIS 2 holds senior management personally accountable. Not the organisation. You. If you’re the CISO or the compliance lead, the finger points at you when things go wrong.
- Mandatory incident reporting with hard timelines. 24 hours for an early warning. 72 hours for a full notification. No flexibility, no “we’ll get back to you next week.”
- Supply chain security is not optional. You can’t just say “we trust our vendors.” You need documented assessments, contractual obligations, and monitoring.
- Fines that hurt. Up to €10 million or 2% of global annual turnover for essential entities. And your organisation can be publicly named.
- Cross-border obligations. If you operate across EU member states, you’re dealing with multiple national implementations of the same directive. Complexity multiplied.
ISO 27001 is a great foundation. But it doesn’t cover NIS 2’s mandatory reporting timelines, its sector-specific requirements, or its management accountability provisions. You need the NIS 2-specific playbook.
The 5 questions your regulator will ask
When your national authority comes knocking, and they will, here’s what they’ll want to see:
- Governance: Do you have a cybersecurity governance framework with clear roles, responsibilities, and management oversight? Can you prove that senior management is actively involved?
- Risk management: Have you conducted a formal risk assessment? Is it documented? Is it linked to specific controls? Can you show how you prioritised?
- Incident response: Do you have a tested incident response plan? Does it meet the 24h/72h reporting obligations? Have you actually drilled it?
- Supply chain: How do you assess and manage cybersecurity risks in your supply chain? What contracts, controls, and monitoring do you have in place?
- Continuous improvement: How do you measure your cybersecurity posture? What metrics do you report? How do you test and improve over time?
If you can’t answer all five with evidence, documentation, and confidence, you have a compliance gap. And that gap has a price tag.
May 4–8: Close the gap in 5 days
This is where our NIS 2 Directive Lead Implementer course comes in.
From May 4 to 8, we’re running a live online cohort, in English, that takes you through the complete NIS 2 implementation process. Not the theory. Not the normative text. The actual methodology.
Here’s what the week looks like:
DayFocusMon, May 4NIS 2 foundations, requirements, scoping your organisation, initiating the implementation projectTue, May 5Governance structure, roles & responsibilities, asset management, risk management methodologyWed, May 6Cybersecurity controls, supply chain security, incident management, crisis management frameworksThu, May 7Business continuity, awareness & training programmes, testing, metrics & monitoring, continuous improvement
Within weeks, you’re a certified NIS 2 Directive Lead Implementer.
What you actually walk away with
Let me be specific, because “you’ll learn a lot” is not a value proposition:
- A complete implementation roadmap you can present to your board on Monday morning. Not “notes from a training,” but a structured plan with phases, milestones, and deliverables.
- Incident response frameworks that meet NIS 2’s mandatory 24h/72h reporting timelines. Documented, tested, defensible.
- A risk assessment methodology built around real-world scenarios, not textbook examples. You’ll know how to assess, prioritise, and document risks in a way that satisfies auditors.
- Supply chain security approaches that go beyond “our vendors signed an NDA.” Actual assessment frameworks, contractual requirements, and ongoing monitoring.
- The PECB Certified NIS 2 Directive Lead Implementer credential , recognised across Europe, and backed by our Certified or Refunded guarantee.
- The kind that comes from knowing exactly what you’re doing, not guessing.
Why this course is different
There are other NIS 2 courses out there. Most of them are taught by trainers who read slides about the directive. That’s not what happens here.
I’m a practicing CISO. I run NIS 2 implementations for organisations across Europe. When I teach incident response, it’s because I’ve built incident response programmes. When I teach risk management, it’s because I’ve sat in front of auditors and defended risk assessments. The examples in this course are real. The methodology is tested. The war stories are mine.
This is not a theoretical exercise. It’s a compressed, intensive transfer of implementation know-how from someone who does this work every day.
And if you don’t pass the exam? We refund you. That’s our Certified or Refunded guarantee. No fine print. No conditions beyond completing the course and sitting the exam.
Is this for you?
This course is built for professionals who are done reading about NIS 2 and ready to implement it:
- CISOs and security managers leading (or about to lead) NIS 2 compliance projects
- GRC and compliance officers tasked with translating the directive into operational reality
- IT managers in critical infrastructure sectors, energy, transport, healthcare, digital services, and the rest of the 18 sectors now in scope
- Consultants advising clients on NIS 2 and needing the credential to back it up
- Risk managers integrating NIS 2 requirements into enterprise risk frameworks
Not the right fit? If you’re looking for a high-level introduction to what NIS 2 is and who it applies to, our NIS 2 Foundation course is the better starting point. The Lead Implementer track assumes you’re past the “what” and ready for the “how.”
Secure your seat
NIS 2 Directive Lead Implementer
May 4–8, 2025 | Live Online | English
PECB Certification Exam Included | 31 CPD Credits
Certified or Refunded Guarantee
Seats are limited. We keep cohorts small to ensure real interaction, real questions, and real answers.
