What is a NIS2 gap analysis?
A NIS2 gap analysis is a structured comparison of your current cybersecurity measures against the ten mandatory requirements set out in NIS2 Article 21(2). For each requirement, you assess whether a control is:
Fully implemented — the control exists, is documented, and is operating effectively.
Partially implemented — some measures are in place but incomplete or undocumented.
Not implemented — no relevant control exists.
The result is a gap report showing where you comply and where you have work to do. It is the starting point for a NIS2 compliance programme.
Gap analysis vs risk assessment — what is the difference?
These two activities are related but distinct. Article 21(2)(a) names risk analysis explicitly; a gap analysis is not named in the text, but Article 21(1) requires measures that are appropriate and proportionate, and Article 21(4) requires corrective action where an entity finds it does not comply with the measures in Article 21(2). You cannot show either without knowing which measures are in place.
| Dimension | Gap Analysis | Risk Assessment |
|---|---|---|
| Question it answers | Which required controls do we have or lack? | What could go wrong, how likely is it, and how severe would it be? |
| Reference point | Fixed list of NIS2 Article 21(2) requirements | Your specific assets, threat landscape, and operating environment |
| Output | Compliance status per control (yes / partial / no) | Prioritised risk register with likelihood, impact, and treatment decisions |
| NIS2 obligation | Implied: Article 21(1) (appropriate and proportionate measures) and Article 21(4) (corrective action on non-compliance) | Required: Article 21(2)(a) (policies on risk analysis and information system security) |
| Frequency | NIS2 sets no fixed interval; annual review plus re-assessment after significant change is common practice | NIS2 sets no fixed interval; annual review plus re-assessment after significant change is common practice |
| Who does it inform? | Management reporting, board oversight | Security teams, operations, procurement |
How Open Risk Register supports both activities
Scope your assessment
Define the system, process, or organisation you are assessing. This gives your risk and gap analysis a clear boundary — essential for NIS2 documentation.
Identify threats and vulnerabilities
Work through the NIST SP 800-30 Rev. 1 catalogue of threat sources (Appendix D) and threat events (Appendix E). Each threat maps to one or more NIS2 Article 21(2) security measures.
Document existing controls
For each identified threat, record whether a control already exists. This data doubles as your gap analysis input — tracking which Article 21 measures are covered.
Score likelihood and impact
Score each risk on a structured 5-point scale. Residual risk after existing controls gives you a prioritised list of gaps to address.
Produce your risk register
The output is a structured risk register showing each risk, its score, and the relevant Article 21 measure — ready for management reporting and audit.
Export and document
Export as JSON for your records or print a formatted PDF report. Compliance is demonstrated with documented evidence, so keep each export, with its date and scope, as part of your assessment record.
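The six steps above, carried through end to end, as an added example written for this page (it is not Open Risk Register's own code and does not reproduce its scoring). It scopes an assessment, records threats mapped to Article 21(2) points (a) to (j), attaches existing controls with an implementation status, scores likelihood and impact on a 5-point scale, derives residual risk, builds a prioritised register, derives the per-measure gap status from the same data, and exports JSON. The control reduction factors, rating bands, the rule that controls do not stack, and the three sample risks with their control names are all assumptions constructed for the example.

```python
"""Added example: risk register that yields a NIS2 Article 21(2) gap analysis.

Illustrative code for this page, not Open Risk Register's implementation.
Reduction factors, rating bands and sample data are assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field, asdict

# NIS2 Article 21(2), points (a)-(j), abbreviated titles.
ARTICLE_21_2 = {
    "a": "Risk analysis and information system security policies",
    "b": "Incident handling",
    "c": "Business continuity, backups, disaster recovery, crisis management",
    "d": "Supply chain security",
    "e": "Secure acquisition, development, maintenance, vulnerability handling",
    "f": "Policies to assess effectiveness of risk-management measures",
    "g": "Basic cyber hygiene and cybersecurity training",
    "h": "Policies on the use of cryptography and encryption",
    "i": "Human resources security, access control, asset management",
    "j": "Multi-factor/continuous authentication, secured communications",
}
SCALE = range(1, 6)                                  # 5-point scale
REDUCTION = {"full": 0.75, "partial": 0.40, "none": 0.0}  # assumed
BANDS = ((15, "high"), (8, "moderate"), (0, "low"))       # assumed, score 1-25


@dataclass
class Control:
    name: str
    measure: str   # Article 21(2) point this control implements
    status: str    # "full" | "partial" | "none"


@dataclass
class Risk:
    id: str
    threat_event: str      # e.g. a NIST SP 800-30 Appendix E threat event
    measures: list[str]    # Article 21(2) points the threat maps to
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-scale scores and unknown measure points early.
        for v in (self.likelihood, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.id}: scores must be 1-5, got {v}")
        for m in self.measures + [c.measure for c in self.controls]:
            if m not in ARTICLE_21_2:
                raise ValueError(f"{self.id}: unknown Article 21(2) point {m!r}")
        for c in self.controls:
            if c.status not in REDUCTION:
                raise ValueError(f"{self.id}: bad control status {c.status!r}")


def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    # Assumed: controls do not stack; the strongest one sets the reduction.
    best = max((REDUCTION[c.status] for c in r.controls), default=0.0)
    return round(inherent_score(r) * (1 - best), 1)


def rating(score: float) -> str:
    return next(label for floor, label in BANDS if score >= floor)


def gap_analysis(risks: list[Risk]) -> dict[str, dict]:
    """Status per Article 21(2) point, derived from the recorded controls."""
    out = {}
    for point, title in ARTICLE_21_2.items():
        mapped = [r for r in risks if point in r.measures]
        controls = [c for r in risks for c in r.controls if c.measure == point]
        if not mapped:
            status = "not assessed"        # no threat in scope touches it
        elif not controls or all(c.status == "none" for c in controls):
            status = "not implemented"
        elif all(c.status == "full" for c in controls):
            status = "fully implemented"
        else:
            status = "partially implemented"
        out[point] = {"measure": title, "status": status,
                      "risks": [r.id for r in mapped],
                      "controls": [c.name for c in controls]}
    return out


def build_register(scope: str, risks: list[Risk]) -> dict:
    rows = [{**asdict(r), "inherent": inherent_score(r),
             "residual": residual_score(r), "rating": rating(residual_score(r))}
            for r in risks]
    rows.sort(key=lambda row: row["residual"], reverse=True)  # worst first
    return {"scope": scope, "risks": rows, "gap_analysis": gap_analysis(risks)}


def export_json(register: dict) -> str:
    return json.dumps(register, indent=2)


# Constructed sample input (hypothetical threats and controls).
SAMPLE_RISKS = [
    Risk("R1", "Ransomware encrypts production file servers", ["b", "c"], 4, 5, [
        Control("Offline backups, restore tested quarterly", "c", "full"),
        Control("Incident response playbook (draft, unexercised)", "b", "partial"),
    ]),
    Risk("R2", "Compromised supplier pushes malicious update", ["d", "e"], 3, 4),
    Risk("R3", "Credential phishing against admin accounts", ["g", "j"], 4, 4, [
        Control("MFA enforced on all admin accounts", "j", "full"),
        Control("Annual phishing awareness training", "g", "full"),
    ]),
]

if __name__ == "__main__":
    print(export_json(build_register("Customer billing platform", SAMPLE_RISKS)))
```

With the sample data the register ranks the uncontrolled supplier risk (R2, residual 12, moderate) above the two risks that already have full controls, while the gap view shows points (d) and (e) as not implemented, (b) as partial because the only control on it is a draft playbook, and points nobody mapped a threat to as not assessed rather than silently passing. That last distinction is the one worth keeping in any real tool: a measure with no evidence is a gap in the assessment, not a compliant control.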
Frequently asked questions
A NIS2 gap analysis compares your current cybersecurity measures against all ten mandatory requirements in NIS2 Article 21(2). It identifies which measures are in place, which are missing, and which are only partially implemented.
A gap analysis checks compliance against a fixed list of requirements. A risk assessment goes further: it identifies specific threats, evaluates their likelihood and impact, and prioritises risks so you know where to focus first. NIS2 Article 21(2)(a) requires risk analysis explicitly; a gap analysis is how you show the measures in Article 21(2) are in place and, under Article 21(4), where corrective action is needed. The risk assessment informs which measures to implement, and the gap analysis confirms they are in place.
Yes. Open Risk Register includes all ten NIS2 Article 21(2) security measures as part of its assessment workflow. You can document existing controls against each requirement, identify gaps, and use the risk register to prioritise remediation.
Not necessarily. Open Risk Register is primarily a risk assessment tool, but its structured workflow captures the information needed for a gap analysis as a by-product. For a standalone compliance checklist view, see the NIS2 Article 21 Checklist page.
Start your NIS2 gap analysis and risk assessment today
Free, browser-based, no account required. Your data stays on your device.
Start Assessment →