
Gap assessment

The gap assessment measures where you stand against the NIS2 Article 21 cybersecurity risk-management measures and turns the result into a prioritised plan.

Screenshot: the compliance dashboard after a gap assessment, showing the overall score and the per-control-area breakdown.

What’s assessed

Article 21(2) sets out the baseline measures every in-scope entity must take: policies on risk analysis and information-system security; incident handling; business continuity (including backup management and disaster recovery) and crisis management; supply-chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human-resources security, access control and asset management; and multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

Reglyze breaks these into controls and sub-controls and scores each on two axes:

  • Implementation — is the measure actually in place?
  • Documentation — can you evidence it?

National transposition

NIS2 is an EU directive: it applies through each member state’s own law, and several national authorities publish a control framework that maps onto the Article 21 measures. Reglyze scores you against the Article 21(2) baseline — the common core — so the same evidence carries over to the framework that applies to you:

  • France — ANSSI’s ReCyF (Référentiel Cyber France): mandatory security objectives (the “what”) plus recommended measures (the “how”) that are a recognised way to demonstrate compliance to ANSSI.
  • Germany — the BSI under the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), with IT-Grundschutz as the established methodology.
  • Italy — ACN (Agenzia per la Cybersicurezza Nazionale) under D.Lgs. 138/2024, which sets the baseline security measures and the notification duties.
  • Portugal — the CNCS and the Quadro Nacional de Referência para a Cibersegurança (QNRCS).

Where a national framework adds or refines a measure, treat your gap-assessment scores as the starting evidence base rather than the final word.

Scoring & severity

Each control gets an implementation score and a documentation score. Together they roll up to an overall posture score and a per-control severity (how urgent the gap is). The dashboard shows the severity distribution, so you can see at a glance whether you are dealing with a few critical holes or many shallow ones.

From gaps to a plan

Every gap can feed a remediation task with an owner, a due date, and a severity — so the assessment isn’t a static report but the start of a tracked work list. See Policies & documents for generating the artefacts a gap calls for, and Multi-framework to see the same work mapped to ISO 27001 / NIST CSF / DORA.
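To make the two-axis scoring, the severity roll-up and the gap-to-task step concrete, here is an added, illustrative example. It is not Reglyze's scoring algorithm and not taken from the page: the 0 to 3 per-axis scale, the severity thresholds, the SLA days, the weighting hook, the sample controls and the owner names are all assumptions made for the example.

```python
# Added, illustrative example: two-axis control scoring, severity roll-up and a
# remediation plan. This is NOT Reglyze's scoring algorithm; the 0-3 scale,
# severity thresholds, SLA days, weights and sample controls are all assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 3  # assumed per-axis scale: 0 = absent .. 3 = fully in place / fully evidenced
SEVERITIES = ("critical", "high", "medium", "low", "none")
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}  # assumed remediation SLAs


@dataclass
class Control:
    ref: str             # Article 21(2) point the control maps to
    name: str
    implementation: int  # is the measure actually in place? (0..MAX_SCORE)
    documentation: int   # can you evidence it? (0..MAX_SCORE)
    weight: float = 1.0  # hook for weighting; 1.0 keeps the roll-up unweighted


def severity(c: Control) -> str:
    """Derive urgency from the two gaps. The implementation gap dominates:
    a control that is missing is a security problem, a control that exists
    but cannot be evidenced is an audit problem."""
    impl_gap = MAX_SCORE - c.implementation
    doc_gap = MAX_SCORE - c.documentation
    if impl_gap >= 2:
        return "critical"
    if impl_gap == 1:
        return "high"
    if doc_gap >= 2:
        return "medium"
    if doc_gap == 1:
        return "low"
    return "none"


def posture_score(controls) -> float:
    """Overall posture as a weighted percentage of achievable points on both axes."""
    earned = sum(c.weight * (c.implementation + c.documentation) for c in controls)
    possible = sum(c.weight * 2 * MAX_SCORE for c in controls)
    return round(100 * earned / possible, 1) if possible else 0.0


def severity_distribution(controls) -> dict:
    """Counts per severity bucket: the 'few critical holes vs many shallow ones' view."""
    dist = {s: 0 for s in SEVERITIES}
    for c in controls:
        dist[severity(c)] += 1
    return dist


def remediation_plan(controls, owners: dict, today: date) -> list:
    """Turn every scored gap into a tracked task with owner, due date and severity,
    most urgent first. Controls with no gap produce no task."""
    tasks = []
    for c in controls:
        sev = severity(c)
        if sev == "none":
            continue
        tasks.append({
            "control": c.ref,
            "name": c.name,
            "severity": sev,
            "owner": owners.get(c.ref, "unassigned"),
            "due": today + timedelta(days=SLA_DAYS[sev]),
        })
    tasks.sort(key=lambda t: (SEVERITIES.index(t["severity"]), t["control"]))
    return tasks


# Constructed sample assessment (not real data).
SAMPLE_CONTROLS = [
    Control("21(2)(a)", "Risk analysis and information-system security policies", 3, 3),
    Control("21(2)(b)", "Incident handling", 2, 1),
    Control("21(2)(c)", "Business continuity and crisis management", 1, 0),
    Control("21(2)(d)", "Supply-chain security", 3, 1),
    Control("21(2)(j)", "Multi-factor authentication and secure communications", 3, 2),
]
SAMPLE_OWNERS = {"21(2)(b)": "soc-lead", "21(2)(c)": "coo", "21(2)(d)": "procurement"}
SAMPLE_TODAY = date(2025, 1, 1)  # constructed assessment date

if __name__ == "__main__":
    print("posture:", posture_score(SAMPLE_CONTROLS), "%")
    print("distribution:", severity_distribution(SAMPLE_CONTROLS))
    for t in remediation_plan(SAMPLE_CONTROLS, SAMPLE_OWNERS, SAMPLE_TODAY):
        print(f'{t["severity"]:8} {t["control"]:9} {t["owner"]:12} due {t["due"]}  {t["name"]}')
```

The design choice worth noting is that severity is driven by the implementation gap first and the documentation gap second: a control that is in place but unevidenced is a finding an auditor will raise, but a control that is absent is a risk the business is carrying, so it lands at the top of the work list. Unassigned owners surface as "unassigned" rather than being dropped, which is the state you want visible on a tracked list.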

Re-assessing

Run the assessment periodically and after material change (a new supplier, a significant system change, an incident). NIS2 Article 21(1) requires measures appropriate to the risk, Article 21(2)(f) requires policies and procedures to assess their effectiveness, and Article 21(4) requires corrective measures without undue delay once you find you do not comply. Trending your scores between runs is the evidence for all three.