NIS2 Compliance: How to Do It and What It Costs a Company
9 min read · AstraLoop Studio
If your company falls within the NIS2 scope, the practical question is no longer "what does the directive say" but "what do I need to do, in what order, and how much will it cost me." The difference between companies that comply smartly and those that burn money almost always comes down to sequencing: doing the right things at the right time, without buying technology before understanding where the gaps actually are.
This article gives you the concrete, step-by-step path, the 2026 deadlines to keep in mind, and realistic cost ranges for consulting. It's not definitive legal advice — it's the operational map I wish I'd had before starting. For the full picture of the obligations, the go-to reference is still the guide on what SMEs concretely need to do under NIS2, while here we focus on the "how" and the "how much."

First question: are you actually in scope?
It sounds obvious, but the first costly mistake is complying when you're not actually required to (or, worse, ignoring an obligation that does apply to you). NIS2 (EU Directive 2022/2555, transposed into Italian law by Legislative Decree 138/2024) applies based on sector and size, and distinguishes between "essential" and "important" entities, with different obligations and penalties for each.
Before spending a single euro on consulting, check whether you're actually in scope. We've dedicated an in-depth piece to the question "does NIS2 apply to my company?", and that's where you should start. In short, what matters is the sector (energy, transport, healthcare, digital, critical manufacturing, ICT suppliers and several others), headcount, and revenue. Watch out for the indirect effect too: if you supply a company that is subject to NIS2, your client will still ask you for contractual security guarantees, even if you're not formally obligated yourself.
The 2026 deadlines that matter
The operational calendar is what worries people most, because 2026 is the year NIS2 becomes real. The dates to mark down:
- Registration with ACN (the National Cybersecurity Agency): entities within scope must register on the ACN platform. The registration windows have already closed for many sectors; if you haven't done it yet, this is your first priority.
- Incident notification obligations from January 1, 2026: significant incidents must be reported to ACN within strict timeframes (early warning within 24 hours, full notification within 72 hours). You need a procedure ready in advance — not improvised on the day of the attack.
- Baseline security measures by October 2026: this is the operational deadline for having implemented the minimum required measures (risk management, access control, backups, incident management, supply chain security).
The full detail, with official dates and phases, is in our deep dive on the NIS2 deadlines for 2026. Keep it open while you plan: missing them isn't a formality, because NIS2 penalties for companies go up to €10 million or 2% of worldwide revenue for essential entities.
The point that changes everything: responsibility sits with leadership
Here's the change most owners haven't fully absorbed yet. Under NIS2, responsibility for cybersecurity can no longer be delegated to IT or an outside vendor. Governing bodies (CEOs, boards, sole directors) must approve risk management measures, oversee their implementation, and can be held personally liable in case of non-compliance.
In practice, Legislative Decree 138/2024 also mandates training for governing bodies. Signing a document isn't enough: leadership has to actually understand what it's approving. This changes how compliance needs to be structured — it's not a technical project to hand off in a corner, it's a governance decision.
The 6-phase compliance journey
A well-executed NIS2 compliance project follows a precise sequence. Skipping steps or reversing their order is the fastest way to spend badly. Here's the order that actually works.
Phase 1. Scoping and gap analysis
You start with a snapshot of the current state. A competent consultant compares your reality (processes, systems, access, suppliers, existing policies) against NIS2 requirements and produces a gap document: what's there, what's missing, what needs fixing. Skip this phase and every later investment is a shot in the dark. This is also the point where you find out whether you need a full IT security audit as a technical baseline — an actual check of vulnerabilities and configurations, not just a paperwork review.
Phase 2. Risk analysis and management
NIS2 requires a risk-based approach. That means mapping critical assets, identifying concrete threats (ransomware, phishing, supply chain compromise), estimating impact, and setting priorities. It's not a theoretical exercise — it's the basis you'll use to justify, even to ACN, why you chose certain measures over others.
Phase 3. Implementing technical and organizational measures
This is where the real measures come in: multi-factor authentication, least-privilege access management, tested backups (not just configured ones), network segmentation, encryption, patch management, endpoint security. On the organizational side you need policies, procedures, and clearly defined roles and responsibilities. This is the most expensive phase if you have a lot of ground to cover, but it's also where a good initial scoping saves you money — because you know exactly what's needed.

Phase 4. Incident management and notification plan
You need a written, tested procedure for handling an incident: who does what, on what timeline, who decides, and how you notify ACN within the 24- and 72-hour windows. Many companies discover they have no clear chain of command only during the attack itself, which is the worst possible time. If you want to understand how that critical window works, our article on what to do in the 72 hours after a data breach ties directly into NIS2's notification obligations.
Phase 5. Supply chain security
This is one of the most underrated and most explicit points in the directive. You need to assess the security of your ICT suppliers and include appropriate contractual clauses. The data is clear: roughly 30% of breaches involve third parties, and supply-chain compromises have quadrupled in five years. NIS2 requires you not to blindly trust whoever supplies you with software and services.
Phase 6. Training, monitoring, and maintenance
Compliance isn't a project with an end date. You need ongoing training for staff (and for leadership, as mentioned), continuous monitoring, updates to your measures, and periodic reviews. A key topic today is controlling unauthorized use of AI tools by employees: the Shadow AI phenomenon — company data pasted into ChatGPT or Copilot — is a gap that NIS2 risk management has to account for, since it ties together data leaks, GDPR, and the new AI Act.
What NIS2 compliance actually costs: real price ranges
Let's get to the numbers, which is probably why you're here. Honest premise: there's no single price, because cost depends on size, IT complexity, how far along you already are, and whether you're an essential or important entity. That said, here are realistic ranges from the Italian market, broken down by component.
| Component | What it includes | Indicative range |
|---|---|---|
| Initial gap analysis / assessment | Snapshot of current state + gap document | €2,000 - €8,000 |
| Structured risk analysis | Asset mapping, threats, priorities | €3,000 - €10,000 |
| Implementation consulting | Support for policies, procedures, technical roadmap | €5,000 - €25,000 |
| Full "turnkey" package (SMEs) | From gap analysis to documented compliance | €10,000 - €40,000 |
| Ongoing consulting / DPO-CISO as a service | Maintenance, monitoring, updates | €800 - €3,000/month |
Three things to keep in mind about these numbers. First: these are consulting costs, on top of which you'll add technology investments (MFA licenses, backup, EDR, any penetration testing). Second: an averagely structured SME starting nearly from scratch rarely gets away with under €15,000-20,000 total between consulting and initial measures. Third: anyone promising you NIS2 compliance as a "fixed €990 package" is selling you a document, not real compliance.
What actually drives the price
- Your starting point: if you already have MFA, backups, and policies, most of the cost is documentation. If you're starting from zero, it's everything.
- IT complexity: number of systems, locations, suppliers, and employees with access.
- Essential or important entity: essential entities face heavier controls and obligations.
- In-house or outsourced: doing it all internally only "costs less" if you already have the expertise; for most SMEs, an external consultant costs less than the mistakes they save you from.
Want to know what NIS2 compliance would really cost you and where to start in your specific case? Request a scope analysis: we'll give you the concrete gap, not a generic quote.
How to choose a NIS2 consultant (without getting ripped off)
The NIS2 consulting market exploded between 2025 and 2026, and, as always with a regulatory deadline, it filled up with salespeople. Here's how to tell a serious consultant from someone selling fear.
- Starts from the gap, not the product: if the first thing they pitch you is buying software, walk away. First you figure out where you stand, then you decide what's needed.
- Has real technical expertise, not just legal: NIS2 is both technical and organizational. A purely legal consultant won't implement anything for you; a purely technical one won't cover governance and notifications. You need a combined approach.
- Connects NIS2, GDPR, and the AI Act: these regulations overlap. Anyone who treats them as separate worlds makes you pay three times for the same work. For the full picture on the new AI regulation, our article on AI Act obligations for SMEs in 2026 shows just how intertwined these topics are.
- Leaves you with demonstrable documentation: compliance has to be proven. The consultant should hand you evidence, not just tell you "you're all set."
- Doesn't promise compliance in a week: a serious compliance project for an SME generally takes 2 to 6 months. Anyone who quotes less is cutting corners.
A bonus almost no one mentions: insurability
Complying with NIS2 doesn't just help you avoid fines. Cyber insurance providers increasingly require exactly the measures NIS2 mandates: MFA, tested backups, incident management, supplier assessment. A compliant company pays lower premiums and, more importantly, doesn't get its claim denied after an attack for "inadequate security measures." Compliance is also an investment in your insurability. If you want the math up front, our analysis on the real cost of a data breach and the ROI of prevention explains why prevention pays off compared to suffering an attack.
Common mistakes to avoid
- Buying technology before the gap analysis: you end up with tools you don't need and gaps that stay open.
- Treating it as an IT-only problem: responsibility sits with leadership, and leadership must be involved and trained.
- Ignoring the supply chain: it's an explicit obligation, not an option.
- Never testing the incident plan: a procedure that's written but never tested isn't worth much when you actually need it.
- Waiting until the deadline: with October 2026 approaching, those who start at the last minute find consultants booked up and prices higher.
NIS2 isn't a compliance burden to grudgingly endure. It's an opportunity to put in order a level of security you need anyway — with Italy accounting for 10% of global incidents and SMEs targeted in 72% of attacks. Done right, it leaves you more protected, more insurable, and with a security governance you didn't have before.
Frequently asked questions
How much does NIS2 compliance cost for an SME?
It depends on your starting point, but for an averagely structured SME, the total cost between consulting and initial measures rarely drops below €15,000-20,000. The gap analysis alone starts at €2,000-8,000. Be wary of fixed packages under €1,000: they sell documents, not real compliance.
Where do you start with NIS2 compliance?
From checking whether you're actually in scope, then the gap analysis — a snapshot of your current state compared against the directive's requirements. Buying technology before this phase is the most common and most costly mistake.
What are the NIS2 deadlines for 2026?
Incident notification obligations to ACN start on January 1, 2026 (early warning within 24 hours, full notification within 72 hours), while baseline security measures must be implemented by October 2026. Registration on the ACN platform, for many sectors, is already a past deadline that needs urgent catch-up.
Is NIS2 responsibility on IT or on the owner?
It's on leadership. Under Legislative Decree 138/2024, governing bodies approve risk management measures, oversee their implementation, and can be held personally liable. Mandatory training for governing bodies is also required. It's no longer a problem you can delegate to IT.
How long does it take to comply with NIS2?
For an SME, a serious compliance project generally takes 2 to 6 months, depending on how far along you already are. Anyone promising compliance in a week is skipping essential steps.
Do I need an external consultant, or can I do it myself?
You can only handle it in-house if you already have cybersecurity and governance expertise. For most SMEs, an external consultant costs less than the mistakes they save you from — especially since they know how to connect NIS2, GDPR, and the AI Act without making you pay three times for the same work.
If the October 2026 deadline has you worried, let's talk: we'll map your current state together and tell you honestly what's needed, in what order, and what it costs.