NIS2 is coming. For some organizations this means direct compliance; for others it applies 'indirectly': you may not fall under it yourself, but your customers do. And they will start asking you questions.
What you often hear then: “We need to become compliant. We probably need new tools.”
But the truth is simpler: you mainly need to make better use of what you already have.
NIS2 is about technical control
Not about new software. At its core, NIS2 requires demonstrable digital resilience. This means, among other things:
All justified. But what is often forgotten: many organizations already have the tools for this; they are just not being used to their full potential.
Example: Microsoft 365 Business Premium
Do you work with Microsoft 365 Business Premium or higher? Then you already have access to:
All components that cover a significant part of the technical controls under NIS2, provided they are properly configured and actually used. Many organizations pay for all of this but extract less than 30% of the value.
What you might already have and what it can do for you
The table below gives an impression of common security measures and tools that your organization may already use or may already have in its license package. Note: this overview is intended as a guideline. Every organization is different, and there are more solutions than we can mention here. But it does show that you often have more in-house than you think.
See it as a starting point. Not as a checklist. What works for you depends on your situation, your ambitions, and how your existing IT and security are already set up. Want to know where the real gaps are for your organization? A GAP analysis helps to make this concrete.
Measure | Tooling / Supplier | What you can cover with this
--- | --- | ---
Endpoint Security | Microsoft Defender for Endpoint, SentinelOne, ESET, Trellix, CrowdStrike, Bitdefender | Detection, response, asset visibility, reporting
Vulnerability Management | Rapid7 InsightVM, Qualys, Defender for Endpoint, SentinelOne, Armis, Tenable | Insight into vulnerabilities, scoring, and follow-up
Patch Management | Automox, Intune, PatchMyPC, Qualys | Up-to-date systems, compliance reporting
Logging and Detection | Microsoft Sentinel, Rapid7 InsightIDR, ADAudit Plus, Logpoint, Splunk, Arctic Wolf, Guardz | Central logging, anomaly detection, audit trails
Device Management | Microsoft Intune, Active Directory, Jamf | Device control, policy-based compliance
Access Management & MFA | Microsoft Conditional Access, Azure AD, Okta, Active Directory, Duo | Access visibility, risk-based policies, MFA
Data Recovery & Backup | Microsoft 365 Backup, Redstor, Veeam, Acronis, Commvault, monthly manual backup | Protection against data loss, ransomware response
Security Awareness | Nimblr, KnowBe4, Phished.io, monthly internal attention via soapbox, intranet or mailings | Awareness, simulations, lasting behavior change
Incident Response & Crisis Scenarios | Own IT partner + plan, Cyberday, Teams documents | Initial triage, escalation, communication
Awareness? Doesn't have to be a platform
For user awareness, many companies immediately think of large-scale e-learning projects. And yes, there are good solutions for that (such as Nimblr). But you can also start small: with monthly attention during a team meeting, internal phishing tests, or a simple newsletter. What counts is structural attention and measurable repetition, not the tool itself.
A crisis plan is not a luxury, and it is often already half there
NIS2 also requires incident response and communication during disruptions. That sounds like a whole process, but often you already have the basics in place:
Make it tangible, document it, and practice it once a year. You're not done yet, but you are demonstrably working on it.
Start with what is already there
Use the NIS2 Cyber Score from Samen Digitaal Veilig as a low-threshold GAP analysis. Then look at your existing suppliers and tools: What can you already do? What can you use better with some extra configuration?
Don't be overwhelmed by parties that want to "solve everything" with new software, new dashboards, or hefty licenses. More tooling also means more to manage, more integrations, and more risk.
Our view
At Brandaris Cybersecurity, we always start with a simple question: What do you already have in-house? And what does it actually do for you? Only then do we look at where the real gaps are and whether they can be closed with what is already there. Whether it's updates, monitoring, detection, or human behavior.
NIS2 doesn't have to be a monstrous task. It requires attention, insight, and a bit of structure. And if you do that well, more falls into place than you think.