Consulereit

Industrial manufacturing · ~300 staff, three EU sites · 3 weeks

NIS2 readiness assessment for a mid-market industrial manufacturer

A three-week gap analysis and twelve-month roadmap for a manufacturing business suddenly in scope of the Dutch Cyberbeveiligingswet. Translated a dense legal text into a prioritised set of things their small IT team could actually do.

Context

The client is a family-owned manufacturer with one IT manager, a small helpdesk, and a handful of OT engineers responsible for line-level control systems. They discovered, via their insurer, that NIS2 brought them into scope as an “essential entity”, and that compliance with the Dutch implementation law was expected, not optional.

They had no information-security management system, no documented incident procedure, and an OT/IT network that had grown together organically over fifteen years. The board needed to understand two things: where they stood, and what a realistic twelve-month path to adequacy looked like.

Approach

Three weeks, structured as three conversations more than an audit.

  1. Context and evidence: two days on-site talking to the IT manager, the plant managers, and a board member. I asked for the things they already had (vendor contracts, backup logs, change-control spreadsheets, network diagrams) rather than asking them to produce artefacts they didn’t have.
  2. Gap map against NIS2 art. 21 and 23, across ten domains: risk management, incident handling, supply chain, access control, asset management, crypto, training, OT-specific controls, business continuity, and reporting. Each domain was rated against what the law requires and what the business actually has, with the evidence written up in plain Dutch.
  3. Twelve-month roadmap, sequenced by risk rather than by checklist order. Quarter-by-quarter milestones tied to budget, including which items could be absorbed into existing vendor contracts and which genuinely required new spend.

Outcome

A thirty-page report in Dutch and English, with an eight-page board-level summary. Critical gaps (no MFA on the ERP, no tested backup restore path for OT, no incident reporting process for the 24h notification window) were closed within sixty days. The twelve-month roadmap was approved in full at the quarterly board meeting, with budget allocated.

The piece the client valued most, in their own words, was that the roadmap was small enough to actually execute, “not a consultancy wishlist.”

Thinking about an engagement?

Every project starts with a short call, free, no commitment. I'll tell you whether I'm the right fit, and if not, I'll usually know someone who is.