NIS2 and Microsoft 365: The Practical Admin Checklist for SMBs in Critical Sectors (2026)

NIS2 is the European Union's second-generation cybersecurity directive, and by mid-2026 the question for Microsoft 365 admins in small and mid-sized organisations is no longer "is this real?" but "does it apply to us, and what do we actually do about it?" The transposition deadline was 17 October 2024; by 2026, transposition remained uneven across the EU. Some member states had completed national implementation, while others were still finalising or correcting their transposition after Commission infringement steps. In countries where transposition is complete, mid-sized organisations in critical sectors are now in scope and their management bodies have explicit governance duties and may face accountability measures under national law where those duties are not met. This article is the practitioner's framework: the in-scope question, the ten Article 21 measures translated into operational requirements, the Microsoft 365 controls that map to each measure, where Microsoft 365 alone is not enough, the 24-hour / 72-hour / one-month incident reporting framework, and a pre-compliance checklist. Validate the current transposition status, scope definitions and reporting requirements against your national competent authority and qualified counsel before relying on this article for binding interpretation.

📅 June 2026 ⏱ 18 min read 🔐 Security & Compliance 📚 Decision Framework
Key Takeaways

  • NIS2 transposition is uneven across the EU, but the direction is set. By 2026 some member states had completed national implementation, while others were still finalising or correcting their transposition after Commission infringement steps. In your country, the obligations bind from the date your national law takes effect, which may have already happened. Confirm the national transposition status and the specific national act that implements NIS2 in your jurisdiction before relying on transition dates.
  • The scope question is the first practical decision. Medium-sized entities are usually those with 50–249 employees and either annual turnover above €10 million or annual balance sheet total above €10 million. Large entities are usually those with 250+ employees and either annual turnover above €50 million or annual balance sheet total above €43 million. Scope still depends on the listed sector, national transposition and any national designation rules. Microenterprises and small enterprises below the medium-sized thresholds are generally out of scope, with specific exceptions (qualified trust service providers, top-level domain name registries, DNS service providers, and a few other specific categories).
  • Article 21 sets ten cybersecurity risk-management measures. Risk analysis and information security policies; incident handling; business continuity (including backup and disaster recovery); supply chain security; secure acquisition, development and maintenance; policies to assess control effectiveness; basic cyber hygiene and training; cryptography and encryption; human resources security, access control and asset management; multi-factor authentication, secured communications and emergency communication. The measures are technology-neutral and outcomes-based; the depth and sophistication of controls must be proportionate to the entity's risk exposure, size and the societal impact of incidents.
  • Article 23 incident reporting is a three-stage framework. An early warning within 24 hours of becoming aware of a significant incident; an incident notification within 72 hours including an initial impact assessment; and a final report within one month including root cause analysis and mitigation. The thresholds for what counts as a "significant" incident are defined nationally but generally include disruption of services, financial loss or material harm to recipients. Microsoft Sentinel and Microsoft Purview audit logging are the foundations admins use to support these timelines on the M365 side; the reporting itself is an organisational process.
  • Management body accountability is the under-discussed shift. Article 20 makes management bodies of essential and important entities responsible for approving the cybersecurity risk-management measures and overseeing their implementation. Members of the management body are required to follow specific cybersecurity training. Management bodies have explicit governance duties and may face accountability measures under national law where those duties are not met. The IT director is not the only person on the hook.
  • Penalties matter, and they scale with entity classification. Essential entities face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. These are maximum administrative fine levels in the Directive. The actual enforcement process, authority and national wording depend on the member state transposition. Validate the applicable cap and enforcement model in your national law before quoting a number in a board memo.
  • Where this article fits. NIS2 lands on the legal, risk, compliance and IT leadership tables of every European mid-sized organisation in a critical sector. This article is for the Microsoft 365 administrator or architect who has been told the organisation is in scope and needs a structured way to map the obligations to the tenant's capabilities and to identify what the tenant cannot solve alone. It is a practitioner's framework, not legal advice; for binding interpretation of NIS2 in your jurisdiction, work with qualified counsel and your national competent authority.

How to use this guide:
1. Starting from zero: read top to bottom; the scope check and the 10-measures mapping table are the highest-value sections.
2. Already confirmed scope: jump to the Microsoft 365 controls mapping and the gap section.
3. Responding to a board or audit question: jump to the penalties, the management accountability section and the incident reporting timeline.

Am I in scope? The 2026 SMB question

NIS2 introduced a size-based scope replacing the entity-by-entity designation model of NIS1. The starting point is your organisation's size, then the sector, then any national-discretion expansion. Three categories matter.

  • Essential entities
    Thresholds: Usually organisations that meet the large-enterprise size criteria under the applicable EU/national definition, commonly 250+ employees and either annual turnover above €50M or annual balance sheet total above €43M, in a listed Annex I sector.
    In-scope sectors: Energy, transport, banking, financial market infrastructures, health (manufacturers of medical devices), drinking water, wastewater, digital infrastructure (top-level domain name registries, DNS service providers, trust service providers, data centre service providers, cloud computing service providers, content delivery network providers), ICT service management, public administration entities, space.
  • Important entities
    Thresholds: Usually organisations that meet the medium-enterprise size criteria under the applicable EU/national definition, commonly 50–249 employees and either annual turnover above €10M or annual balance sheet total above €10M, in a listed Annex I or Annex II sector (with national transposition determining the precise classification).
    In-scope sectors: Postal and courier services, waste management, manufacture and distribution of chemicals, production, processing and distribution of food, manufacture of certain products (medical devices, computer/electronic/optical, electrical equipment, machinery, motor vehicles and trailers, other transport equipment), digital providers (online marketplaces, online search engines, social networking services platforms), research organisations.
  • Out of scope (with exceptions)
    Thresholds: Microenterprises and small enterprises (fewer than 50 employees AND below €10M turnover AND below €10M balance sheet).
    Exceptions where size does not exempt: qualified trust service providers, top-level domain name registries, DNS service providers, and a few other specific roles. Member states may also include smaller entities where they are the sole provider of a critical service or where disruption would materially impact public safety or public health.
⚠️ Member state discretion can extend the scope. Each national transposition can identify additional entities as in-scope, including some that fall below the size threshold. The directive lays out the criteria; the member state acts on them. The practical implication: even if a quick read of the EU directive suggests you are out of scope, the national act in your country may say otherwise. Check the national list of designated essential and important entities, where one has been published.

For a Microsoft 365 admin in a mid-sized organisation, the realistic 2026 sequence is:

  • Confirm the organisation's size band (employees, turnover, balance sheet) against the NIS2 definitions.
  • Confirm whether the organisation's primary activity sits in one of the listed sectors (Annex I for essential; Annex II for important).
  • Cross-check against the national list of designated entities where one has been published.
  • Where the answer is "in scope", treat it as binding regardless of whether the national authority has formally communicated.
  • Where the answer is "probably out of scope", document the rationale and revisit annually or on significant business change.

NIS2 state in 2026: transposition, enforcement, simplification

The transposition deadline of 17 October 2024 came and went with a significant minority of member states behind schedule. The European Commission opened infringement procedures and, on 7 May 2025, escalated to a reasoned opinion against 19 member states for failing to notify full transposition. By 2026, transposition remained uneven across the EU. Some member states had completed national implementation, while others were still finalising or correcting their transposition after Commission infringement steps. The patchwork is genuine and operationally relevant: an organisation operating in multiple member states may have NIS2 obligations binding in some jurisdictions before others.

EU-level guidance and simplification discussions may affect how organisations interpret or evidence compliance, but they should not be treated as removing the core Article 21 and Article 23 obligations unless formally adopted and reflected in national implementation. Track any simplification proposal through to formal adoption and national transposition before relying on it in compliance planning.

🔎 Validate national transposition for the jurisdictions where you operate. The ENISA tracker, the Commission's digital strategy page on NIS2 transposition, and national competent authority pages are the authoritative sources. Treat blog posts and vendor white papers (including this one) as orientation, not as the source of binding dates.

The 10 Article 21 cybersecurity measures, in plain English

Article 21(2) lists ten cybersecurity risk-management measures that in-scope entities must implement. The measures are technology-neutral; they tell you what to achieve, not which products to buy. The proportionality principle of Article 21(1) means the depth and sophistication of controls must be calibrated to the entity's risk exposure, size and the societal impact of incidents.

  • (a) Risk analysis and information security policies: Documented risk assessment of information systems, with reviewed and approved policies covering classification, acceptable use, access, incident response, business continuity, and supplier security.
  • (b) Incident handling: Documented processes for detection, triage, containment, eradication, recovery, post-incident review. Linked to the Article 23 reporting timeline.
  • (c) Business continuity, backup management, disaster recovery and crisis management: Backup strategy with verified restorability; disaster recovery plans tested at least annually; crisis communication plan; recovery time and recovery point objectives documented for critical services.
  • (d) Supply chain security: Identification of critical suppliers, assessment of their security posture, contractual security requirements, contingency planning for supplier failure. The most under-prepared measure in most mid-sized organisations.
  • (e) Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure: Secure development lifecycle for in-house systems; vulnerability management programme with prioritisation and patching SLAs; coordinated vulnerability disclosure where the organisation provides services to external parties.
  • (f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures: Internal audit, control testing, penetration testing or red-team exercises, metrics that demonstrate the controls are working, not just documented.
  • (g) Basic cyber hygiene practices and cybersecurity training: Mandatory training for all staff; role-appropriate deeper training for IT, security, finance and HR; phishing simulations; documented attendance.
  • (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption: Encryption-at-rest and encryption-in-transit policies; key management approach documented; identification of data flows where encryption is mandatory in the organisation's context.
  • (i) Human resources security, access control policies and asset management: Background checks where appropriate; onboarding / offboarding processes with documented access revocation; least-privilege access control; asset inventory with ownership.
  • (j) Multi-factor authentication or continuous authentication solutions; secured voice, video and text communications; secured emergency communication systems: MFA on all administrative access and on user access to critical systems; secured communications for sensitive operations; documented out-of-band emergency communication if primary channels are compromised.

Microsoft 365 controls mapped to the 10 measures — control, evidence, gap

Most of the ten Article 21 measures have direct or near-direct Microsoft 365 capability that can support compliance. None of them is a checkbox. For each measure, the mapping below identifies: the M365 control that supports it, the evidence output an admin can produce, and the typical non-M365 gap that the organisation must close outside the tenant.

  • (a) Risk analysis & InfoSec policies
    Microsoft 365 control: Microsoft Purview Compliance Manager; Microsoft 365 Secure Score; Purview Information Protection sensitivity labels.
    Evidence output: Compliance Manager improvement actions report; Secure Score export; sensitivity label policy list.
    Non-M365 gap: Authored and approved information security policies; classification scheme aligned to organisation risk; named policy owner.
  • (b) Incident handling
    Microsoft 365 control: Microsoft Sentinel; Defender XDR (incident graph, AIR); Purview audit logging.
    Evidence output: Sentinel incident timeline; Defender XDR investigation summary; Purview audit search export.
    Non-M365 gap: Incident response procedure, decision authority, named incident commander, escalation criteria, tabletop exercise records.
  • (c) Business continuity, backup, DR
    Microsoft 365 control: Microsoft 365 Backup for supported Exchange Online / SharePoint Online / OneDrive workloads; third-party backup vendors (Veeam, AvePoint, Druva, Rubrik, Cohesity) for broader coverage.
    Evidence output: Backup configuration export; restore test logs; RPO / RTO documentation; vendor-side restore evidence.
    Non-M365 gap: Business continuity plans covering facilities, alternative locations, communications and crisis management; tested DR plans beyond data restore.
  • (d) Supply chain security
    Microsoft 365 control: Microsoft Entra Conditional Access (vendor / partner access); Defender for Cloud Apps (SaaS app discovery); Entra guest user controls.
    Evidence output: Conditional Access policy export for partner access; SaaS discovery report; guest user access review evidence.
    Non-M365 gap: Vendor risk management programme; contractual security clauses; contingency planning for supplier failure; supplier inventory with criticality rating.
  • (e) Secure SDLC, vulnerability handling
    Microsoft 365 control: Microsoft Defender Vulnerability Management; Defender for Cloud (Azure workloads); GitHub Advanced Security; Defender for DevOps.
    Evidence output: Vulnerability inventory and remediation status; SDLC posture report; coordinated disclosure intake log.
    Non-M365 gap: Secure development standards; patching SLAs; coordinated vulnerability disclosure policy where external services are provided.
  • (f) Effectiveness assessment
    Microsoft 365 control: Compliance Manager improvement actions; Secure Score; Sentinel workbooks; Defender attack simulation training.
    Evidence output: Compliance Manager assessment results; Secure Score trend; attack simulation campaign reports.
    Non-M365 gap: Independent penetration testing and red-team exercises; internal audit reports; documented remediation tracking.
  • (g) Cyber hygiene & training
    Microsoft 365 control: Defender for Office 365 attack simulation training; Microsoft Viva Learning; admin centre training assignment reports.
    Evidence output: Phishing simulation results; training completion exports; HR LMS or Viva Learning attendance.
    Non-M365 gap: Organisation-specific use case training; mandatory completion enforcement; documented attendance for all populations including the management body.
  • (h) Cryptography & encryption
    Microsoft 365 control: Purview Information Protection sensitivity labels with encryption; M365 Message Encryption; BitLocker and Defender for Endpoint disk encryption reporting; Customer Key for tenant-managed encryption.
    Evidence output: Sensitivity label policy export; BitLocker compliance report; Customer Key configuration evidence.
    Non-M365 gap: Documented cryptography policy; key management approach; documented encryption-mandatory data flows in the organisation's context.
  • (i) HR security, access control, asset management
    Microsoft 365 control: Entra Conditional Access; Entra PIM; Entra Identity Governance (lifecycle workflows, access reviews); Microsoft Intune (device inventory and compliance).
    Evidence output: Conditional Access policy export; PIM role activation logs; access review evidence; Intune device inventory report.
    Non-M365 gap: Background check procedures where appropriate; documented onboarding / offboarding workflow with access revocation; asset register beyond IT devices.
  • (j) MFA, secured comms, emergency communication
    Microsoft 365 control: Entra Conditional Access with phishing-resistant authentication strengths; Microsoft Authenticator passkeys; Microsoft Teams security controls, encryption in transit/at rest, sensitivity labels for meetings, and end-to-end encryption where supported for specific meeting scenarios; M365 Message Encryption.
    Evidence output: MFA coverage report (authentication methods + sign-in logs); CA policy export; Teams security settings export.
    Non-M365 gap: Documented out-of-band emergency communication procedure if primary channels are compromised; secured voice scenarios outside Teams.

Where Microsoft 365 alone is not enough

Microsoft 365 covers a large part of the technical surface but does not satisfy NIS2 on its own. The directive expects organisational practice, not only product configuration. The most consistent gaps are below.

  • Supply chain security programme. The technical controls scope partner access; the broader programme — vendor risk assessments, contractual security requirements, contingency plans — is organisational. Most under-prepared measure in mid-sized organisations.
  • Documented information security policies. Microsoft Purview Compliance Manager may provide NIS2-related assessment templates depending on tenant, region and licensing. Treat them as a starting point for evidence and gap tracking, not as legal confirmation of compliance. The policy text itself, the approval, the version history and the awareness rollout sit outside the tool.
  • Business continuity beyond data backup. Microsoft 365 Backup can support recovery for supported Exchange Online, SharePoint Online and OneDrive workloads, but NIS2 business continuity is broader than restoring Microsoft 365 data. Business continuity under NIS2 means the organisation can continue to operate critical services through a major disruption; that requires plans for facilities, alternative work locations, communications, and stakeholder management.
  • Incident response process and decision authority. Sentinel and Defender XDR generate the signal; the incident response team, the decision authority for activating major incident mode, and the cross-functional crisis playbook are human and organisational.
  • Penetration testing and red-team exercises. Microsoft tools provide attack simulation training, but full penetration testing is typically delivered by an external party. Required for the (f) effectiveness assessment measure for many entity profiles.
  • Management body training and oversight. Article 20 requires management body cybersecurity training. The training material can come from Microsoft Viva Learning or third-party providers; the attendance, the discussion at the board, and the documented oversight are organisational.
  • National regulator engagement. The relationship with the national competent authority, registration where required, and the reporting workflow are external to the tenant.
  • Documentation under audit conditions. Article 21 controls need to be demonstrable. A configured tenant is not the same as an audit-ready evidence trail. Compliance Manager helps; the evidence collection and presentation are an organisational practice.

Article 23 incident reporting: the 24h / 72h / one-month framework

Article 23 prescribes a three-stage incident reporting process. The thresholds for what counts as a "significant" incident are defined in national transposition acts, but generally include disruption to service delivery, financial loss, material harm to recipients, or significant impact on public safety or public health. Verify the precise threshold and reporting destination (national CSIRT or competent authority) for each member state where the organisation operates.

  • Early warning
    Deadline: Within 24 hours of becoming aware of the incident.
    Content: Initial notification including whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
    M365 telemetry that supports: Microsoft Defender XDR incident graph; Sentinel alert; basic IOC summary from Defender for Endpoint / Defender for Office 365.
  • Incident notification
    Deadline: Within 72 hours of becoming aware.
    Content: Initial impact assessment, severity, indicators of compromise (where available), update on the early warning.
    M365 telemetry that supports: Sentinel investigation pack; Defender XDR incident summary; affected user / mailbox / device list from Microsoft Purview audit search.
  • Final report
    Deadline: Within one month of the incident notification.
    Content: Detailed description, root cause analysis, mitigation measures taken or planned, cross-border impact where relevant.
    M365 telemetry that supports: Full Sentinel investigation timeline, Defender XDR forensic data, eDiscovery case if data exposure is in scope, Purview audit log evidence.
  • Progress / status report
    Deadline: On request from the competent authority.
    Content: Interim updates where the incident continues beyond one month.
    M365 telemetry that supports: Sentinel watchlists, ongoing alert correlation, incident review meetings.
⚠️ The 24-hour clock starts when the entity becomes aware of the incident. Awareness is interpreted operationally as having enough information to recognise that a significant incident is in progress. Poor detection capability will not normally be a comfortable defence under regulatory scrutiny; entities need processes capable of recognising, escalating and reporting significant incidents within the required windows. The practical implication for admins: detection capability and the incident response process must be calibrated to allow recognition, escalation and reporting decisions within the 24-hour window.

Management body accountability (Article 20)

Article 20 is the part of NIS2 that changes the executive conversation. Management bodies of essential and important entities are accountable for approving the cybersecurity risk-management measures of Article 21 and for overseeing their implementation. Members of the management body must follow specific cybersecurity training. Management bodies have explicit governance duties and may face accountability measures under national law where those duties are not met — the precise enforcement mechanisms, including any temporary measures against management responsibilities, depend on the national transposition.

Operationally for a Microsoft 365 admin, the implications are:

  • The IT or security team is no longer the only stakeholder. The management body sign-off on cybersecurity controls becomes part of the documented evidence chain.
  • Cybersecurity reporting to the management body needs cadence, content and an audit trail. Microsoft Defender XDR, Microsoft Sentinel, Microsoft Secure Score and Microsoft Purview Compliance Manager can provide the metrics; the briefing pack and the meeting minutes are organisational.
  • Management body cybersecurity training is mandatory. Source the training internally or externally; document attendance.
  • Where the organisation has a CISO or equivalent, the accountability does not transfer to that role; it sits with the management body.

NIS2 evidence pack: what the admin should be able to produce

Auditors, national competent authorities and management body briefings all ask the same operational question: "show me." A configured Microsoft 365 tenant is not the same as an audit-ready evidence trail. The table below collects the practical evidence pack a Microsoft 365 admin should be able to produce on request, mapped to Article 21 measures and to the M365 surface that produces it. Treat this as a living document; export the artefacts on a defined cadence, version-control the exports, and document the date and the producer.

  • Conditional Access baseline
    Source: Microsoft Entra ID policy export.
    Demonstrates: Access control posture and MFA enforcement coverage (Article 21 (i) and (j)).
  • MFA coverage report
    Source: Microsoft Entra ID authentication methods / sign-in logs.
    Demonstrates: Real adoption of MFA across the user base, not only configured policy (Article 21 (j)).
  • Admin role review
    Source: Microsoft Entra PIM / role assignment exports.
    Demonstrates: Least-privilege admin posture and review evidence (Article 21 (i)).
  • Device compliance baseline
    Source: Microsoft Intune compliance reports.
    Demonstrates: Endpoint posture against the organisation's compliance baseline (Article 21 (i) and (g)).
  • Endpoint risk posture
    Source: Microsoft Defender for Endpoint.
    Demonstrates: Endpoint EDR coverage, threat and vulnerability state (Article 21 (b), (e), (g)).
  • Mail security baseline
    Source: Microsoft Defender for Office 365 policy exports.
    Demonstrates: Anti-phishing, anti-malware, Safe Links, Safe Attachments coverage (Article 21 (g)).
  • Incident timeline
    Source: Microsoft Sentinel / Microsoft Defender XDR.
    Demonstrates: End-to-end incident detection, investigation and response evidence for Article 23 reporting (Article 21 (b)).
  • Audit log evidence
    Source: Microsoft Purview audit.
    Demonstrates: Forensic trail across the M365 tenant for incident reconstruction and access review (Article 21 (b), (i)).
  • DLP / sensitivity label policy
    Source: Microsoft Purview.
    Demonstrates: Data protection and encryption-mandatory data flow evidence (Article 21 (h)).
  • Backup / restore evidence
    Source: Microsoft 365 Backup configuration + third-party backup vendor reports.
    Demonstrates: Restorability of supported workloads with documented RPO / RTO (Article 21 (c)).
  • Training evidence
    Source: Microsoft Defender Attack Simulation / Microsoft Viva Learning / HR LMS.
    Demonstrates: Cyber hygiene training coverage and completion across populations including the management body (Article 21 (g), Article 20).
  • Supplier access evidence
    Source: Microsoft Entra guest users; access reviews; Conditional Access policies scoped to partners.
    Demonstrates: Vendor / partner technical access scoping and review (Article 21 (d)).
🔎 Export cadence and ownership matter. Evidence that lives only in a portal is not evidence. Schedule exports on a defined cadence (weekly, monthly or quarterly depending on the artefact), store in a versioned repository, record the export date and the producer. The audit asks for the artefact and the chain of custody, not for an admin to log into a portal during the conversation.
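As an added example (not code from the original article and not Microsoft's own tooling), the script below produces two of the artefacts from the evidence pack, the Conditional Access baseline and the MFA coverage report, and writes a manifest that records the export time, the producer and a SHA-256 hash per file, so the export can be committed to a versioned repository with its chain of custody. It assumes the Microsoft Graph PowerShell SDK is installed, the listed Graph scopes are consented, and that the methodsRegistered value names treated as phishing-resistant (FIDO2 keys, Windows Hello for Business, device-bound passkeys) are as commented; the output path and the producer parameter are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

# Evidence-pack export for Article 21 (i)/(j): Conditional Access baseline + MFA coverage.
# Assumption: the signed-in account holds a reporting role and the scopes requested below.
param(
    [string]$OutputRoot = '.\nis2-evidence',   # root of the versioned evidence repository (assumed path)
    [string]$Producer   = $env:USERNAME        # recorded in the manifest for chain of custody
)

$ErrorActionPreference = 'Stop'
$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$outDir = Join-Path $OutputRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Conditional Access baseline: full policy objects, including grant controls and authentication strengths.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$caPolicies | ConvertTo-Json -Depth 20 | Set-Content (Join-Path $outDir 'conditional-access-policies.json')

# 2. MFA coverage: per-user registration detail, i.e. real adoption rather than configured policy.
$reg = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$reg | Select-Object UserPrincipalName, UserType, IsAdmin, IsMfaRegistered, IsMfaCapable, IsPasswordlessCapable,
                     @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv (Join-Path $outDir 'mfa-registration.csv') -NoTypeInformation

# Assumption: these are the Graph methodsRegistered names for FIDO2 keys,
# Windows Hello for Business and device-bound passkeys (the phishing-resistant set).
function Test-PhishingResistant([string[]]$Methods) {
    foreach ($m in $Methods) {
        if ($m -in @('fido2SecurityKey', 'windowsHelloForBusiness') -or $m -like 'passKeyDeviceBound*') { return $true }
    }
    return $false
}

$members       = @($reg | Where-Object { $_.UserType -eq 'member' })
$mfaRegistered = @($members | Where-Object { $_.IsMfaRegistered })
$admins        = @($members | Where-Object { $_.IsAdmin })
$adminsWeakMfa = @($admins | Where-Object { -not (Test-PhishingResistant $_.MethodsRegistered) })

# Manifest: who exported what, when, from which tenant, plus the headline numbers a board pack needs.
$summary = [ordered]@{
    exportedAtUtc             = $stamp
    producer                  = $Producer
    tenantId                  = (Get-MgContext).TenantId
    conditionalAccessPolicies = [ordered]@{
        total      = $caPolicies.Count
        enabled    = @($caPolicies | Where-Object State -eq 'enabled').Count
        reportOnly = @($caPolicies | Where-Object State -eq 'enabledForReportingButNotEnforced').Count
    }
    mfa = [ordered]@{
        memberUsers                          = $members.Count
        mfaRegistered                        = $mfaRegistered.Count
        coveragePercent                      = $(if ($members.Count) { [math]::Round(100 * $mfaRegistered.Count / $members.Count, 1) } else { 0 })
        adminsTotal                          = $admins.Count
        adminsWithoutPhishingResistantMethod = @($adminsWeakMfa.UserPrincipalName)
    }
}
$summary | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $outDir 'manifest.json')

# Hash every artefact so a later audit can check the repository copy against this export.
Get-ChildItem $outDir -File -Exclude 'sha256sums.csv' | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv (Join-Path $outDir 'sha256sums.csv') -NoTypeInformation

Disconnect-MgGraph | Out-Null
Write-Host "Evidence written to $outDir"
```

Run it from the scheduled cadence (weekly, monthly or quarterly) and commit the whole timestamped folder; the manifest's adminsWithoutPhishingResistantMethod list is the finding to track to closure under measure (j).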

Pre-compliance checklist (12 items)

The checklist below collects the highest-impact actions for the second half of 2026. The work is partly technical (configure controls in the tenant), partly organisational (write policies, train people), and partly documentary (collect evidence in a way that survives an audit).

  • Confirm the scope determination in writing. Document the entity classification (essential / important / out of scope), the rationale, the national act being relied on, and the date of the determination. Revisit annually or on significant business change.
  • Identify the national competent authority and CSIRT. Record contact details, registration requirements, and the reporting channel for each member state where the organisation has activities. The 24-hour clock does not pause while you look up where to send the report.
  • Run a gap analysis against the 10 Article 21 measures. Map each measure to current controls, identify gaps, prioritise by risk. Microsoft Purview Compliance Manager may provide NIS2-related assessment templates depending on tenant, region and licensing; validate them against your national transposition and entity-specific risk profile.
  • Deploy the Microsoft Entra and Defender baselines mapped in this article. Conditional Access with phishing-resistant MFA, Defender for Office 365 preset security policies, Microsoft Intune compliance baselines, Microsoft Sentinel for detection and incident response.
  • Document the backup and disaster recovery position. Microsoft 365 Backup covers Exchange / SharePoint / OneDrive; identify the gaps (Teams chats, Planner, Loop, Power Platform) and the third-party tooling that covers them. RTO / RPO documented per critical service.
  • Stand up an incident response process aligned with Article 23. Detection, triage, escalation paths defined; named incident commander; documented decision authority for activating major incident mode. Practice with tabletop exercises.
  • Build the supply chain security programme. Inventory critical suppliers, assess security posture, embed contractual security requirements in renewals, define contingency for supplier failure. The most under-prepared measure in mid-sized organisations.
  • Roll out cyber hygiene training for all staff + role-specific deeper modules. Microsoft Defender for Office 365 attack simulation; Viva Learning content; documented attendance. Role-specific for IT, security, finance, HR, and management body.
  • Train the management body on cybersecurity and document attendance. Article 20 specifically requires this. The training does not have to be technical; the management body must be able to oversee implementation and understand the risks. Documented attendance is part of the audit evidence.
  • Define and test the effectiveness assessment cycle. Internal audit; periodic penetration testing (typically external); red-team exercises where appropriate to the entity profile. Document the cadence, the scope and the remediation tracking.
  • Set up audit-ready evidence collection. Microsoft Purview Compliance Manager evidence library; Sentinel reports; Defender posture reports; signed policies; training attendance records; supplier assessments. The audit asks for documents, not for screenshots.
  • Run an incident reporting tabletop exercise within the 24h / 72h / one-month framework. Test the workflow end-to-end: detection from Defender XDR, triage decision, escalation to management body, draft of the early warning, communication with the national CSIRT. Find the broken links before a real incident does.

Common mistakes

  1. "We are too small; NIS2 does not apply to us." The size threshold for important entities is usually 50–249 employees with annual turnover or balance sheet above €10 million. Many mid-sized organisations cross one threshold without crossing the other. Confirm against both, not against the more comfortable one. National transposition may also extend scope below the EU thresholds in specific cases.
  2. "We use Microsoft 365, so we are NIS2 compliant." Microsoft 365 covers a large part of the technical surface. It does not write your information security policy, run your supply chain assessments, train your management body or build your incident response process. NIS2 is an organisational obligation that uses technical controls.
  3. Treating the 24-hour clock as starting when the incident is fully understood. The clock starts at awareness, interpreted as enough information to recognise a significant incident is in progress. Poor detection capability will not normally be a comfortable defence under regulatory scrutiny. Detection and decision capability must be calibrated to the window.
  4. Forgetting supply chain. Measure (d) is the most under-prepared in mid-sized organisations. Vendor risk assessments, contractual security requirements, contingency planning — not just a list of suppliers in a spreadsheet.
  5. Treating management body training as a tick-box. Article 20 makes the management body accountable for governance duties. The training must enable oversight, not just attendance. Document the discussion, the decisions, and the actions taken.
  6. Relying on Microsoft Purview Compliance Manager templates without review. Compliance Manager templates are a useful starting point for evidence and gap tracking, not legal confirmation of compliance. Validate the templates against the national act and customise to the entity-specific risk profile.
  7. Documenting controls without measuring effectiveness. Article 21(f) is explicit about assessment of effectiveness. Configured controls that have never been tested are not compliant under audit scrutiny. Internal audit, penetration testing, red-team where appropriate.
  8. Ignoring multi-member-state operations. An organisation with activities in multiple EU member states may have NIS2 obligations in some jurisdictions before others, with different national reporting destinations and possibly different penalty caps. Map the obligations per jurisdiction; do not assume one-size-fits-all.

Translating NIS2 into a Microsoft 365 control baseline?

If your organisation needs to translate NIS2 into a Microsoft 365 control baseline, I can help map Article 21 to your tenant, identify evidence gaps, prepare the incident reporting workflow and build a practical remediation roadmap for management body review.
