In NIS2, the challenge is typically not whether documentation exists, but whether it forms a working, auditable system that also supports day-to-day decisions and operations. We start by clarifying applicability and identifying critical services, then build a targeted, prioritised roadmap from a focused gap assessment: what is needed immediately, what can be scheduled, and what belongs to later maturity steps.

The focus is the combination of documented rules and demonstrable operation. Policies and procedures are created to be followed, measured and evidenced. We verify the key controls in practice (for example access, changes, backups, incident handling and suppliers) and structure the required evidence so the system remains sustainable and ‘business as usual’ – not a one-off project.

A well-designed operating model also creates tangible business value: it reduces the likelihood and impact of outages and incidents, clarifies responsibilities and decisions, and strengthens partner trust – particularly during audits, tenders and third-party assessments.