- NIS 2
- 7th Jul 2026
- 1 min read
NIS2 Compliance Software: 3 Gaps Spreadsheets Miss
- Written by
In Short...
- Evidence collection under NIS2 is a recurring obligation. Controls must be proven on a rolling basis across multiple owners, and spreadsheets lose ownership and version history the moment more than one person touches them.
- Article 21 makes supply chain security a named, mandatory measure. Assessing and monitoring supplier risk becomes a continuous workflow, well past an annual questionnaire cycle, so manual tracking stalls as supplier counts grow.
- Article 23 sets a tight incident clock. A significant incident triggers a 24-hour early warning, a 72-hour follow-up notification, and a final report within a month, all of which need owners assigned and a workflow tested before an incident forces the issue.
- Board members carry personal accountability for compliance failures. The European Commission confirms NIS2 brings top management into scope for non-compliance, so reporting has to be board-ready without a translation exercise every time it’s requested.
NIS2 compliance fails in spreadsheets because the directive, the EU's cybersecurity law for critical and important entities, demands continuous operational work: recurring evidence collection, supplier oversight, and incident response that stays current as controls, suppliers, and incidents change. A spreadsheet holds a single mapping exercise well. Ongoing execution across a stretched GRC team needs NIS2 compliance software built to run continuously.
Expert View
|
Matt Davies Chief Product Officer, SureCloud |
What our experts say about NIS2 execution
“Teams usually map NIS2’s controls correctly the first time. Where programmes stall is proving it three months later: two people, three spreadsheets, and a Friday afternoon rebuilding who reviewed what and when. That rebuild is the real cost of compliance, and the right evidence trail avoids it.” |
The Three Places NIS2 Work Actually Lives
Read as a list, NIS2’s obligations look manageable: risk management measures, incident reporting, supply chain security, business continuity. In practice, that’s rarely how the work behaves.
The cost of getting security wrong keeps climbing: IBM’s 2025 Cost of a Data Breach Report puts the global average at $4.44 million. NIS2 addresses that same risk category by requiring continuous, ongoing proof of control performance, which is what makes ad hoc tracking a real liability.
Those three obligations, evidence, supply chain, and incident response, generate continuous, repeatable work that spreadsheets handle poorly.
Evidence collection and control assurance
NIS2 requires you to demonstrate that your security measures are in place and working. That means gathering evidence across controls, on a recurring basis, from multiple owners across the business.
In a spreadsheet, this becomes a manual chase. One person owns the tracker, another owns the evidence, and version control depends on whoever last saved the file. When an auditor or regulator asks for proof, you’re rebuilding a timeline that should already exist. A costly rebuild, every time.
Supply chain and third-party oversight
Under Article 21 of NIS2, the directive's core risk management measures provision, supply chain security is a named, mandatory requirement, obliging entities to account for the vulnerabilities of their direct suppliers and service providers. For essential and important entities, that means assessing and monitoring supplier security posture on a continuous cycle that runs well past an annual questionnaire.
That’s a workflow problem. Questionnaires need to go out, get completed, get reviewed, trigger follow-up actions, and feed back into the overall risk picture. Doing that by hand across tens or hundreds of suppliers is where programmes stall.
Supplier failure is already a leading incident driver: in the UK, the Financial Conduct Authority found that over 40% of cyber incidents reported to it in 2025 involved a third party. Supplier oversight run as a lifecycle, with tiering, monitoring, and follow-up built in, is what separates working third-party risk management from a tracker nobody trusts.
Incident response and the 24-hour clock
Under Article 23 of NIS2, a significant incident triggers an early warning to the relevant authority within 24 hours of becoming aware of it, a fuller notification within 72 hours, and a final report within a month. That timeline needs a pre-built workflow with owners already assigned, tested before something goes wrong at 11pm on a Friday.
If your incident response plan lives in a static document, with no assigned owners or escalation paths built in, you’ll find out it’s incomplete at the worst possible moment. Good incident management software covers the compliance layer NIS2 actually tests: classification, evidence, and reporting deadlines that apply whether the trigger is a cyberattack, a vendor failure, a data exposure, or a plain IT outage.
From Tracking the Work to Running It
SureCloud gives governance, risk, and compliance (GRC) teams one place to run NIS2 work, from control mapping through to board reporting. Powered by Gracie AI Agents with Personas and Skills, the platform acts as a virtual GRC team: each agent has a defined role, codified expertise, and reach across every part of your compliance programme. Every activity is auditable, and nothing leaves the tenant environment. Here’s what that looks like across the three areas above:
- Control assurance and evidence: SureCloud maps controls to NIS2 requirements, assigns owners, sets review cycles, and collects evidence directly in the platform. Teams using SureCloud report a 50–65% reduction in manual evidence collection. When an auditor asks for proof, you produce an audit trail instead of a folder of screenshots.
- Third-party risk management: The platform sends supplier questionnaires, tracks responses, scores risk, and flags overdue suppliers automatically. Assessments that previously took weeks complete 50% faster, and supply chain oversight becomes a managed programme instead of a manual project someone has to chase.
- Incident management: SureCloud’s incident workflows are configurable to your organisation’s response process. Owners are assigned, timelines are tracked, and notifications are logged. The 24-hour reporting window becomes a workflow trigger instead of a scramble.
The outcome is audit readiness built into the work as it happens, always ready before a review starts.
NIS2 also places personal accountability on the boards of essential and important entities: the European Commission confirms the directive brings top management into scope for non-compliance. SureCloud surfaces compliance status in a format readable at board level without requiring the CISO to translate a spreadsheet into a presentation at short notice. Board report preparation drops from two weeks to two days.
Why Maintenance Decides Whether NIS2 Compliance Holds
Getting to initial NIS2 compliance is achievable with enough effort and a well-structured spreadsheet. Staying compliant is where the model breaks. Suppliers change. Controls drift. Incidents happen, and each one resets what 'compliant' means. The real question when evaluating any compliance approach is whether you can sustain that pace without burning out the team.
The organisations that struggle at their first NIS2 review are the ones who mapped the directive once and never built the infrastructure to keep it current.
A NIS2 programme that depends on one person knowing where everything lives is fragile. Evidence collection that requires a manual round of emails every quarter will slip. An incident workflow with no live owners built in will fail under pressure.
SureCloud is designed for the maintenance problem as much as the mapping problem. Automated reminders, recurring task schedules, supplier re-assessment cycles, and a central evidence repository mean the programme runs continuously. Teams report 35% higher task completion compared with spreadsheet-based approaches. The programme keeps running between audits because it was built to operate without a burst of manual effort keeping it alive.
Most teams handling NIS2 are managing it alongside other obligations. Where DORA, NIS2, and ISO 27001 overlap for the same organisation, mapping controls once and reusing them across all three keeps evidence collection from multiplying by three.
That’s executable GRC: work that gets done and evidenced as it happens.
See NIS2 Compliance Work in Practice
FAQ’s
Why do spreadsheets fail for NIS2 compliance?
NIS2 is ongoing operational work. It requires recurring evidence collection, supplier oversight, incident workflows, and audit trails that prove the work actually happened. Static files and email chains lose ownership and version history the moment more than one person is involved, which makes them fragile fast.
How does SureCloud help with NIS2 evidence collection?
SureCloud centralises evidence collection, assigns control owners, and keeps a clear history of reviews and updates. That means teams produce audit-ready proof faster, instead of rebuilding timelines from scattered documents and screenshots.
Can SureCloud support third-party risk for NIS2?
Yes. SureCloud supports supplier assessments, response tracking, risk scoring, and follow-up actions. That turns third-party oversight into a managed workflow instead of a manual tracker someone has to chase every week.
How does SureCloud help with NIS2 incident response?
SureCloud supports configurable incident workflows, so owners, deadlines, and escalation paths are visible in one place. That matters because once the 24-hour notification clock under Article 23 starts, you don’t want to be improvising a process for the first time.
When do organisations need to be NIS2 compliant?
Member states had until 17 October 2024 to transpose NIS2 into national law, and the European Commission has since opened infringement action against member states that missed it. Individual registration and compliance timelines vary by country from there, so check your national implementing law or competent authority for the exact date that applies to your entity.
Is NIS2 compliance a one-time project?
No, NIS2 is a continuous operating requirement. Controls drift, suppliers change, and incidents happen, so the real challenge is maintaining compliance over time without depending on one person or a spreadsheet to hold everything together, which is why most teams eventually move from spreadsheets to compliance management software built to keep pace with obligations that never fully close.
Platform +
Frameworks +
Products +
Industries +
Resources +
Company +
London Office
1 Sherwood Street, London, W1F 7BL, United Kingdom
US Headquarters
6010 W. Spring Creek Pkwy., Plano, TX 75024, United States of America
© SureCloud 2026. All rights reserved.
