Applies to: NIS2 entities converting audit findings into a time-bound baseline-remediation plan.
A 90-day plan is the operational bridge between audit output and measurable NIS2 readiness. The goal is to remove critical blockers first, stabilize governance controls, and create evidence-backed execution momentum before broader baseline deadlines.
Key Takeaways
- The first 90 days should focus on high-impact blockers, not full-document perfection.
- Severity and dependency must drive sequence decisions.
- Governance cadence and closure evidence must be set at day 1.
- A structured 90-day cycle reduces deadline risk and rework.
Scope of This Article
This article covers:
- A practical 90-day remediation structure for baseline obligations.
- Priority sequencing by severity, dependency, and evidence readiness.
- Governance checkpoints for execution control.
This article does not cover:
- Client-identifying remediation plans.
- Full proprietary implementation playbooks.
Official Reference Framework
| Source | Why it matters for a 90-day plan |
|---|---|
| Legislative Decree 138/2024 (Gazzetta Ufficiale) | Defines legal obligations and governance accountability driving remediation urgency. |
| ACN Determination on baseline obligations | Defines requirement points and control structure used for remediation sequencing. |
| ACN Reading Guide for baseline specifications | Clarifies evidence expectations and implementation interpretation. |
| ACN Guidance on incident notification | Anchors incident-readiness actions and reporting workflows. |
| ACN NIS baseline modalities/specifications | Provides implementation context and timeline checkpoints. |
Why a 90-Day Window Works
A 90-day horizon is long enough to remove structural blockers and short enough to preserve execution discipline. It allows teams to:
- prove immediate governance progress,
- close critical control gaps early,
- establish repeatable reporting and evidence routines.
90-Day Execution Structure (3 Waves)
| Wave | Time window | Primary objective | Typical output |
|---|---|---|---|
| Wave 1 | Days 1-30 | Remove critical blockers and establish governance baseline | Critical backlog activation, owner assignment, governance structure fixes |
| Wave 2 | Days 31-60 | Stabilize major controls and process dependencies | Major gap remediation, cross-reference repair, evidence capture routines |
| Wave 3 | Days 61-90 | Consolidate quality and lock monitoring cadence | Validation cycle, residual-risk review, next-quarter execution plan |
Wave 1 (Days 1-30): Critical Stabilization
Priority focus:
- critical findings with direct compliance impact,
- missing governance structure (revision/approval/accountability blocks),
- mandatory reporting process setup for high-risk domains.
Minimum outputs:
- approved critical remediation queue,
- named owner for each critical item,
- closure-evidence criteria defined per item,
- weekly executive checkpoint cadence launched.
Wave 2 (Days 31-60): Dependency Repair and Major Controls
Priority focus:
- major findings with high dependency centrality,
- process-chain continuity (monitoring -> response -> recovery),
- role taxonomy and ownership alignment across document families.
Minimum outputs:
- reduced major backlog in high-risk categories,
- dependency map updated and validated,
- evidence matrix populated for in-progress controls.
Wave 3 (Days 61-90): Quality Consolidation and Scale Prep
Priority focus:
- closure validation of first two waves,
- unresolved minor issues affecting audit confidence,
- governance packet for the next remediation cycle.
Minimum outputs:
- closure validation report (planned vs evidence-validated),
- residual-risk snapshot,
- next 90-day roadmap with board-level decision points.
Minimum Governance Rhythm for the 90-Day Plan
| Forum | Cadence | Mandatory agenda |
|---|---|---|
| Control owners | Weekly | blocker removal, dependency decisions, evidence status |
| Executive remediation board | Bi-weekly | critical/major trend, deadline variance, escalation actions |
| Governance/board checkpoint | Monthly | compliance exposure trend and resource decisions |
90-Day KPI Set
| KPI | Why it matters |
|---|---|
| Critical findings closed (validated) | Measures blocker removal quality |
| Major findings overdue ratio | Measures schedule risk |
| Evidence-validated closure rate | Measures real control completion |
| Dependency-blocked items count | Measures orchestration maturity |
| Governance decision lead time | Measures response speed on escalations |
Common 90-Day Execution Mistakes
- Planning too many parallel streams with weak ownership.
- Marking activities complete without closure evidence.
- Delaying dependency mapping until mid-cycle.
- Treating governance checkpoints as status meetings only.
FAQ
Is 90 days enough to reach full NIS2 compliance?
Usually no. It is enough to remove the highest-risk blockers and establish disciplined execution.
Should minor findings be ignored in the first cycle?
Not ignored, but sequenced after critical and dependency-heavy major findings.
Can the same owner manage all high-priority items?
This creates bottlenecks. Ownership should be distributed with clear escalation governance.
What if requirement details are unclear during execution?
Pause closure on that item and align to official baseline wording before proceeding.
Conclusion
A 90-day plan creates execution traction where audit reports alone do not. By sequencing work through criticality, dependencies, and evidence-based closure, organizations can reduce compliance risk quickly and build a controlled path toward full baseline readiness.
Related reading
- Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview
- NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness
- Recurring NIS2 Documentation Patterns and Quick Wins for Baseline Readiness
- Aegister NIS2 Compliance Service
- Aegister Virtual CISO Service