The remediation roadmap (“Piano di Adeguamento”) is a mandatory Appendix C document and requires governing/management approval under ID.IM-01 point 1. In practice, this plan should convert risk, audit, and incident findings into sequenced implementation work with clear owners, deadlines, and closure evidence.
Key takeaways
- The remediation plan is an approval-required governance instrument, not a technical to-do list.
- It should consolidate gaps from risk assessment, control reviews, incidents, and compliance checks.
- Milestones should be aligned with the first-application baseline deadline (October 2026).
- Effective plans enforce accountability, dependency mapping, and measurable closure criteria.
Timeline context for planning discipline
| Obligation | First-application timing | Planning impact |
|---|---|---|
| Incident-notification obligations | January 2026 (9-month milestone) | Already live; remediation should include immediate operational stabilization |
| Baseline security-measure adoption | October 2026 (18-month milestone) | Roadmap must drive closure of remaining baseline gaps before deadline |
What an approvable ID.IM-01 roadmap must show
| Objective | Minimum output | Evidence |
|---|---|---|
| Gap consolidation | Unified list of findings and obligations | Consolidated gap register |
| Prioritization | Risk/impact-based sequencing | Priority model and rationale |
| Delivery governance | Owner, milestone, due date, status | Program tracker and steering notes |
| Closure control | Objective completion criteria | Closure evidence log |
Practical remediation-plan structure
1. Purpose, scope, and references
Define scope of remediation and legal/ACN reference model.
2. Input sources and baseline gap inventory
List where gaps come from: assessments, reviews, incidents, audits, and authority requirements.
3. Prioritization framework
Define how actions are ranked (risk, regulatory urgency, dependency, effort).
4. Workstreams and milestones
Group actions by domain and assign delivery milestones up to October 2026.
5. Ownership and escalation
Assign accountable owners and define escalation thresholds for delays.
6. Closure and verification model
Define acceptance criteria and required evidence for each action closure.
7. Governance reporting cycle
Set steering cadence, KPI set, and re-prioritization triggers.
Frequent remediation-plan failures
- Too many actions with no prioritization logic.
- Deadlines without dependency mapping.
- Actions closed with no verifiable evidence.
- No explicit accountability for delayed or blocked items.
- Plan not updated after incidents or risk reassessment.
20-day hardening checklist
- Consolidate all open findings into one remediation register.
- Apply a documented prioritization model.
- Define milestones and dependency chains through October 2026.
- Assign accountable owners and escalation paths.
- Set closure criteria and required evidence per action.
- Submit roadmap for governing-body approval and monthly review.
FAQ
Is the remediation roadmap mandatory for approval?
Yes. Appendix C lists “Piano di adeguamento” with reference ID.IM-01 point 1.
Can the remediation plan be merged with risk treatment?
It can be linked tightly to the risk treatment plan, but it should remain a distinct governance roadmap with its own milestone and closure discipline.
What is the main governance KPI for this plan?
On-time closure rate of prioritized actions with valid evidence, not just task completion volume.
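As an added illustration (not part of the original guide), the following Python models a remediation register with the tracker fields the page names (owner, due date, status, closure evidence) plus explicit dependencies, flags the failure modes listed under "Frequent remediation-plan failures", and computes the KPI from this FAQ. The `Action` model, the sample register and the exact day of the October 2026 baseline are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical register model; field names follow the page's tracker columns.
# The baseline milestone is "October 2026" on the page; the day is assumed.
BASELINE_DEADLINE = date(2026, 10, 1)

@dataclass
class Action:
    id: str
    owner: Optional[str]
    due: date
    status: str                       # "open" or "closed"
    evidence: Optional[str] = None    # reference to closure evidence, if any
    depends_on: List[str] = field(default_factory=list)
    closed_on: Optional[date] = None

def validate(register):
    """Return (action id, problem) pairs for the failure modes the page lists."""
    by_id = {a.id: a for a in register}
    problems = []
    for a in register:
        if not a.owner:
            problems.append((a.id, "no accountable owner"))
        if a.due > BASELINE_DEADLINE:
            problems.append((a.id, "milestone after baseline deadline"))
        if a.status == "closed" and not a.evidence:
            problems.append((a.id, "closed without closure evidence"))
        for dep in a.depends_on:
            if dep not in by_id:
                problems.append((a.id, f"unknown dependency {dep}"))
            elif by_id[dep].due > a.due:   # dependency lands after this action
                problems.append((a.id, f"due before dependency {dep}"))
    return problems

def on_time_closure_rate(register):
    """Page KPI: share of the actions passed in (the prioritized set) that were
    closed on or before their due date with closure evidence recorded."""
    if not register:
        return 0.0
    ok = sum(1 for a in register if a.status == "closed" and a.evidence
             and a.closed_on and a.closed_on <= a.due)
    return ok / len(register)

# Constructed sample register (illustrative values only)
SAMPLE = [
    Action("R-01", "CISO", date(2026, 3, 31), "closed", "audit-ticket-17", closed_on=date(2026, 3, 20)),
    Action("R-02", "IT Ops", date(2026, 2, 28), "closed", None, ["R-01"], closed_on=date(2026, 2, 20)),
    Action("R-03", None, date(2026, 12, 15), "open"),
    Action("R-04", "SOC lead", date(2026, 9, 30), "closed", "evidence-log-42", closed_on=date(2026, 10, 5)),
]
```

Running `validate(SAMPLE)` reports R-02 closed without evidence and due before its dependency, and R-03 with no owner and a milestone past the baseline; `on_time_closure_rate(SAMPLE)` is 0.25, since R-04 was closed late despite having evidence.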
Conclusion and next steps
A strong ID.IM-01 plan is the operational backbone of NIS closure toward October 2026. The immediate focus should be one integrated, evidence-driven roadmap that links risk decisions to accountable execution and verifiable outcomes.
Related reading
- NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now
- NIS2 risk treatment plan: practical guide for ID.RA-06 approval
- NIS2 KPIs and continuous improvement: operational metrics for resilient compliance
- Aegister NIS2 Compliance Service
- Free NIS2 Assessment