Ever wanted to know how your organization is doing with something like the NIS2 implementation? Stop signing up for special courses, reading through massive books, or printing out checklists! Microsoft Purview has Compliance Manager, which allows you to easily view your implemented measures and those still to be addressed. Compliance Manager offers hundreds of templates to choose from, including ISO27001 and GDPR. In this article, I’ll discuss another recent compliance model: NIS2.
I won’t spend too much time explaining what NIS2 is. If you’re reading this, you’re probably curious about how NIS2 applies to your own Microsoft 365 tenant. The good news is that this template is already available in Microsoft Purview, and you can start using it right away.
Do note that most templates are not free to use, including the NIS2 template. If you’re an E5 customer, your first three templates are free. But don’t worry if you don’t have E5 licenses; you can purchase the templates individually.
When you log in to Microsoft Purview, navigate to Compliance Manager under Solutions in the left-hand menu. Clicking on it will take you to the Compliance Manager dashboard. Here, you’ll see a quick overview of your compliance score for activated templates and key improvements that can significantly enhance this score.
Take note that I’m logged into my own test tenant in the screenshots below. In this case, I haven’t done much yet, but you can see I’ve already scored over 10,000 points. This is because Microsoft applies its own standards to the templates and has already done some of the work. In my screenshot, you’ll see that I’ve personally scored 236 points, while the majority (9,945 points) are Microsoft-managed points. I’ll explain how this is calculated later. Let’s now move on to creating the NIS2 assessment.
When you navigate to Regulations in the Compliance Manager’s left-hand menu, you’ll see all the available regulations provided by Microsoft. These could include ISO templates, the EU Artificial Intelligence Act, and, in this case, the NIS2. Think of these as templates you can grab off the shelf to immediately evaluate your tenant’s compliance. In this list, you’ll also find the services to which the regulation applies, such as Microsoft 365 or Azure.
Search for NIS2 in this list, and you’ll find that it’s available for Microsoft 365. Keep in mind the scope: the template evaluates your use of the Microsoft 365 suite, whereas the NIS2 directive itself also imposes organizational measures (governance, risk management, incident handling, supply-chain security) on your entire company. So the NIS2 template in Compliance Manager won’t cover every aspect of your business; it covers what relates to Microsoft 365, and the rest still has to be addressed outside the tool.
On the left-hand menu, select Assessments. This will take you to an overview of the activated assessments in your tenant. In my case, I’ve already activated the EU GDPR. You’ll also see the number of free regulations available and the purchased licenses. In my case, I’ve used 1 credit out of the 3 free E5 regulations.
Now, let’s create a new assessment for Directive (EU) 2022/2555 of the European Parliament and of the Council, better known as NIS2. Click Add Assessment, and the following screen will appear. Here, choose NIS2.
The next step is to create a group for this specific assessment. You can select an existing group (e.g., Default Group), but I recommend creating a new group. If you plan to apply multiple regulations in Compliance Manager later, you’ll be able to filter actions and scores per group. For instance, you might create a separate NIS2 group and a Data and Privacy group for ISO27001 and ISO27018 regulations. This approach helps keep your assessments organized.
Note that these are not Microsoft 365 Groups but standalone groups within this portal. These groups do not involve assigning users; they are only used for grouping assessments in this portal.
Next, select the services you want to activate for this regulation. For NIS2, only Microsoft 365 is available. With other regulations, you might also see services like Azure, Amazon Web Services, or Google Cloud Platform listed. The available options depend on which services Microsoft has mapped to that particular regulation.
After creating the assessment, it will appear in the list of activated assessments. In my case, this also used an extra credit. Note that it may take some time for the progress score to display accurately. The system checks whether certain requirements have already been met and calculates the points from Microsoft-managed actions.
In the overview, you’ll see your score and the required actions for the regulation, in this case, NIS2. Under the Progress tab, you’ll notice that 1,114 points have already been scored by Microsoft, contributing to the 88% compliance score.
For NIS2, most points are Microsoft-managed, leaving only 113 points for us to address. This means that Microsoft has already implemented most of the controls in the template on its side of the shared responsibility model. Note what that score does and doesn’t tell you: Microsoft-managed points reflect controls Microsoft implements for the Microsoft 365 service itself, not anything about how your tenant is configured. A high starting percentage is therefore not evidence that your organization is NIS2-ready; only the improvement actions assigned to you measure that.
Microsoft actions can be found under the Microsoft Actions tab. When you select a Microsoft action, you’ll see its implementation status and notes regarding implementation. Usually, you don’t need to take any action on these items, but they are useful as evidence during audits of your Microsoft 365 environment, because they document which controls are covered by Microsoft rather than by you.
Under the Your Improvement Actions tab, we can see that I haven't achieved any score yet within my tenant.
Curious about how to improve compliance in your Microsoft 365 environment? Let’s take a closer look at the Your Improvement Actions section, which you’ll find at the bottom of the same page.
Here, you’ll see an overview of various measures you can take, each with a different point value. The points indicate the impact of the action as weighted by Microsoft: mandatory actions score higher than discretionary ones, and preventative actions score higher than detective or corrective ones. In practice, the higher the points, the more critical the action is to address, so sorting this list by points is a reasonable way to prioritize.
You’ll also see the Action Type listed for each measure. For NIS2, this is typically Operational or Technical. It’s good to know that not every measure requires a technical solution; some actions focus more on operational processes, policies, or documentation.
Let’s take a closer look at the improvements to be made, starting with an operational improvement:
The first action, as you can see, is Assign trainings and send reminders, which falls under operational actions. When you select this action, a new window will open where you can find more details about its implementation and how to proceed:
Microsoft provides recommendations on how to implement this action, but since this is an operational task, you are free to adapt it to your organization's practices. For example, you may already have a different method for organizing training sessions.
There are three tabs you can explore:
In this specific case, the Related Controls section shows that the action is tied to the NIS2 regulation and specifies the exact article:
Clicking on the reference provides a detailed description. Here, for example, we see that the action originates from Article 20.2, providing clarity on the regulatory foundation for this implementation.
Since this is a manual action, Compliance Manager cannot detect it automatically; you set the implementation status and test result yourself, and verification is likewise manual. As shown in the image below, the action is initially marked as not implemented and not tested, and both of those steps are required to complete it.
For this example, let’s assume your organization already provides training sessions. Now, we’ll focus on implementing this action. Click Edit details in the top-right corner, and a new screen will appear:
Once the implementation and verification are successfully completed, the action will be marked as completed on your dashboard, and the associated points will be earned. Keep in mind that the list and the score are not refreshed immediately; it may take some time after saving your changes before they are reflected.
In part 2 of this blog, I will explore how to implement NIS2 through technical solutions, including the use of Priva Privacy Risk Management. I will also explain how to export NIS2 compliance data within Microsoft 365 using Compliance Manager.
Hi, I'm Ziggy Itjoejaree. I work as a Modern Workplace Engineer and have a big interest in Microsoft Purview, data, AI and compliance. In my daily job, I mostly help customers transform and migrate to a cloud work environment.
Hi! Do we need to have an E5 license to get the most out of this NIS2 check? We currently have E3 within our organization.
You don't need an E5 license to use Compliance Manager. You can also buy credits to use one of the templates, for example NIS2. Also, all of the checks and implementations you can do within NIS2 are interpretable, and you can use Purview or other tools to implement the right things for NIS2. There are some possibilities within Purview that can help you with implementing the strategy that require E5, but it is not a hard pass if you are using E3 right now.