From Zero to Compliant: Your Complete Compliance Roadmap

Whether you're starting from scratch or building on existing security practices, this roadmap guides you through the complete journey to compliance. We've designed it specifically for Belgian SMEs, with clear phases, realistic timelines, and decision points that help you invest appropriately for your actual risk level.

[Image: winding mountain trail ascending toward the summit with visible waypoints. Caption: Your compliance journey has clear phases and milestones]

The 5 Phases of Your Compliance Journey

Phase 1: Assessment

Understand where you stand and where you need to go

Timeline: 1-2 weeks

Before implementing anything, you need clarity on your current security posture, your regulatory obligations, and the gap between them. This phase prevents wasted effort on unnecessary controls while ensuring you don't miss critical requirements.

Objectives:

  • Determine if NIS2 applies to your organization
  • Identify your required CyberFundamentals assurance level
  • Document your current security measures and practices
  • Identify gaps between current state and requirements
  • Estimate effort and resources needed for compliance

Deliverables:

  • Scope determination document (in/out of NIS2, sector classification)
  • Current state inventory of existing security controls
  • Gap analysis report with prioritized findings
  • Resource estimate and preliminary timeline

Phase 2: Foundation

Build your security baseline with Small tier

Timeline: 2-4 weeks

The CyberFundamentals Small tier consists of 7 essential controls that protect against the most common cyber threats. These are the fundamentals every organization should have, regardless of compliance requirements. They're designed to be achievable without specialized security expertise.

Objectives:

  • Implement all 7 Small tier controls
  • Document policies and procedures for each control
  • Train key staff on new security practices
  • Establish basic incident response capability
  • Create evidence collection habits from the start

The 7 Small Tier Controls

  1. Asset inventory and management
  2. Secure configuration of devices
  3. Access control and user management
  4. Security awareness for all staff
  5. Malware protection
  6. Backup and recovery procedures
  7. Patch management and updates

Deliverables:

  • Implemented controls with supporting documentation
  • Staff training completion records
  • Basic incident response procedure
  • Evidence folder with proof of implementation

Phase 3: Build

Achieve solid protection with Basic tier

Timeline: 2-3 months

The Basic tier expands to 34 controls, adding depth to your security posture. This level provides robust protection suitable for most SMEs and satisfies many customer and partner security requirements. It's the recommended target for organizations that handle sensitive data or provide services to larger enterprises.

Objectives:

  • Implement remaining 27 Basic tier controls
  • Formalize security policies and governance
  • Establish regular security review cycles
  • Implement technical controls for network and data protection
  • Prepare for potential third-party audits

Basic Tier Control Categories

  • Risk management framework
  • Network security and segmentation
  • Data protection and encryption
  • Incident detection and logging
  • Business continuity planning
  • Supplier and third-party security

Deliverables:

  • Complete policy framework documentation
  • Technical controls implementation report
  • Security governance structure
  • Audit-ready evidence package

[Image: lighthouse beacon cutting through coastal fog. Caption: Clear guidance through the complexity of compliance requirements]

Phase 4: Mature

Achieve Important or Essential tier for regulated sectors

Timeline: 2-4 months

Important tier (117 controls) and Essential tier (140 controls) are designed for organizations in regulated sectors where a security incident could have significant societal impact. These levels require substantial investment but provide comprehensive protection and full regulatory compliance.

Objectives:

  • Implement advanced security controls specific to your tier
  • Establish formal security governance with leadership involvement
  • Implement continuous monitoring and threat detection
  • Develop comprehensive incident response and recovery capabilities
  • Prepare for regulatory audits and certification

Advanced Control Categories

  • Security operations center (internal or outsourced)
  • Advanced threat detection and response
  • Supply chain security management
  • Cryptographic controls and key management
  • Physical security integration
  • Security metrics and continuous improvement

Deliverables:

  • Comprehensive security program documentation
  • Continuous monitoring capability
  • Formal incident response team and procedures
  • Certification-ready evidence package

Phase 5: Maintain

Establish ongoing compliance as business as usual

Timeline: Ongoing

Compliance is not a one-time achievement—it's a continuous process. This phase establishes the practices that keep you compliant as threats evolve, your business changes, and regulations update. Without maintenance, even the best implementation degrades over time.

Objectives:

  • Establish regular review and audit cycles
  • Maintain current awareness of threat landscape
  • Keep documentation and evidence up to date
  • Ensure incident reporting capability (24-hour NIS2 requirement)
  • Integrate security into business change processes
  • Monitor regulatory developments and adapt accordingly

Ongoing Maintenance Activities

Activity                                          Frequency
Control effectiveness review                      Quarterly
Policy review and updates                         Annually
Staff security awareness training                 Annually, plus ongoing
Penetration testing or vulnerability assessment   Annually
Incident response drill                           Annually
Evidence collection and organization              Continuous

Deliverables:

  • Documented review cycle and schedule
  • Continuous improvement log
  • Updated evidence repository
  • Annual compliance status report

How Phases Map to CyberFundamentals and NIS2

Each phase builds upon the previous one, aligning with CyberFundamentals assurance levels and NIS2 requirements:

Phase                 CyberFundamentals                        NIS2
Phase 1: Assessment   Gap analysis                             Scope determination
Phase 2: Foundation   Small (7 controls)                       Basic security hygiene
Phase 3: Build        Basic (34 controls)                      Standard compliance
Phase 4: Mature       Important/Essential (117-140 controls)   Full NIS2 compliance
Phase 5: Maintain     Continuous assurance                     Ongoing compliance

Realistic Timeline Expectations

Based on our experience with Belgian SMEs, here are realistic timelines for each phase. Your actual timeline depends on your starting point, available resources, and target tier.

Small Business (10-50 employees)

Target: Small or Basic tier

Timeline: 2-3 months total

Often achievable with existing IT resources. Focus on Phases 1-3.

Medium Business (50-250 employees)

Target: Basic or Important tier

Timeline: 4-6 months total

May require additional IT support or external expertise. Likely in NIS2 scope.

Essential Sector Entity

Target: Essential tier

Timeline: 6-12 months total

Requires dedicated resources and likely external audit preparation.

When to Stop vs. When to Continue

Not every organization needs to reach the highest tier. Here's how to make that decision:

Consider stopping at your current level if:

  • You've reached your legally required tier
  • Your risk assessment doesn't indicate elevated threats
  • Customer/partner requirements are satisfied
  • The cost of additional controls outweighs the risk reduction
  • You're outside NIS2 scope and have solid basics in place

Continue to the next level if:

  • Regulatory requirements demand a higher tier
  • You handle particularly sensitive data
  • Your sector has elevated threat profiles
  • Key customers require specific certifications
  • A security incident would have severe business impact

Ready to Start Your Journey?

Easy Cyber Protection guides you through each phase with actionable tasks, automated evidence collection, and clear progress tracking. Start with our free assessment to understand your scope and requirements.

Frequently Asked Questions

Can I skip phases if I already have some security in place?

You can't skip the Assessment phase—it's essential to understand where you are and what you need. However, if you already have controls in place, the subsequent phases will go faster. The assessment identifies what you already have, so you can focus only on the gaps.

What if I can't afford to do this all at once?

That's exactly why we've structured this as phases. Start with Phase 1 (Assessment) and Phase 2 (Small tier)—both are achievable with minimal investment. Then progress through subsequent phases as budget allows. Small tier alone significantly reduces your risk.

Do I need external consultants or can I do this internally?

Phases 1-3 (through Basic tier) can typically be done internally, especially with a guided platform. Phase 4 often benefits from external expertise due to the complexity and volume of controls. Phase 5 (Maintain) is primarily internal with occasional external audits.

How do I know which tier I actually need?

Your required tier depends on your NIS2 classification. Essential entities need Essential tier, Important entities typically need Important or Basic tier depending on specifics. If you're outside NIS2 scope, Basic tier is a strong recommendation for any business handling customer data or providing IT services.

What happens if regulations change after I've achieved compliance?

This is why Phase 5 (Maintain) is so important. Part of maintenance is monitoring regulatory developments and adapting your controls accordingly. A good compliance platform will alert you to changes that affect your requirements and help you adjust.

Sources

  1. NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
  2. CyberFundamentals Framework — Centre for Cybersecurity Belgium (CCB)
  3. Centre for Cybersecurity Belgium (CCB) — Official Belgian cybersecurity authority