How to Scope an NIS2 Audit-Readiness Engagement

A client asks you for a quote on NIS2 compliance. You know the platform side takes a day or two to set up. You also know the real work is not the platform. What do you actually commit to, and how do you price it so you are not eating implementation hours? This is a scoping guide written by operators, for operators.

The Scoping Question You Have to Answer

A client sends a procurement request, or their insurer asks for proof, or a larger customer demands CyFun Basic evidence. You are asked: "How long will this take, and what will it cost?" Answering that well requires you to separate three very different work streams that a generic "compliance" quote blurs together.

Platform setup (1 to 2 days)

Connecting integrations, running policy wizards, loading estate data. Fixed and fast.

Policy validation and register population (weeks)

Tailoring draft policies to how the client actually operates, populating risk, supplier, incident, and training registers, chasing management sign-off.

Missing security measures (months, variable)

Rolling out MFA, deploying EDR, setting up immutable backup, implementing logging retention. This is engineering work, not compliance paperwork.

What the Platform Does vs What You Do vs What the Client Does

Clarity on this split during scoping prevents the expectations mismatch that kills engagements in month three. The platform is fast. The engagement around it is where the hours go.

Platform work (invisible, automatic)

  • Framework provisioning and wiki scaffolding after intake assessment
  • Integration sync for technical evidence (M365 Graph, EDR, backup, firewall)
  • Policy draft generation via wizards, context-aware to the client
  • Cascade engine (approving one control pre-populates dependents)
  • Evidence expiry tracking, punch-list updates, gap analysis
  • Exports: CCB workbook, CAB share link, branded report, ZIP bundle

MSP work (your billable hours)

  • Client relationship, commercial terms, billing the end client
  • Phase 2 session: sitting with the client once to connect integrations and run wizards
  • Validating and tailoring the policy drafts to the client's real operations
  • Populating the 10 registers with real client data (risk, supplier, incident, training, phishing-test, backup-test, change, policy-review, onboarding, reviews)
  • Chasing management sign-off on policies, one cluster at a time
  • Implementing missing security measures: MFA rollout, EDR deployment, backup hardening, logging retention — this is often the biggest timeline driver and is almost always under-scoped
  • Quarterly reviews, incident coordination, audit prep

Client work (the hand-offs you need)

  • Approving policies at management level
  • Providing estate data: headcount, software inventory, suppliers
  • Participating in training and phishing tests when triggered
  • Being available for the CAB audit on the scheduled date

Three Client Profiles, Three Timelines

The 1 to 2 day platform setup is fixed. What varies is Phase 3, the validation and implementation stretch. During the first scoping conversation, walk the client through which profile they match. This calibrates expectations before you quote a deadline.

Well-equipped client: 1 to 3 months

Starting position: M365 with MFA enforced, EDR in place, immutable backup, some form of central logging, written acceptable use policy, annual awareness training running

What drives the timeline: Policy review, management sign-off, register population. The tech is already there; the paperwork catches up.

Tip: These engagements are profitable immediately. Platform work closes ~70% of controls on day one. You spend your hours validating and getting signatures.

Client with gaps: 4 to 6 months

Starting position: Some tech in place but measurable gaps: no MFA enforcement, consumer-grade backup, no central logging, or no EDR on every device

What drives the timeline: Missing-measures implementation runs in parallel with policy work. Each gap is its own mini-project: MFA rollout, backup replacement, EDR deployment.

Tip: Quote the platform subscription monthly and the missing-measures work as a separate one-off. Do not bundle them or your hourly rate evaporates.

Greenfield KMO: 6 to 9 months or more

Starting position: Consumer-grade backup, no EDR, no MFA enforcement, no logging retention, probably no written policies

What drives the timeline: Most of the timeline is your implementation project. Compliance paperwork rides along in the final 2 months.

Tip: Do not promise audit-ready by a short deadline. Under-scoping a greenfield client creates a missed-deadline stressor around the CCB submission window and damages the relationship.

These ranges are per CyFun tier reached, typically Basic. If the client's destination is Important or Essential, see the next section: it is a multi-year arc, not a longer single window.

When the Destination Is Important or Essential: Plan a Multi-Year Arc

The 1-to-9-month timelines above assume the client is reaching one CyFun tier this engagement, typically Basic. CCB requires audit-validated Basic readiness before progressing to Important, and audit-validated Important before Essential — there is no shortcut, no skipping. So if your client's destination is Important or Essential, the realistic outline is multi-year, not multi-month. Each audit cycle also surfaces remediation work that needs a few months to close out before the next tier opens.

Year 1: Basic readiness and audit

Build the governance, evidence engine, control implementation, and audit-readiness discipline. The 12-month engagement scaffolds this. After the audit, expect 2-3 months of remediation before Year 2 starts.

Year 2: Important readiness and audit

Same loop as Year 1 but on the Important tier (132 controls vs 34 for Basic). The discipline now exists; the controls deepen. Another audit cycle, another remediation window.

Year 3+: Essential readiness and audit

Essential adds the operational-maturity layer: continuous monitoring, advanced incident response, supply-chain attestation. Realistic only after two audit cycles have proved the discipline holds. Real dates are highly context-dependent.

How to Run the Phase 2 Platform Session

Phase 2 is the 1 to 2 day platform setup. You do it once per client, usually remote. The output is a client org with auto-verified technical evidence, first-draft policies, and a complete punch list showing exactly what will fail an audit today. Run it in this order.

1. Connect M365 Graph first

GDAP consent, 30 minutes. This single integration auto-verifies roughly half of CyFun Basic controls. Get this done before anything else so the rest of the session has real data to work with.

2. Connect the EDR

Sophos, Bitdefender, SentinelOne, or Defender for Endpoint. 1 to 2 hours. This pushes auto-verified control coverage past 70% on Basic and gives you accurate device counts for population-gap detection.

3. Connect backup and firewall where connectors exist

If the client runs a supported backup vendor or firewall, connect it now. If not, note the gap; it becomes manual evidence later.

4. Populate declared estate

Headcount, device count, workplace count, software inventory. The platform uses these to detect population gaps: if the client declares 83 devices and Graph sees 12, that is a real audit finding. Get this right at Phase 2 or you will spend the next three months tidying it up.

5. Run the policy wizards in cascade order

Prioritise the 5 trigger controls first; each wizard pre-populates up to 3 dependent controls via the cascade engine. By the end of the session you have draft policies across the full framework, not a stack of blank templates.

6. Take the first punch-list snapshot

The Audit Punch List now shows Will-fail, At-risk, and Ready. This is your backlog for Phase 3. Review it with the client at the end of the session; this is where the scoping conversation for the implementation work becomes concrete.

How to Price the Engagement

The commercial model has two parts. Keep them separate in your proposal, your contract, and your billing. Clients who are confused about what they are paying for are clients who will haggle every invoice.

Part 1: Monthly compliance subscription

This covers ongoing platform access, quarterly reviews, evidence refresh, punch-list monitoring, and branded reports. ECP charges you a flat 25 euros per client per month. You charge the client between 50 and 250 euros per month depending on size, sector, and service level. With VLAIO subsidy, a client paying 100 euros per month recovers up to 45 euros, netting around 55 euros per month. This is where your recurring margin lives. Note: this is launch-phase pricing — clients onboarded at the current rate stay at that rate for current functionality as the pricing model evolves.

Volume discounts: 10% from 26 to 50 clients, 15% from 51 to 100, 20% past 100.

Part 2: One-off implementation work

Missing-measures engineering (MFA enforcement, EDR deployment, backup hardening, logging retention, policy tailoring workshops) is billed on your standard MSP rates. This is project work, not subscription work. Estimate it from the Phase 2 punch list and quote it separately.

  • MFA enforcement project: typically 3 to 8 hours per tenant depending on size and whether you need a gradual rollout
  • EDR deployment: vendor-specific, usually 0.5 to 1 hour per endpoint for a mid-sized estate
  • Immutable backup setup: depends on current vendor; often a replacement project
  • Policy tailoring and management workshop: 4 to 8 hours for a full pass on the 34 Basic controls

Scope Warnings: Don't Do These

A short list of the scoping mistakes that create unhappy clients and unprofitable engagements.

Do not promise audit-ready in 1 to 2 days

That is platform setup time, not engagement time. Confusing the two is the single most common cause of broken expectations. Platform setup produces auto-verified evidence and draft policies. Audit-ready means those policies are tailored, approved, and backed by populated registers and implemented controls.

Do not promise Important or Essential in a 12-month window

CCB makes you climb the ladder: audit-validated Basic before Important, audit-validated Important before Essential. A client whose destination is Essential is a multi-year engagement (Year 1 Basic, Year 2 Important, Year 3+ Essential). The 12-month proposal scaffolds Year 1 and makes the rest possible — name that explicitly to the VP at proposal time, not in month seven.

Do not skip missing-measures scoping

If the client has no MFA enforcement and you say "2 to 3 months to audit-ready," you have just agreed to do an MFA rollout for free. Walk the Phase 2 punch list with the client. Each Will-fail item that is an implementation gap gets its own line item in the quote.

Do not treat registers as paperwork

Populated registers auto-contribute virtual evidence to controls. An empty supplier register or an empty risk register is an audit finding, even if every policy is perfect. Schedule dedicated register-population sessions in the engagement timeline.

Do not forget population scope

Integrations cover the declared estate. If the client declares 83 devices but Graph only sees 12, the punch list flags Population gap. A real audit would fail this. Scope a cleanup sprint in Phase 3 where the declared estate is reconciled with what integrations actually report.
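The population-gap check described in Phase 2 step 4 and in this warning, as an added example: a hypothetical MSP-side pre-audit script, not ECP's own code, that reconciles the declared device count against what each integration reports and, going a step beyond the text, also flags devices the EDR is missing or that are unknown to Graph. Source names, severity labels and the 5% tolerance are assumptions; the device identifiers are constructed sample data.

```python
"""Declared-estate reconciliation: a pre-audit population-gap check.
Hypothetical MSP-side helper written for this guide, not ECP's own code;
the device identifiers below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "will-fail" or "at-risk", borrowing the punch-list labels
    control: str
    detail: str


def reconcile_estate(declared, sources, reference="m365_graph", tolerance=0.05):
    """sources maps an integration name to the set of device ids it sees.
    Assumed rules: a source reporting fewer devices than declared (beyond
    tolerance) is a population gap an auditor would fail; devices known to
    the reference inventory but missing from another source, or the reverse,
    are coverage gaps to chase before the audit."""
    findings = []
    # 1. Population gap per integration (declared 83, Graph sees 12).
    for name, devices in sources.items():
        seen = len(devices)
        if seen < declared * (1 - tolerance):
            pct = round(100 * seen / declared) if declared else 0
            findings.append(Finding("will-fail", "Population gap",
                                    f"declared {declared}, {name} sees {seen} ({pct}%)"))
    # 2. More distinct devices seen than declared: the declared estate is stale.
    union = set().union(*sources.values()) if sources else set()
    if len(union) > declared:
        findings.append(Finding("at-risk", "Undeclared devices",
                                f"integrations see {len(union)}, declared {declared}"))
    # 3. Cross-source coverage, e.g. Graph-known devices with no EDR agent.
    base = sources.get(reference, set())
    for name, devices in sources.items():
        if name == reference:
            continue
        missing = sorted(base - devices)
        if missing:
            findings.append(Finding("at-risk", f"{name} coverage gap",
                                    f"{reference} devices without {name}: {', '.join(missing)}"))
        unmanaged = sorted(devices - base)
        if unmanaged:
            findings.append(Finding("at-risk", f"Unmanaged devices in {name}",
                                    f"unknown to {reference}: {', '.join(unmanaged)}"))
    return findings


# Constructed sample: client declared 83 devices, Graph sees 12, the EDR sees 10.
SAMPLE_SOURCES = {
    "m365_graph": {f"pc-{i:03d}" for i in range(1, 13)},
    "edr": {f"pc-{i:03d}" for i in range(1, 10)} | {"pc-099"},
}

if __name__ == "__main__":
    for f in reconcile_estate(83, SAMPLE_SOURCES):
        print(f"[{f.severity}] {f.control}: {f.detail}")
```

Each finding maps to a quote line item: the population gaps become the Phase 3 cleanup sprint, the coverage gaps become the EDR deployment project.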

Do not quote before running the intake assessment

Framework tier (Small, Basic, Important, Essential) changes scope meaningfully. Run the intake assessment first, confirm the tier, and only then quote. A Basic client (34 controls) and an Important client are very different engagements.

Trigger Moments for the Scoping Conversation

You do not need to sell compliance cold. Your existing clients have triggers that make this conversation natural. Use these as openers.

Insurance renewal

"Your cyber insurer will ask about NIS2 compliance at renewal. Let us get ahead of it before they raise premiums or exclude coverage."

Supply chain ask from a larger customer

"Your biggest customer is asking for CyFun Basic proof. We can generate a branded Supply Chain Compliance Report in days, not months."

NIS2 deadline approaching

"The CCB submission window is coming up. Organisations that start now get audited first; the auditor queue is already forming."

Board or management question

"Your board is asking the right question. Here is a clear answer: where you stand today, what is missing, and what it costs to close the gap."

Procurement requirement in a tender

"This tender requires cybersecurity evidence. We can produce the artefacts they want in weeks, not months."

VLAIO subsidy announced or renewed

"VLAIO covers up to 45% of cybersecurity advisory. After subsidy, your net cost drops meaningfully. This is the best window to start."

Quarterly Rhythm and Renewal Economics

NIS2 audit-readiness is not a project; it is a service. After the client reaches audit-ready, the engagement continues at a lower cadence but never stops. Build this into the proposal from day one.

  • Quarterly review meeting, 30 to 60 minutes, led by you. Re-run the punch list, refresh expiring evidence, update registers, discuss new risks. This is where you demonstrate ongoing value and where the client renews without friction.
  • Technical evidence stays fresh automatically through integrations. The items that expire are manual artefacts: training records, phishing-test results, backup-test logs. The platform flags them in Stale; you schedule the refresh with the client.
  • Annual compliance refresh: redo the intake assessment if the client grew or changed sector, recalibrate the action plan, refresh management sign-offs.
  • Insurance renewal support: generate the evidence pack when the client renews cyber insurance. This is a billable touchpoint that reinforces the value of the subscription.
  • Framework upgrades: when the CCB publishes a new CyFun workbook version, ECP releases a migration; you re-export and the client has the new version. Communicate this proactively to the client so they see the maintenance value.

What ECP Gives You for Scoping

Easy Cyber Protection is the engine behind the engagement. You get a multi-tenant platform with assessment tools, integration sync, policy wizards, evidence collection, branded reports, and audit-ready exports at 25 euros per client per month. Your branding on everything the client sees. No compliance expertise required from you; the framework is encoded. You scope the engagement, we make the platform side predictable.

Frequently Asked Scoping Questions

How long does the whole engagement take end to end?

Per tier reached, platform setup (Phase 2) is 1 to 2 days and Phase 3 runs 1 to 9 months depending on the client's starting position: well-equipped 1 to 3 months, with gaps 4 to 6 months, greenfield 6 to 9 months or more — typically reaching CyFun Basic. If the destination is Important or Essential, that is a multi-year arc (Year 1 Basic, Year 2 Important, Year 3+ Essential) because CCB requires each tier to be audit-validated before the next opens. Walk the client through both layers in scoping: the per-tier estimate from the Phase 2 punch list, plus the multi-year tier-progression chart if their destination is above Basic.

How do I price this so I am not doing free implementation work?

Split the commercial into two streams. The monthly compliance subscription (50 to 250 euros per client) covers platform access, quarterly reviews, evidence refresh, and reporting. Missing-measures engineering (MFA, EDR, backup, logging) is billed separately on your standard MSP rates as one-off project work. Both can qualify for VLAIO subsidy if you are registered as a cybersecurity advisor. Never bundle engineering hours into the subscription fee.

What do I need to know going into the first scoping meeting?

Have the intake assessment ready to run (it determines CyFun tier). Ask about: current MFA coverage, backup vendor and immutability, EDR presence and coverage, logging retention, existing written policies, declared headcount and device count, and any regulatory triggers (insurer ask, supply chain ask, tender). These answers classify the client into one of the three profiles and drive the whole quote.

Do I need compliance or audit qualifications to deliver this?

No. MSPs prepare clients to be audit-ready. The certification audit is performed by a BELAC-accredited CAB auditor, not by you. The platform handles framework mapping and evidence structuring; you handle the client relationship, tailoring, and implementation. Think of it this way: the MSP is the bookkeeper and the CAB auditor is the external accountant.

What happens if the client misses the CAB audit window?

Under-scoping is the main cause of missed windows, especially on greenfield clients. Set the expectation honestly at scoping: a greenfield client is 6 months plus. If the client insists on a shorter window, either the scope shrinks to getting documented controls in place without full implementation, or the deadline moves. Never promise a 2-month audit-ready date to a client with no MFA and no EDR.

How do I handle the client who says "just tell me the total price"?

Two-line answer. Monthly subscription: X euros per month, starts immediately, includes platform, quarterly reviews, reporting, branded exports. One-off implementation: estimated Y euros based on the gaps we identify in Phase 2, billed as project work at our standard rates. You can qualify for up to 45% VLAIO subsidy on both. This framing closes deals faster than a single blended number.
