How to Talk to Your IT Partner About NIS2
NIS2 is here, and as a business owner you are ultimately responsible for compliance - even if you outsource IT. But how do you bring this up with your IT partner? What should you ask? And how do you know if they are taking it seriously? This guide gives you a ready-to-use script you can literally forward to your IT provider.
Not sure what NIS2 entails? Start with our guide on what NIS2 is and the specific requirements. Your IT partner should understand the CyberFundamentals framework and its levels.
Why You Need to Have This Conversation
Many Belgian SME owners assume their IT partner has NIS2 covered. This is a dangerous assumption. Here is why you need to bring it up proactively:
Legal responsibility is yours
Under NIS2 (and the Belgian transposition law), management is personally liable. You cannot delegate this responsibility to a supplier.
Most IT partners are generalists
Your IT provider may be excellent at managing servers and networks, but NIS2 compliance requires specific knowledge of risk assessments, policies, and evidence collection.
The deadline is real
Belgium has transposed NIS2 into national law. Enforcement is coming. Waiting until an audit notice arrives is too late.
Your IT partner may not know
Many smaller IT providers and MSPs are still getting up to speed on NIS2 themselves. Your question might be the push they need.
Insurance increasingly requires it
Cyber insurers in Belgium are starting to ask about NIS2 readiness. A conversation now saves scrambling later.
It protects the relationship
Having clear expectations upfront prevents blame games after an incident. Both sides benefit from clarity.
The Conversation Script
Here is a message you can send to your IT partner today. Feel free to copy it, adjust the tone, or simply forward this page:
This message works whether you send it by email, Teams, or WhatsApp. The key is to be specific and request a dedicated meeting - not a five-minute chat at the end of a support call.
5 Questions to Ask Your IT Partner
During the meeting, focus on these five questions. The answers will tell you a lot about whether your IT partner is ready to support your NIS2 journey:
1. Do you know what NIS2 and CyberFundamentals mean for our business?
A good IT partner should understand the framework levels (Basic, Important, Essential) and know which one applies to you. If they look confused, treat that as a warning sign.
Green flag
They explain which level you likely need and reference specific controls.
Red flag
They say "NIS2 does not apply to small businesses" without checking your sector and size.
2. Can you do a gap analysis against NIS2 requirements?
Before you can plan, you need to know where you stand. A gap analysis maps your current security measures against what NIS2 requires.
Green flag
They offer a structured assessment with a report and prioritized action items.
Red flag
They say "you already have antivirus and a firewall, so you should be fine."
3. How would we handle a security incident together?
NIS2 requires incident reporting within 24 hours (early warning) and 72 hours (full notification). Your IT partner needs to be part of this process.
Green flag
They have (or can create) an incident response plan with clear roles, contact details, and reporting procedures.
Red flag
They say "just call us when something happens and we will figure it out."
4. What audit evidence can you help us produce?
Compliance is not just about having security measures - it is about proving you have them. You need documentation, logs, policies, and records.
Green flag
They can provide security reports, patch management logs, access reviews, and help draft policies.
Red flag
They do not understand what an auditor would ask for or say "we do not do documentation."
5. What timeline is realistic to become audit-ready?
NIS2 readiness is a journey, not a single project. You need a realistic roadmap with milestones.
Green flag
They propose a phased plan: quick wins in 1-3 months, core controls in 3-6 months, full readiness in 6-12 months.
Red flag
They either promise "we can do it in two weeks" or refuse to commit to any timeline.
Red Flags: Signs Your IT Partner Is Not Ready
Watch out for these warning signs during the conversation. They do not necessarily mean you need a new IT partner, but they do mean you need additional support:
"NIS2 does not apply to you"
Unless they have thoroughly checked your sector classification and company size, this dismissal is premature. Many companies that think they are exempt actually fall under NIS2 through sector classification or as part of a supply chain.
"We already handle your security, so you are compliant"
Security measures and compliance are not the same thing. Compliance requires documented policies, risk assessments, incident response plans, and audit evidence. Having a firewall is not the same as being NIS2-ready.
"We will deal with it when the auditors come"
This is like saying you will study for the exam during the exam. NIS2 readiness takes months of preparation. Auditors expect to see a track record of compliance, not a last-minute scramble.
They cannot explain the CyberFundamentals levels
In Belgium, NIS2 is implemented through the CCB CyberFundamentals framework. If your IT partner does not know the difference between Basic, Important, and Essential levels, they are not ready to guide you.
They have no other clients working on NIS2
If none of their clients are working on NIS2, they may lack practical experience. Ask for references or case studies from similar compliance projects.
They resist putting things in writing
If they are reluctant to document responsibilities, SLAs, or incident response procedures, that is a governance red flag. NIS2 is built on documented, demonstrable security.
Next Steps After the Meeting
Once you have had the conversation, here is what to do depending on the outcome:
Best case: Your IT partner gets it
They understand NIS2, can perform a gap analysis, and propose a roadmap.
- Agree on a gap analysis timeline (start within 4 weeks)
- Define roles and responsibilities in writing
- Set up monthly progress check-ins
- Ask for a written proposal with costs and milestones
- Consider using a compliance platform to track progress together
Middle ground: Willing but not yet ready
They take NIS2 seriously but lack specific compliance experience.
- Give them time to get trained (4-6 weeks is reasonable)
- Suggest they explore compliance tooling and frameworks
- Consider bringing in a specialized NIS2 consultant to supplement
- Set a review date to reassess their readiness
- Use a platform like Easy Cyber Protection to provide structure for both of you
Worst case: They dismiss or deflect
They do not take NIS2 seriously or refuse to engage with the topic.
- Document the conversation and their response
- Seek a second opinion from another IT provider or consultant
- Do not wait - start your NIS2 preparation with another partner
- Consider whether this reflects broader quality issues with the relationship
- Remember: your legal liability does not go away because your IT partner is unprepared
Make NIS2 Conversations Easier
Easy Cyber Protection gives you and your IT partner a shared platform for NIS2 readiness. Track your gap analysis, manage controls, collect evidence, and prepare for audits - together. No more spreadsheet ping-pong.
Frequently Asked Questions
Can I just forward this article to my IT partner?
Absolutely. That is exactly what this article is designed for. The conversation script, the five questions, and the red flags section give your IT partner a clear picture of what you need. It removes the awkwardness of "I found something on the internet" by providing a structured, professional framework for the discussion.
What if my IT partner says NIS2 does not apply to my business?
Ask them to verify specifically. NIS2 applies based on sector and company size. In Belgium, many SMEs in manufacturing, food production, healthcare, digital services, and other sectors are covered. Even if you are not directly in scope, your larger clients may require NIS2-level security from their suppliers. The CCB has published guidance to help determine scope.
Should I switch IT partners if they are not NIS2-ready?
Not necessarily. Many IT partners are still building NIS2 expertise. What matters is their willingness to learn and adapt. If they are dismissive or refuse to engage, that is a bigger concern than a current knowledge gap. Give willing partners a reasonable timeline (2-3 months) to get up to speed, and supplement with specialized tools or consultants in the meantime.
How much should NIS2 compliance cost through my IT partner?
Costs vary widely depending on your current security maturity, company size, and which CyberFundamentals level you need. For a typical Belgian SME (10-50 employees) at the Basic or Important level, expect a gap analysis to cost between 2,000-5,000 EUR, and ongoing compliance management between 500-2,000 EUR per month. Be wary of partners who quote either very low (they may not understand the scope) or very high (they may be overcomplicating it).