Managing NIS2 in a Spreadsheet or a GRC Platform? A Practical Comparison
When is a spreadsheet enough for NIS2, and when does it start to cost you? A practical comparison with a GRC platform and continuous compliance.
NIS2 is no longer a “next year” problem. The directive is in force across the EU and member states have now transposed it into national law — the original transposition deadline was 17 October 2024, and the regime has moved from preparation into active supervision and enforcement. The scope is broad, penalties are steep, and management bodies are now personally accountable for compliance.
So most companies reach for the same first tool: a spreadsheet. A requirements checklist, a status column, evidence in folders, reminders over email.
At first it works. At least on the surface.
The trouble starts later — when the requirements list turns into a living process: you have to assign owners, collect evidence, assess suppliers, report to the board, and stand ready for an incident that will not wait until someone finds the right file in a folder called “final_final_v3”.
This article compares two approaches to NIS2 — managing it yourself in spreadsheets, email and folders, versus managing it in a GRC platform such as Quantifier.ai. The point is not that spreadsheets are bad. They are excellent to start with. The catch is that with NIS2, starting is the easy part.
Why NIS2 is hard to run manually
On paper, NIS2 looks like a list of obligations. In practice it is a network of processes, people, documents, deadlines and evidence — and that network only grows for organisations operating across several member states.
Article 21 of the directive requires “appropriate and proportionate” technical and organisational measures across roughly a dozen areas: risk management, incident handling, business continuity, supply-chain security, access control, multi-factor authentication (MFA), encryption and assessing the effectiveness of controls. This is not one policy to tick off — it is a system you have to maintain and prove.
On top of that sits the incident-reporting regime, which runs on a clock: an early warning within 24 hours, a full notification within 72 hours, and a final report within 30 days. You cannot “catch up in a spreadsheet” once an incident is already underway.
The manual approach breaks the moment more than one person is involved. With NIS2, many usually are: IT, security, the board, compliance, legal, procurement, system and process owners, suppliers. Everyone holds a piece of the puzzle. Someone has the policy, someone has the logs, someone knows the vendor, and someone else “thinks they saw that procedure once.”
That is where the real work begins.
When a spreadsheet is enough — and when it starts to hurt
A spreadsheet makes sense at the discovery stage. If a company is still checking whether it falls in scope, building its first requirements map, or running an initial compliance workshop, a sheet is a good sketch.
The problem starts when the sketch begins pretending to be a compliance management system. A spreadsheet stops being enough once you have: multiple requirement owners, many statuses to update, evidence scattered across locations, recurring tasks, suppliers to assess, an obligation to report to the board, audit requirements, incidents that need fast escalation, and links to other standards (ISO 27001, DORA, SOC 2, NIST).
At that point the sheet is no longer a simple tool. It becomes one more thing you have to keep alive by hand — and with NIS2, the first spreadsheet is not the expensive part. Keeping it alive over time is.
Spreadsheet vs GRC platform: where the time goes
The biggest cost of the manual approach is not filling in the table. It is coordination, chasing, reminding, hunting for documents and assembling reports by hand. Here is a practical comparison of the two models.
A spreadsheet shows a list. A platform runs a process. That is the fundamental difference — and it decides whether compliance can be sustained over the next 12 months, not just built once.
NIS2 as continuous compliance
The most common mistake is treating NIS2 as a project to close: run the analysis, prepare the documents, tick off the requirements, revisit it next year.
But NIS2 covers areas that change constantly — IT systems, suppliers, vulnerabilities, incidents, processes, responsible people and risks. That is why a continuous-compliance model makes more sense: keeping compliance alive as a system, rather than as a one-off push.
In this model a company does not ask once a year “are we compliant?” It asks regularly: which controls are active, which evidence is current, which risks have grown, which suppliers need review, whether the board has an up-to-date picture, and whether the incident procedure is ready to use. That is exactly the kind of ongoing visibility a spreadsheet cannot provide — and the reason NIS2 demands a management system, not a table.
The AI layer: what actually removes the busywork
In a GRC platform, part of the operational load shifts to an AI layer (in Quantifier.ai this is the AI Officer — an assistant working between regulation, documentation and the team’s day-to-day work).
The AI Officer does not replace your compliance manager, CISO or risk owner — handing responsibility for cybersecurity to an algorithm is a great idea only in a disaster movie. What it does is support requirements analysis, translating regulation into concrete tasks, spotting gaps in documentation, suggesting action owners, assessing supplier risk and preparing board summaries.
In practice, instead of asking “who was supposed to fill this in?”, the team sees in one place: what is required, who owns it, what the status is, what is missing and what needs a decision. That turns NIS2 from a manual checklist into a managed process.
What a spreadsheet cannot handle across multiple jurisdictions
This is where theory ends and the hard parts begin. NIS2 is one directive, but it lands as separate national laws with their own timelines, registration duties and supervisory authorities. For a company operating in several member states, a spreadsheet has to track divergent national deadlines and registers at the same time — while the 24/72/30 incident clock runs identically everywhere. That is a lot of moving parts to hold in cells by hand.
The penalties are among the steepest in EU regulation: for essential entities, up to €10 million or 2% of global annual turnover; for important entities, up to €7 million or 1.4% (whichever is higher). On top of that comes personal liability for members of the management body — much like under the GDPR.
A spreadsheet will not remind you of a national registration deadline. It will not build the audit trail you will need when a regulator asks. It will not prove who approved which control, when, and on the basis of what evidence. With this much at stake, the question is not “can it be done in a spreadsheet,” but “how long can it be held together without chaos — and will it hold up in front of a supervisory authority?”
There is also an efficiency dividend hiding here. NIS2 and DORA, for example, share near-identical incident-reporting obligations; a single evidence base can serve both, while parallel spreadsheets multiply the work and introduce version conflicts between frameworks.
Spreadsheet or GRC platform: the short answer
A spreadsheet helps you start — at first discovery, the obligations map, a small set of systems.
A GRC platform helps you sustain compliance over time — when multiple owners, evidence, suppliers, board reporting, an audit trail and hard national deadlines are in play.
The more people, systems and evidence involved, the faster the platform pays for itself — not because it is “prettier” than a spreadsheet, but because it organises accountability.
How Quantifier.ai helps you move from spreadsheets to continuous compliance
Quantifier.ai takes organisations from manual compliance management to a continuous-compliance model — through ready frameworks and control mapping, an AI Officer that supports gap analysis, task assignment to owners, review workflows, a central evidence repository, status and risk dashboards, supplier management, incident-process support, and cross-mapping of NIS2 with ISO 27001, DORA and SOC 2.
As a result, NIS2 is no longer a separate spreadsheet kept by one person. It becomes a process the whole organisation can see — and one you can defend in front of an auditor.
See how Quantifier.ai maps NIS2 requirements onto a working process → book a demo.
FAQ
Can NIS2 be implemented on your own in a spreadsheet?
Yes, at the start. A spreadsheet helps with mapping requirements, a first checklist and assigning owners. The problem appears when you have to sustain compliance, collect evidence, report status, assess suppliers and build the audit trail regulators expect.
When does a company need to move from a spreadsheet to a GRC platform?
When multiple departments are involved, when board reporting becomes an obligation, and when you need to collect evidence, monitor suppliers, handle incidents on the 24/72/30 clock, and keep compliance status continuously up to date.
Does the AI Officer replace the compliance manager?
No. The AI Officer supports the team by automating repetitive tasks, analysing gaps, organising evidence and helping prepare reports. Responsibility for decisions and compliance stays with the organisation and its management body.
Which NIS2 processes can be automated?
Among others: requirements mapping, task assignment, evidence collection, control reviews, supplier assessment, status reporting, incident workflows and audit preparation.
Does a NIS2 platform help with other regulations too?
Yes, if it supports cross-mapping. Many NIS2 controls overlap with ISO 27001, DORA, SOC 2 and NIST — one evidence base can serve several regimes at once. NIS2 and DORA in particular share near-identical incident-reporting duties.
What are the penalties for non-compliance with NIS2?
For essential entities, fines reach up to €10 million or 2% of global annual turnover; for important entities, up to €7 million or 1.4% (whichever is higher). Members of the management body can also be held personally liable.