Understand your scope
Start with your company structure. Look at UK entities, EU establishments, European operations, shared services and relevant managed service activities. Also consider whether specific services provided in the EU may fall under NIS2 jurisdiction rules.
You do not need to solve every legal question on day one. The first goal is to find where NIS2 may apply and where legal advice is needed. Keep a dated record of your scope review.
Map your external attack surface
Compare your official inventory with what is really visible online. Look for domains, subdomains, IP addresses, applications, cloud systems and exposed services.
With a specialised platform such as Patrowl, this discovery can be automated and accelerated. Without dedicated tooling, the effort depends on company size, subsidiaries, acquisitions, cloud environments and the quality of existing records. There is no credible universal timeframe.
The goal is simple: maintain a reliable view of what you expose.
Make vulnerability management measurable
Finding a vulnerability is only the first step. You also need to know where it exists, whether the asset is exposed, who owns the fix and how long the risk stays open.
Metrics such as MTTE and MTTR can help teams measure real remediation performance. The aim is not to count thousands of findings. It is to reduce the risks that matter most and keep evidence of that work.
Give management clear evidence
Cyber security is also a leadership issue. Executives need simple indicators, such as unknown exposed assets, critical Internet-facing vulnerabilities, remediation time and risks that remain open.
The goal is not another complex dashboard. Management should understand the main risks and be able to show oversight.