Achieving NIS2 compliance can feel overwhelming, but breaking it down into actionable steps makes the process manageable. This checklist guides you through everything your organisation needs to do, from determining whether NIS2 applies to you to implementing the required security measures.
Use this checklist as a practical roadmap to prepare for NIS2 compliance or assess your current readiness.
New to NIS2? Read our comprehensive NIS2 guide for detailed background on the directive and its requirements.
## Quick Reference: NIS2 Compliance Timeline
| Milestone | Date | Action Required |
|---|---|---|
| Directive entered into force | 16 January 2023 | Awareness |
| Member state transposition deadline | 17 October 2024 | Check national law |
| Enforcement begins | October 2024 onwards | Full compliance required |
| First compliance audits | 2025 | Be audit-ready |
## Checklist 1: Scope Assessment
Before implementing any security measures, confirm whether NIS2 applies to your organisation.
### ✅ 1.1 Determine Your Sector Classification
**Essential Entities (Annex I):**
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health sector (hospitals, healthcare providers, laboratories)
- Drinking water supply and distribution
- Waste water collection and treatment
- Digital infrastructure (DNS, TLD, cloud, data centres, CDNs)
- ICT service management (managed services, managed security)
- Public administration (central government)
- Space (ground-based infrastructure)
**Important Entities (Annex II):**
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (marketplaces, search engines, social networks)
- Research organisations
### ✅ 1.2 Verify Size Thresholds
- Medium enterprise: 50+ employees OR €10M+ annual turnover/balance sheet
- Large enterprise: 250+ employees OR €50M+ annual turnover
Note: Some entities are covered regardless of size (DNS providers, TLD registries, trust service providers, public administration, sole providers of critical services).
### ✅ 1.3 Check for Automatic Inclusion
Even below size thresholds, you may be in scope if:
- You are a trust service provider
- You provide public electronic communications networks
- You are the sole provider of an essential service in a member state
- You are designated as critical under the CER Directive
- A disruption to your services could have significant impact on public safety
### ✅ 1.4 Document Your Classification
- Record your entity type (essential or important)
- Document the rationale for your classification
- Identify your national competent authority
- Note your registration requirements (if any)
## Checklist 2: Governance & Management Accountability
NIS2 places explicit responsibility on management bodies. Complete these governance requirements:
### ✅ 2.1 Board-Level Accountability
- Assign cybersecurity responsibility to a board member or senior executive
- Schedule regular cybersecurity updates to the board (quarterly minimum)
- Document board approval of cybersecurity risk management measures
- Ensure management can be held accountable for NIS2 compliance
### ✅ 2.2 Management Training
- Provide NIS2-specific training to all management body members
- Document training completion and content covered
- Schedule refresher training annually
- Include training on personal liability implications
### ✅ 2.3 Organisational Structure
- Appoint a CISO or equivalent cybersecurity lead
- Define clear reporting lines for cybersecurity matters
- Establish a cybersecurity steering committee or working group
- Document roles and responsibilities in writing
## Checklist 3: Risk Management Framework
Implement a comprehensive risk management approach as required by Article 21.
### ✅ 3.1 Risk Assessment
- Conduct a full cybersecurity risk assessment
- Identify critical assets, systems, and data
- Map all network and information systems in scope
- Assess threats and vulnerabilities for each asset
- Calculate risk levels (likelihood × impact)
- Document risk assessment methodology and results
### ✅ 3.2 Risk Treatment
- Develop risk treatment plans for all identified risks
- Prioritise risks based on severity and business impact
- Assign owners for each risk treatment action
- Set deadlines and track progress
- Accept, mitigate, transfer, or avoid each risk (documented decision)
### ✅ 3.3 Ongoing Risk Management
- Schedule regular risk assessment reviews (minimum annually)
- Trigger reassessments after significant changes
- Monitor emerging threats relevant to your sector
- Update risk register continuously
## Checklist 4: Security Policies & Procedures
Develop and maintain the policies required under NIS2.
### ✅ 4.1 Core Security Policies
- Information Security Policy (overarching)
- Acceptable Use Policy
- Access Control Policy
- Data Classification Policy
- Cryptography and Encryption Policy
- Network Security Policy
- Vulnerability Management Policy
- Patch Management Policy
### ✅ 4.2 Operational Procedures
- Incident Response Procedures
- Change Management Procedures
- Backup and Recovery Procedures
- User Access Management Procedures
- Third-Party Access Procedures
- Secure Development Procedures (if applicable)
### ✅ 4.3 Policy Governance
- Assign policy owners for each document
- Set review schedules (minimum annually)
- Establish version control and change tracking
- Communicate policies to all relevant personnel
- Obtain acknowledgement of policy awareness
## Checklist 5: Technical Security Measures
Implement the technical controls required under Article 21.
### ✅ 5.1 Access Control & Authentication
- Implement role-based access control (RBAC)
- Apply principle of least privilege
- Deploy multi-factor authentication (MFA) for:
  - All remote access
  - All privileged accounts
  - All access to critical systems
  - All administrator accounts
- Conduct quarterly access reviews
- Implement automated account deprovisioning
### ✅ 5.2 Network Security
- Segment networks appropriately
- Deploy firewalls and intrusion detection/prevention systems
- Implement secure configurations for all network devices
- Monitor network traffic for anomalies
- Secure wireless networks
- Protect remote access connections (VPN, zero trust)
### ✅ 5.3 Endpoint Security
- Deploy endpoint detection and response (EDR) solutions
- Implement anti-malware protection
- Enable host-based firewalls
- Enforce device encryption
- Manage mobile devices (MDM)
- Control removable media
### ✅ 5.4 Cryptography & Data Protection
- Encrypt data at rest (databases, file storage, backups)
- Encrypt data in transit (TLS 1.2+ for all connections)
- Implement secure key management
- Use approved cryptographic algorithms
- Protect cryptographic keys from unauthorised access
### ✅ 5.5 Vulnerability Management
- Conduct regular vulnerability scans (minimum monthly)
- Perform annual penetration testing
- Define vulnerability remediation SLAs:
  - Critical: 24-48 hours
  - High: 7 days
  - Medium: 30 days
  - Low: 90 days
- Track remediation to completion
- Establish secure configuration baselines
## Checklist 6: Incident Response & Reporting
Prepare for the strict incident reporting requirements under NIS2.
### ✅ 6.1 Incident Response Plan
- Document incident response procedures
- Define incident classification criteria
- Establish incident response team and roles
- Create communication templates (internal and external)
- Define escalation procedures
- Identify when incidents become "significant"
### ✅ 6.2 NIS2 Notification Requirements
Ensure you can meet the mandatory reporting timelines:
| Notification | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours | Whether the incident is suspected to be malicious or unlawful, and whether it could have cross-border impact |
| Incident notification | Within 72 hours | Initial assessment, severity, impact, indicators of compromise (IoCs) |
| Intermediate report | Upon request | Status update |
| Final report | Within 1 month | Root cause, detailed description, remediation |
- Identify your national CSIRT contact details
- Create notification templates for each stage
- Assign responsibility for regulatory notifications
- Test notification procedures in exercises
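An added example (not from the original checklist) of the deadline tracking behind the table above, in Python: it derives the three fixed deadlines from the moment the entity becomes aware of the incident and reports whether each notification was sent on time. It assumes "within 1 month" means one calendar month and that all timestamps are UTC; the intermediate report has no fixed clock and is left out.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Reporting stages from NIS2 Article 23, measured from the moment the entity
# becomes aware of a significant incident: 24 h, 72 h, then one month.
# The intermediate report is "upon request" and has no fixed clock, so it is
# not modelled here.

def add_one_month(t: datetime) -> datetime:
    """Same calendar day next month, clamped to month end (31 Jan -> 28 Feb).
    Assumption: 'one month' is read as a calendar month, not 30 days."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def deadlines(aware_at: datetime) -> dict:
    """Absolute deadline for each mandatory stage."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }

def reporting_status(aware_at: datetime, sent: dict, now: datetime) -> dict:
    """Per stage: 'on_time' / 'late' if a notification was sent,
    'due' / 'overdue' if it is still outstanding at `now`."""
    status = {}
    for stage, due in deadlines(aware_at).items():
        sent_at = sent.get(stage)
        if sent_at is not None:
            status[stage] = "on_time" if sent_at <= due else "late"
        else:
            status[stage] = "due" if now <= due else "overdue"
    return status

# Constructed sample, not a real incident: awareness late on 31 January so the
# month-end clamp for the final report is exercised. All times are UTC.
SAMPLE_AWARE_AT = datetime(2025, 1, 31, 15, 0, tzinfo=timezone.utc)
SAMPLE_SENT = {
    "early_warning": datetime(2025, 2, 1, 10, 0, tzinfo=timezone.utc),         # 19 h: on time
    "incident_notification": datetime(2025, 2, 4, 9, 0, tzinfo=timezone.utc),  # 90 h: late
}
SAMPLE_NOW = datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)

def demo() -> dict:
    return reporting_status(SAMPLE_AWARE_AT, SAMPLE_SENT, SAMPLE_NOW)

if __name__ == "__main__":
    for stage, due in deadlines(SAMPLE_AWARE_AT).items():
        print(f"{stage:22s} due {due.isoformat()}  -> {demo()[stage]}")
```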
### ✅ 6.3 Incident Detection
- Implement security monitoring (SIEM)
- Configure alerting for security events
- Establish 24/7 monitoring capability (or contract with MSSP)
- Define detection use cases relevant to your threats
- Integrate threat intelligence feeds
### ✅ 6.4 Post-Incident Activities
- Conduct post-incident reviews
- Document lessons learned
- Update procedures based on findings
- Track incidents and trends over time
## Checklist 7: Business Continuity & Backup
Ensure operational resilience as required under NIS2.
### ✅ 7.1 Business Continuity Planning
- Conduct business impact analysis (BIA)
- Identify critical business processes
- Define recovery time objectives (RTO) and recovery point objectives (RPO)
- Develop business continuity plans for critical services
- Establish crisis management procedures
- Define crisis communication protocols
### ✅ 7.2 Backup Management
- Implement automated backups for all critical systems
- Follow the 3-2-1 backup rule:
  - 3 copies of data
  - 2 different storage types
  - 1 offsite/offline copy
- Encrypt all backups
- Test backup restoration regularly (minimum quarterly)
- Document backup schedules and retention periods
### ✅ 7.3 Disaster Recovery
- Develop disaster recovery plans
- Identify recovery sites (if applicable)
- Document system recovery procedures
- Test disaster recovery annually
- Update plans after each test
## Checklist 8: Supply Chain Security
Address the supply chain security requirements explicitly mandated by NIS2.
### ✅ 8.1 Supplier Risk Assessment
- Inventory all suppliers and service providers
- Classify suppliers by criticality and access level
- Conduct security assessments of critical suppliers
- Review supplier certifications (ISO 27001, SOC 2, etc.)
- Assess supplier incident history and security posture
### ✅ 8.2 Contractual Requirements
- Include cybersecurity requirements in all supplier contracts
- Require incident notification from suppliers
- Define security SLAs and penalties
- Require right-to-audit clauses
- Address data protection and confidentiality
- Include termination and transition provisions
### ✅ 8.3 Ongoing Supplier Management
- Monitor supplier compliance continuously
- Conduct periodic supplier security reviews
- Track supplier security incidents
- Update supplier risk assessments annually
- Maintain supplier contact lists for incidents
## Checklist 9: Training & Awareness
Build a security-aware culture throughout your organisation.
### ✅ 9.1 Security Awareness Programme
- Develop annual security awareness training programme
- Make training mandatory for all employees
- Cover NIS2-relevant topics:
  - Phishing and social engineering
  - Password security
  - Data handling and classification
  - Incident reporting procedures
  - Physical security
- Track training completion rates
- Test awareness through phishing simulations
### ✅ 9.2 Role-Based Training
- Provide additional training for IT staff
- Train incident response team members
- Educate developers on secure coding (if applicable)
- Brief management on their NIS2 responsibilities
- Train procurement on supplier security requirements
### ✅ 9.3 Training Records
- Maintain records of all training delivered
- Document training content and dates
- Track individual completion status
- Generate compliance reports as needed
## Checklist 10: Documentation & Audit Readiness
Prepare evidence for compliance verification and potential audits.
### ✅ 10.1 Compliance Documentation
- Maintain a compliance evidence repository
- Document all NIS2 implementation activities
- Keep records of risk assessments and treatment plans
- Archive incident reports and notifications
- Store policy versions and approval records
- Retain training records and attendance logs
### ✅ 10.2 Audit Preparation
- Conduct internal compliance audits
- Address audit findings promptly
- Prepare an audit evidence pack
- Identify key personnel for audit interviews
- Review and update documentation regularly
### ✅ 10.3 Continuous Improvement
- Track compliance metrics and KPIs
- Review effectiveness of security measures
- Update controls based on new threats
- Benchmark against industry best practices
- Plan for annual compliance reviews
## Summary: NIS2 Compliance Quick Reference
| Area | Key Actions | Priority |
|---|---|---|
| Scope | Confirm applicability, document classification | 🔴 High |
| Governance | Board accountability, management training | 🔴 High |
| Risk Management | Risk assessment, treatment plans | 🔴 High |
| Policies | Core security policies, procedures | 🔴 High |
| Technical Controls | MFA, encryption, monitoring | 🔴 High |
| Incident Response | Response plan, 24/72h reporting capability | 🔴 High |
| Business Continuity | BCP, backup testing, DR plans | 🟡 Medium |
| Supply Chain | Supplier assessments, contracts | 🟡 Medium |
| Training | Awareness programme, role-based training | 🟡 Medium |
| Documentation | Evidence repository, audit readiness | 🟡 Medium |
## Next Steps
- Download this checklist and assign owners to each section
- Conduct a gap analysis against your current state
- Prioritise high-risk items for immediate action
- Develop a compliance roadmap with realistic timelines
- Engage expert support where needed
## Related Articles
- Complete NIS2 Guide - Comprehensive overview of the NIS2 directive
- GDPR Compliance Guide - Data protection requirements that complement NIS2
- DORA Compliance Guide - Digital operational resilience for financial entities
## Get Expert Help
Need help with your NIS2 compliance journey? Vision Compliance provides gap assessments, implementation support, and ongoing compliance monitoring for NIS2.
- Cybersecurity & NIS2 Services - Expert NIS2 compliance support
- Incident Response Services - 72-hour notification support
- Contact us - Schedule a free consultation
This checklist provides general guidance and should be adapted to your organisation's specific circumstances. For comprehensive compliance advice, consult with qualified professionals.