NIS2 Compliance Checklist: 10 Essential Steps with ISO 27001 Mapping
October 23, 2025
Updated: February 22, 2026
22 min read
Cybersecurity
NIS2 compliance can feel overwhelming — 18 sectors, 10 minimum security measures, management liability, incident reporting timelines, and supply chain obligations. But breaking it into structured, actionable steps makes the process manageable. This checklist is designed as a practical roadmap for organisations that already understand NIS2 and need to implement and verify compliance systematically. Every step includes ISO 27001 control references so you can leverage existing certifications.
Key Takeaways
This checklist covers 10 practical steps from scope assessment to continuous improvement.
Each step maps to specific ISO 27001:2022 controls, showing coverage and gaps.
NIS2 requires all 10 minimum measures to be implemented proportionate to risk.
Management approval and training are mandatory — this is not optional.
Where are we now? As of early 2026, most EU member states have transposed NIS2 into national law and enforcement is active. Organisations in scope should already be compliant or actively implementing.
Step 1: Determine Scope and Classification
Objective: Confirm whether NIS2 applies and which category your organisation falls under.
Actions
Identify your organisation's primary sector(s) against NIS2 Annex I (essential) and Annex II (important)
Verify your size against the thresholds: 50+ employees OR EUR 10M+ annual turnover for general inclusion
Check if any size-independent criteria apply (trust services, DNS, TLD registries, public comms, public administration)
Determine whether you are an essential entity (Annex I, large) or important entity (Annex II, or medium in Annex I)
Identify in which member state(s) you are subject to NIS2 and which national law applies
Check your national authority's entity registration requirements and deadlines
Decision Matrix
Your Sector | Size | Classification | Supervision
Annex I (high criticality) | Large (250+ employees or EUR 50M+) | Essential entity | Proactive
Annex I (high criticality) | Medium (50+ employees or EUR 10M+) | Important entity | Reactive
Annex II (other critical) | Large or medium | Important entity | Reactive
Any sector | Below medium thresholds | Out of scope* | N/A
*Unless size-independent criteria apply or you are in the supply chain of an in-scope entity.
ISO 27001 mapping: No direct equivalent — this is a regulatory scoping exercise unique to NIS2.
Step 2: Conduct a Gap Analysis
Objective: Assess your current cybersecurity posture against all NIS2 requirements and identify what needs to change.
Actions
Map your existing security controls, policies, and procedures against the 10 minimum measures (Article 21)
Assess incident response capabilities against the 24h/72h/1m reporting timeline
Evaluate supply chain security practices against Article 21(2)(d)
Review management engagement — has the board formally approved cybersecurity measures?
Check whether management has undergone cybersecurity training (mandatory under Article 20)
Identify all critical and important information systems and their current protection level
Document findings in a structured gap analysis report with risk ratings
Gap Analysis Template
NIS2 Measure | Current Status | Gap Description | Risk Rating | Priority
Risk analysis and security policies | e.g., Partial | Missing formal risk assessment methodology | High | 1
Incident handling | e.g., Basic | No 24-hour early warning capability | Critical | 1
Business continuity | e.g., Good | Backup testing not documented | Medium | 2
Supply chain security | e.g., Minimal | No supplier risk assessments conducted | High | 1
... | ... | ... | ... | ...
ISO 27001 mapping: Clause 6.1 (actions to address risks), Clause 9.1 (monitoring, measurement, analysis), Clause 10.1 (nonconformity and corrective action).
Step 3: Establish Governance and Accountability
Objective: Create the governance structures required by NIS2, including mandatory management involvement.
Actions
Present the gap analysis to the board/management body and obtain formal approval of the compliance roadmap
Designate a NIS2 compliance lead with clear authority, budget, and reporting lines
Schedule management cybersecurity training — this is mandatory, not optional
Establish a cybersecurity governance committee or integrate NIS2 into existing risk committees
Define roles and responsibilities for all 10 minimum measure domains
Create a compliance reporting cadence (quarterly to the board is recommended)
Management Obligations Under NIS2
Obligation | Article | What It Means in Practice
Approve measures | Art. 20(1) | Board must formally sign off on the cybersecurity risk-management programme
Oversee implementation | Art. 20(1) | Regular status updates, KPI reviews, and audit findings presented to management
Undergo training | Art. 20(2) | Directors must attend cybersecurity awareness and risk management training
Accept personal liability | Art. 20(1) | Members of management can be personally sanctioned for failures
Ensure staff training | Art. 20(2) | All employees must receive regular cybersecurity training
ISO 27001 mapping: Clause 5 (leadership), Clause 5.1 (leadership and commitment), Clause 5.3 (organizational roles, responsibilities and authorities).
Step 4: Implement Risk Management
Objective: Establish a formal risk management framework that covers all NIS2 Article 21 requirements.
Actions
Adopt or develop a risk assessment methodology (consider ISO 27005, NIST CSF, or OCTAVE)
Create an asset inventory of all network and information systems
Classify assets by criticality and sensitivity
Conduct a comprehensive risk assessment covering all identified assets
Develop a risk treatment plan with accepted, mitigated, transferred, and avoided risks
Document the risk acceptance criteria approved by management
Develop or update information security policies covering all 10 measure domains
Establish a policy review cycle (annual minimum)
Risk Assessment Considerations for NIS2
Your risk assessment must specifically address:
Threats to network and information systems (not just data)
Cascading effects — how an incident at your organisation could affect other entities or the public
Supply chain risks — vulnerabilities introduced through third-party products and services
Physical and environmental threats alongside cyber threats
The societal impact of service disruption, not just business impact
ISO 27001 mapping: Clause 6.1.2 (information security risk assessment), Clause 6.1.3 (risk treatment), Clause 8.2 (risk assessment execution), Clause 8.3 (risk treatment execution), Annex A.5.1 (policies for information security).
Step 5: Build Incident Response Capability
Objective: Establish detection, reporting, and response capabilities that meet NIS2's strict timelines.
Actions
Develop a cybersecurity incident response plan with defined roles, escalation paths, and communication protocols
Implement security monitoring and detection (SIEM, EDR, network monitoring)
Define what constitutes a "significant incident" per NIS2 criteria
Create notification templates for each reporting stage (24h, 72h, 1m)
Identify your national CSIRT/competent authority and register contact points
Establish a 24/7 incident detection capability (internal SOC or outsourced)
Define the process for dual notification when GDPR is also triggered
Conduct tabletop exercises at least twice a year
Establish post-incident review procedures and lessons-learned processes
Incident Reporting Quick Reference
Stage | Deadline | To Whom | Content
Early warning | 24 hours | National CSIRT / competent authority | Suspected malicious? Cross-border impact?
Incident notification | 72 hours | National CSIRT / competent authority | Severity, impact, indicators of compromise
GDPR notification (if personal data) | 72 hours | Data protection authority | Nature of breach, categories, number of subjects
Intermediate report | On request | National CSIRT / competent authority | Status update on handling
Final report | 1 month | National CSIRT / competent authority | Root cause, full analysis, mitigation measures
ISO 27001 mapping: A.5.24 (incident management planning), A.5.25 (assessment and decision), A.5.26 (response), A.5.27 (learning from incidents), A.5.28 (collection of evidence).
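To make the reporting clock concrete, here is an added Python example (not part of the original article) that computes the deadlines for one significant incident, including the GDPR dual notification from the actions above, and lists which stages are overdue at a given moment. It assumes the final-report month runs from the moment the 72-hour notification was actually filed (check your national transposition), and all dates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Deadlines from the reporting table above, in hours after becoming aware.
EARLY_WARNING_HOURS = 24
INCIDENT_NOTIFICATION_HOURS = 72
GDPR_NOTIFICATION_HOURS = 72
CSIRT = "National CSIRT / competent authority"


@dataclass(frozen=True)
class Deadline:
    stage: str
    recipient: str
    due: datetime


def add_calendar_month(moment: datetime) -> datetime:
    """Advance one calendar month, clamping to the last day when the target
    month is shorter (31 Jan -> 28 Feb), so the date never rolls into March."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime, personal_data: bool,
                        notification_sent_at: Optional[datetime] = None) -> List[Deadline]:
    """Build the notification clock for one significant incident.

    aware_at: when the entity became aware (must be timezone-aware).
    personal_data: True when GDPR is also triggered (dual notification).
    notification_sent_at: when the 72-hour notification was actually filed.
      Assumption: the final-report month runs from that filing; until it is
      filed, the month is projected from the 72-hour deadline itself.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    notification_due = aware_at + timedelta(hours=INCIDENT_NOTIFICATION_HOURS)
    clock = [
        Deadline("Early warning", CSIRT, aware_at + timedelta(hours=EARLY_WARNING_HOURS)),
        Deadline("Incident notification", CSIRT, notification_due),
    ]
    if personal_data:
        clock.append(Deadline("GDPR notification", "Data protection authority",
                              aware_at + timedelta(hours=GDPR_NOTIFICATION_HOURS)))
    anchor = notification_sent_at or notification_due
    clock.append(Deadline("Final report", CSIRT, add_calendar_month(anchor)))
    return sorted(clock, key=lambda d: d.due)  # stable sort: ties keep list order


def overdue(clock: List[Deadline], now: datetime, submitted: Set[str]) -> List[str]:
    """Stages whose deadline has passed and that are not recorded as submitted."""
    return [d.stage for d in clock if d.due <= now and d.stage not in submitted]


def sample_clock() -> List[Deadline]:
    """Constructed example: aware 31 Jan 2026 10:00 UTC, personal data involved,
    72-hour notification actually filed at 20:00 the same day."""
    aware = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
    sent = datetime(2026, 1, 31, 20, 0, tzinfo=timezone.utc)
    return reporting_deadlines(aware, personal_data=True, notification_sent_at=sent)


if __name__ == "__main__":
    for d in sample_clock():
        print(f"{d.stage:<22} {d.due.isoformat()}  -> {d.recipient}")
```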
Step 6: Secure the Supply Chain
Objective: Assess, manage, and monitor cybersecurity risks from suppliers and service providers.
Actions
Create an inventory of all suppliers and service providers that have access to your systems or data
Classify suppliers by criticality (critical, important, standard)
Conduct cybersecurity risk assessments for all critical and important suppliers
Include security requirements in all supplier contracts (encryption, MFA, incident reporting, audit rights)
Request evidence of security certifications (ISO 27001, SOC 2) or conduct your own assessments
Establish a supplier monitoring programme with regular reviews (annual for critical suppliers)
Define incident notification requirements for suppliers (how quickly must they report breaches to you?)
Review results of any EU-level coordinated supply chain risk assessments relevant to your sector
Supplier Risk Assessment Criteria
Criterion | What to Assess
Access level | What systems and data does the supplier access?
Criticality | How dependent is your service on this supplier?
Security maturity | Does the supplier hold ISO 27001, SOC 2, or equivalent?
Incident history | Has the supplier experienced breaches? How did they respond?
Sub-processors | Does the supplier use sub-contractors with access to your data?
Geographic risk | Is the supplier subject to laws that could compromise security?
Business continuity | Could the supplier's failure disrupt your operations?
ISO 27001 mapping: A.5.19 (information security in supplier relationships), A.5.20 (addressing security within supplier agreements), A.5.21 (managing security in the ICT supply chain), A.5.22 (monitoring, review and change management of supplier services), A.5.23 (information security for use of cloud services).
Step 7: Implement Technical Security Controls
Objective: Deploy the technical measures required by NIS2 across all relevant domains.
Actions
Deploy multi-factor authentication (MFA) for all system access, prioritising privileged accounts and remote access
Implement encryption for data at rest and in transit, following current best practices (AES-256, TLS 1.3)
Establish access control based on role-based access control (RBAC) and the principle of least privilege
Deploy network segmentation to isolate critical systems
Implement vulnerability management — regular scanning with defined SLAs for remediation
Establish patch management processes with risk-based prioritisation
Deploy logging and monitoring across all critical systems (centralised SIEM)
Implement secure communication channels for normal and emergency operations
Establish key management procedures for cryptographic controls
Conduct regular penetration testing (at least annually, after significant changes)
Technical Control Priority Matrix
Control | Impact | Implementation Effort | Priority
MFA on all accounts | Critical | Medium | Immediate
Encryption at rest and in transit | High | Medium | Immediate
Centralised logging (SIEM) | High | High | Short-term
Network segmentation | High | High | Short-term
Vulnerability scanning (automated) | High | Low | Immediate
Patch management process | High | Medium | Immediate
Penetration testing | High | Low (outsourced) | Short-term
Endpoint detection and response (EDR) | High | Medium | Short-term
Secure email gateway | Medium | Low | Short-term
Data loss prevention (DLP) | Medium | High | Medium-term
ISO 27001 mapping: A.8.1 (user endpoint devices), A.8.2-A.8.5 (access rights and authentication), A.8.9 (configuration management), A.8.15 (logging), A.8.20 (network security), A.8.22 (segregation of networks), A.8.23 (web filtering), A.8.24 (use of cryptography), A.8.25-A.8.33 (development security).
Step 8: Deploy Training and Awareness
Objective: Ensure all staff — from the board to new hires — have the cybersecurity knowledge NIS2 requires.
Actions
Develop a cybersecurity training programme covering threats, policies, and individual responsibilities
Ensure management members receive dedicated training on cyber risk identification and governance
Conduct phishing simulations at least quarterly
Provide role-based training for IT staff, developers, incident responders, and data handlers
Include cybersecurity in onboarding for all new employees
Maintain training records documenting who was trained, when, and on what topics
Measure training effectiveness through assessments and phishing simulation results
Schedule annual refresher training for all staff
Training Programme Structure
Audience | Topics | Frequency | Delivery
Board/management | Cyber risk governance, NIS2 obligations, personal liability, incident response roles | Annual + after significant events | Workshop / briefing
All employees | Phishing recognition, password security, social engineering, incident reporting | |
IT staff and developers | Secure coding, OWASP Top 10, vulnerability management, DevSecOps | Quarterly | Technical workshops
New hires | Company security policies, acceptable use, reporting procedures | At onboarding | E-learning + orientation
ISO 27001 mapping: A.6.3 (information security awareness, education and training), Clause 7.2 (competence), Clause 7.3 (awareness).
Step 9: Establish Business Continuity
Objective: Ensure critical services can continue or be restored rapidly after a cybersecurity incident.
Actions
Identify critical business functions and their maximum tolerable downtime (RTO/RPO)
Develop business continuity plans (BCPs) for each critical function
Create disaster recovery plans (DRPs) for critical IT systems
Implement automated backup with encryption and off-site/offline storage
Test backup restoration regularly (at least quarterly)
Develop a crisis management plan with communication protocols and decision authority
Define crisis communication procedures for internal stakeholders, regulators, customers, and media
Conduct business continuity exercises at least annually (tabletop + full simulation)
Document lessons learned and update plans accordingly
Backup Best Practices for NIS2
Aspect | Recommendation
Frequency | Daily for critical data; real-time replication for critical systems
Storage | 3-2-1 rule: 3 copies, 2 different media, 1 off-site
Encryption | All backups encrypted at rest and in transit
Immutability | At least one backup copy immutable (protection against ransomware)
Testing | Full restoration test quarterly; spot checks monthly
Retention | Aligned with data retention policies and legal requirements
ISO 27001 mapping: A.5.29 (information security during disruption), A.5.30 (ICT readiness for business continuity), A.8.13 (information backup), A.8.14 (redundancy of information processing facilities).
Step 10: Validate and Maintain Compliance
Objective: Verify that all measures are implemented effectively and establish an ongoing compliance programme.
Actions
Conduct an internal audit against all NIS2 requirements (use this checklist as the audit framework)
Commission an external security audit or penetration test to validate controls
Run an incident response exercise to test your 24-hour reporting capability
Verify all documentation is complete, current, and accessible (policies, procedures, risk assessments, training records)
Complete national registration with the competent authority if required
Establish compliance monitoring metrics (KPIs) and reporting cadence
Schedule annual compliance reviews aligned with risk assessment updates
For organisations with existing ISO 27001 certification, this mapping shows where you already have coverage and where NIS2 requires additional measures:
NIS2 Minimum Measure (Art. 21) | ISO 27001:2022 Controls | Coverage | NIS2-Specific Gaps
1. Risk analysis and security policies | 6.1, A.5.1 | Full | None — ISO 27001 core strength
2. Incident handling | A.5.24-A.5.28 | Partial | NIS2 24h/72h/1m reporting timelines; notification to national CSIRT
3. Business continuity | A.5.29-A.5.30, A.8.13-A.8.14 | Full | Minor — NIS2 emphasises crisis management
4. Supply chain security | A.5.19-A.5.23 | Partial | NIS2 requires broader due diligence; consideration of EU-level assessments
5. Secure acquisition and development | A.8.25-A.8.33 | Full | None
6. Effectiveness assessment | 9.1, 9.2, 9.3 | Full | None — ISO 27001 requires regular audits
7. Cyber hygiene and training | A.6.3, 7.2, 7.3 | Partial | NIS2 mandates management training specifically
8. Cryptography | A.8.24 | Full | None
9. HR security and access control | A.5.15-A.5.18, A.8.2-A.8.5 | Full | None
10. MFA and secure communications | A.8.5 | Partial | NIS2 is more specific about MFA and emergency comms
Key Gaps for ISO 27001-Certified Organisations
Even with full ISO 27001 certification, you will need to address:
Incident reporting timelines — ISO 27001 does not specify 24-hour or 72-hour reporting to external authorities
Management personal liability — ISO 27001 requires leadership commitment but does not address personal sanctions
Mandatory management training — ISO 27001 requires competence and awareness but does not mandate board-level cybersecurity training
National registration — ISO 27001 does not cover regulatory registration requirements
Cross-border cooperation — ISO 27001 does not address EU-level incident coordination
NIS2 Compliance Maturity Assessment
Use this simple scoring model to assess your organisation's NIS2 readiness:
Level | Score | Description
Level 0: Non-existent | 0 | No controls in place for this measure
Level 1: Initial | 1 | Ad hoc, informal processes; no documentation
Level 2: Developing | 2 | Documented policies exist but are inconsistently applied
Level 3: Defined | 3 | Policies implemented, documented, and consistently applied
Level 4: Managed | 4 | Measured, monitored, and regularly reviewed
Level 5: Optimised | 5 | Continuous improvement; industry best practice
Target for NIS2 compliance: All 10 measures should score at least Level 3 (Defined), with critical measures (incident handling, risk management, access control) at Level 4 (Managed).
FAQ
How long does NIS2 compliance take?
For organisations with existing ISO 27001 certification, 3-6 months to close NIS2-specific gaps. For organisations starting from a lower maturity level, 9-18 months for a comprehensive implementation. The most time-consuming elements are typically incident response capability, supply chain due diligence, and management training.
Can we use this checklist for audit purposes?
Yes. This checklist maps to all 10 NIS2 minimum measures and can serve as an internal audit framework. For external audit readiness, supplement with evidence collection for each control (policies, logs, training records, test results).
What evidence should we maintain?
For each measure: approved policies, implementation records, testing results, training attendance, management meeting minutes showing cybersecurity governance, incident logs, supplier assessments, risk assessment reports, and audit findings with corrective actions.
Is there a NIS2 certification?
There is no official "NIS2 certified" standard. However, ISO 27001 certification demonstrates that the majority of NIS2 requirements are met. Some member states may accept third-party compliance attestations. ENISA may develop assessment frameworks in the future.
What if we are in scope in multiple member states?
You will be supervised primarily by the member state of your main establishment. However, each national transposition may have slightly different requirements. Work with advisors who understand the specific requirements in all relevant jurisdictions.
Conclusion
NIS2 compliance is a structured journey, not a destination. This 10-step checklist provides the framework, but the real work is in execution — implementing controls that genuinely protect your organisation, not just satisfying regulatory requirements.
Start with the gaps. If you already have ISO 27001, you are 70-80% of the way there. Focus on incident reporting capability, management training, supply chain due diligence, and national registration. If you are starting from scratch, prioritise risk assessment, incident response, and the technical controls that reduce your exposure most significantly.
The organisations that approach NIS2 as an opportunity to improve their cybersecurity maturity — rather than a compliance burden — will gain the most lasting value.
Need support with NIS2 compliance? Vision Compliance provides gap assessments, implementation support, incident response planning, and ongoing compliance monitoring.
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.