NIS2 Compliance Checklist
Directive-level checklist covering applicability, governance, the ten Art. 21(2) risk-management areas, Art. 23 incident reporting, and supervisory readiness.
Counsel-grade external checklist for Directive (EU) 2022/2555 (NIS2). NIS2 is a directive — obligations bind through national transposition (Sweden: cybersäkerhetslagen SFS 2025:1506; Germany: NIS2UmsG; Italy: D.lgs. 138/2024). Verify national specifics — deadlines, registration portal, competent supervisory authority — before relying on any item below. This checklist is a working reference, not legal advice.
A. Applicability gate — resolve before anything else
- Entity operates in a sector listed in Annex I (high-criticality) or Annex II (other critical) — energy, transport, banking, health, digital infrastructure, ICT service management, public administration, space; or waste management, manufacture of critical products, digital providers, postal, food, chemicals, research.
- Size threshold met: ≥50 employees or ≥€10m turnover (medium enterprise), with size-independent inclusion for qualified trust services, TLD registries, DNS providers, sole providers of critical services, public electronic communications.
- Classification determined: essential vs important entity — drives supervision intensity and sanction ceiling.
- Jurisdiction / main establishment determined (Art. 26) — which Member State's law and authority applies.
- Registration with the national authority completed within the national deadline (entity details, sector, contact point).
B. Governance and management accountability (Art. 20)
- Management body has formally approved the cybersecurity risk-management measures (board minute or resolution as evidence).
- Management body oversees implementation — recurring board agenda item with documented reporting.
- Management members have completed cybersecurity training (attendance records); equivalent training offered to employees.
- Personal-liability exposure of management under national transposition mapped and communicated to the board.
C. Risk-management measures — Art. 21(2), the ten mandatory areas
Each area requires a documented policy, an implemented control, and evidence that the control operates.
- (a) Risk analysis and information-system security policies — approved ISMS-level policy, risk-assessment methodology, current risk register.
- (b) Incident handling — incident-response plan, classification scheme, defined roles, tested at least annually.
- (c) Business continuity — backup management with tested restores, disaster recovery, crisis-management organisation.
- (d) Supply-chain security — supplier inventory, security requirements in contracts, criticality-tiered supplier assessments; direct-supplier vulnerabilities and practices considered.
- (e) Security in acquisition, development and maintenance — secure development lifecycle, change management, vulnerability handling and disclosure process.
- (f) Effectiveness assessment — internal audit / review cycle, metrics, management review.
- (g) Basic cyber hygiene and cybersecurity training — awareness programme for all staff, phishing testing, completion tracking.
- (h) Cryptography and, where appropriate, encryption — cryptography policy, key management, data-at-rest and in-transit standards.
- (i) HR security, access control and asset management — joiner / mover / leaver processes, least privilege, privileged access management, asset inventory.
- (j) MFA or continuous authentication, secured voice / video / text communications, secured emergency communications — MFA coverage evidenced for remote access and privileged accounts.
- Proportionality assessment documented (Art. 21(1)) — why the measure set matches entity size, exposure, and societal impact.
D. Incident reporting (Art. 23)
- "Significant incident" definition operationalised against national and ENISA criteria (severe operational disruption, financial loss, considerable damage to others).
- 24-hour early warning to CSIRT / competent authority — on-call process capable of meeting the deadline, weekends included.
- 72-hour incident notification — severity and impact assessment, indicators of compromise.
- One-month final report — root cause, mitigation, cross-border impact.
- Intermediate / progress report process for ongoing incidents.
- Recipient-notification duty assessed: informing affected service recipients of significant incidents and of significant cyber threats, with remedies where applicable.
- Reporting channel to the national CSIRT tested (portal accounts, contact details current).
E. Documentation and supervisory readiness
- Statement of applicability mapping each Art. 21(2) area to specific controls and evidence.
- Supervision readiness: audit trail retrievable on authority request; essential entities prepared for proactive supervision (on-site inspection, security scans).
- Sanctions exposure quantified: up to €10m or 2% of global turnover (essential) — €7m or 1.4% (important) — plus national management-liability provisions.
- Interplay mapped: DORA is lex specialis for financial entities; sector-specific rules continue to apply; GDPR breach reporting runs in parallel, not instead.
National transpositions — verify before relying
- Sweden — Cybersäkerhetslagen (SFS 2025:1506). Supervisory authority: MSB (with sector authorities: PTS, Finansinspektionen, IVO, Energimyndigheten). Registration is entity-initiated.
- Germany — NIS2UmsG (implementation status: verify current federal-law reference before citing).
- Italy — D.lgs. 138/2024. Supervisory authority: ACN (Agenzia per la Cybersicurezza Nazionale).
Last reviewed: July 2026. This checklist reflects the directive text and general transposition patterns; national obligations may impose stricter or additional requirements.