nis2audit

NIS2 compliance checklist: a practical path to audit-ready

Updated 2026-07-06 2 min read

NIS2 compliance is a programme, not a one-off. This checklist turns the directive into concrete steps you can work through.

Scope & governance

  • Confirm whether you are an essential or important entity.
  • Meet any national registration requirements.
  • Get management to formally own and approve the cybersecurity measures (Article 20).
  • Arrange management training on cybersecurity risk.

Close the Article 21 gaps

  • Run a gap assessment against the ten security measures.
  • Prioritise and remediate missing and partial controls.
  • Document each control — policies, procedures and evidence.
  • Manage supply-chain risk with your key vendors.

Incident reporting

  • Build detection and triage so you can recognise a significant incident.
  • Prepare the 24-hour early warning, 72-hour notification and one-month report processes.
  • Rehearse the reporting flow with the real decision-makers.

Keep it live

  1. Review and update measures as risks and the business change.
  2. Repeat testing and exercises regularly.
  3. Maintain evidence ready for a supervisor.
  4. Feed incidents and findings back into improvement.

Common pitfalls

  • Treating NIS2 as a one-time project rather than an ongoing programme.
  • Controls that exist but are undocumented or untested.
  • Assuming you are out of scope without checking.
  • Management signing off without genuine oversight.

FAQ

Related questions

Where should we start with NIS2?

Confirm your scope and class, then run a gap assessment against the ten Article 21 measures. That tells you what to prioritise and gives management a clear picture to own.

Is a one-time project enough for NIS2?

No. NIS2 requires an ongoing, evidenced risk-management programme with regular testing, updates and management oversight — not a single compliance push.

How do we prove compliance to a supervisor?

With documentation and evidence: policies, implemented controls, test results, incident-reporting processes and records of management oversight. Independent testing strengthens that evidence.