NIS2 compliance checklist: a practical path to audit-ready
NIS2 compliance is a programme, not a one-off. This checklist turns the directive into concrete steps you can work through.
Scope & governance
- Confirm whether you are an essential or important entity.
- Meet any national registration requirements.
- Get management to formally own and approve the cybersecurity measures (Article 20).
- Arrange management training on cybersecurity risk.
Close the Article 21 gaps
- Run a gap assessment against the ten security measures.
- Prioritise and remediate missing and partial controls.
- Document each control — policies, procedures and evidence.
- Manage supply-chain risk with your key vendors.
Incident reporting
- Build detection and triage so you can recognise a significant incident.
- Prepare the 24-hour early warning, 72-hour notification and one-month report processes.
- Rehearse the reporting flow with the real decision-makers.
Keep it live
- Review and update measures as risks and the business change.
- Repeat testing and exercises regularly.
- Maintain evidence ready for a supervisor.
- Feed incidents and findings back into improvement.
Common pitfalls
- Treating NIS2 as a one-time project rather than an ongoing programme.
- Controls that exist but are undocumented or untested.
- Assuming you are out of scope without checking.
- Management signing off without genuine oversight.
FAQ
Related questions
Where should we start with NIS2?
Confirm your scope and class, then run a gap assessment against the ten Article 21 measures. That tells you what to prioritise and gives management a clear picture to own.
Is a one-time project enough for NIS2?
No. NIS2 requires an ongoing, evidenced risk-management programme with regular testing, updates and management oversight — not a single compliance push.
How do we prove compliance to a supervisor?
With documentation and evidence: policies, implemented controls, test results, incident-reporting processes and records of management oversight. Independent testing strengthens that evidence.
Keep reading
More guides
-
NIS2 scope: is your organisation in scope?
NIS2 covers essential and important entities across ~18 sectors, mostly from medium size upward. Here is how to tell if it applies to you.
Read guide -
The NIS2 security measures: Article 21 explained
Article 21 sets ten baseline risk-management measures every in-scope entity must implement. Here is what each one means.
Read guide