Maintaining NIS 2 Compliance: Ongoing Requirements

Achieving initial NIS 2 compliance is only the beginning. The directive requires organizations to maintain their cybersecurity measures on an ongoing basis, adapt to evolving threats, and demonstrate continuous compliance to supervisory authorities. This guide covers the ongoing activities, reviews, and processes necessary to sustain NIS 2 compliance over time.

Key Takeaways

Point                 | Summary
----------------------|---------------------------------------------------------------------------------------
Continuous obligation | NIS 2 compliance is ongoing, not a one-time achievement
Regular reviews       | Cybersecurity measures must be reviewed and updated periodically
Evolving requirements | The European Commission may adopt implementing acts with specific technical requirements
Supervision readiness | Essential entities must be prepared for proactive supervision at any time
Documentation         | Comprehensive records are essential for demonstrating ongoing compliance

Quick Answer: Maintaining NIS 2 compliance requires continuous effort including regular risk assessments, policy updates, incident response testing, supply chain reviews, management training, and documentation maintenance. Essential entities must be audit-ready at all times, while important entities must respond promptly to any supervisory inquiries.

Ongoing Compliance Activities

Monthly Activities

Activity                   | Description
---------------------------|-------------------------------------------------------
Security monitoring review | Review alerts, incidents, and monitoring effectiveness
Patch management           | Apply security patches and verify coverage
Backup verification        | Test backup restoration for critical systems
Vulnerability scanning     | Run automated scans and address findings
Access reviews             | Review and revoke unnecessary access rights

Quarterly Activities

Activity                    | Description
----------------------------|------------------------------------------------------------------
Management reporting        | Brief management on cybersecurity status, incidents, and compliance
Incident response exercises | Conduct tabletop or simulated exercises
Supplier monitoring         | Review critical supplier security posture
Training updates            | Deliver security awareness refresher content
Phishing simulations        | Test employee awareness with simulated attacks
Policy compliance checks    | Verify adherence to security policies across the organization

Annual Activities

Activity                    | Description
----------------------------|-------------------------------------------------------------------
Risk assessment review      | Conduct a comprehensive risk reassessment
Policy review               | Update all security policies and procedures
Business continuity testing | Full test of business continuity and disaster recovery plans
Penetration testing         | Commission external penetration tests
Supply chain assessment     | Reassess all critical suppliers
Management training         | Ensure management body members complete cybersecurity training
Compliance audit            | Conduct internal or external NIS 2 compliance audit
Documentation review        | Update all compliance documentation

Adapting to Evolving Requirements

Implementing Acts

The European Commission may adopt implementing acts that specify technical and methodological requirements for certain sectors. Organizations should:

  • Monitor ENISA publications and the Official Journal of the EU for new implementing acts
  • Assess the impact of new requirements on existing measures
  • Update compliance programs to reflect new specific requirements
  • Engage with industry associations to understand sector-specific expectations

Threat Landscape Changes

The cybersecurity threat landscape evolves constantly. Maintaining compliance requires:

  • Subscribing to relevant threat intelligence feeds
  • Participating in sector-specific information sharing groups
  • Updating risk assessments when new significant threats emerge
  • Adjusting security controls to address new attack vectors
  • Reviewing incident response procedures against new threat scenarios

Organizational Changes

Internal changes can affect compliance. Monitor and respond to:

Change                  | Compliance Impact
------------------------|------------------------------------------------------------------
New systems or services | Update asset inventory, risk assessment, and security controls
Mergers or acquisitions | Reassess scope, integrate systems, and extend compliance program
Restructuring           | Update roles, responsibilities, and reporting lines
New markets             | Check if additional national transpositions apply
Technology migration    | Ensure new platforms meet NIS 2 security requirements
Staff changes           | Update access controls, provide training, and adjust responsibilities

Demonstrating Compliance

Documentation Requirements

Maintain comprehensive records that demonstrate ongoing compliance:

Document Type        | Content
---------------------|-----------------------------------------------------------------------
Risk registers       | Current risks, assessments, and treatment decisions
Policy library       | All security policies with version history and approval records
Incident logs        | Records of all incidents, responses, and reports filed
Training records     | Attendance, completion certificates, and assessment results
Audit reports        | Internal and external audit findings and remediation tracking
Supplier assessments | Security evaluations and contractual compliance records
Management minutes   | Records of management discussions and decisions on cybersecurity
Testing results      | Penetration test reports, vulnerability scan results, exercise outcomes

Responding to Supervision

Essential entities should be prepared for proactive supervision:

  • Maintain readily accessible compliance documentation
  • Designate a point of contact for supervisory inquiries
  • Have processes for responding to information requests promptly
  • Prepare for on-site inspections (including unannounced visits)
  • Keep remediation tracking up to date for any known gaps

Important entities should be ready for reactive supervision:

  • Respond promptly to any inquiry from the competent authority
  • Cooperate fully with investigations or audits
  • Demonstrate corrective actions taken after incidents

Integration with Other Compliance Programs

If your organization maintains other compliance programs, integrate NIS 2 activities to avoid duplication:

ISO 27001

Organizations with ISO 27001 certification can align NIS 2 maintenance with ISMS activities:

  • Internal audits cover both ISO 27001 controls and NIS 2 requirements
  • Management reviews address both certification and regulatory compliance
  • Risk assessments serve dual purposes
  • Surveillance audits help maintain NIS 2 readiness

GDPR

The following GDPR compliance activities overlap with NIS 2:

  • Data breach procedures cover both GDPR notification and NIS 2 incident reporting
  • Security measures satisfy both regulatory requirements
  • Training programs address both cybersecurity and data protection

Key Metrics to Track

Metric                         | Target                                                | Frequency
-------------------------------|-------------------------------------------------------|-------------
Vulnerability remediation time | Within defined SLAs (critical: 48h, high: 14 days)    | Monthly
Patch coverage                 | 95%+ of systems patched within policy timelines       | Monthly
Training completion            | 100% of required personnel trained                    | Quarterly
Incident response time         | Detection and reporting within NIS 2 timelines        | Per incident
Backup restoration success     | 100% of tested restorations successful                | Monthly
Supplier assessment coverage   | 100% of critical suppliers assessed                   | Annually
Policy review completion       | All policies reviewed within 12 months                | Annually
Management briefing frequency  | At least quarterly                                    | Quarterly
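The two monthly metrics above (remediation time against the 48h/14-day SLAs and the 95% patch-coverage target) are the ones most often computed by hand from scanner exports. The script below is an added example, not code from the original page or from Bastion; the `Finding` record, the host names and the dates are constructed sample data, and medium/low severities are treated as having no hard target because the table states none.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets taken from the metrics table: critical 48h, high 14 days, 95%+ patch coverage.
REMEDIATION_SLA = {"critical": timedelta(hours=48), "high": timedelta(days=14)}
PATCH_COVERAGE_TARGET = 0.95

@dataclass
class Finding:                      # constructed record shape, not a real scanner format
    host: str
    severity: str                   # "critical", "high", "medium", "low"
    detected: datetime
    remediated: Optional[datetime]  # None while the finding is still open

def sla_status(finding: Finding, now: datetime) -> str:
    """Classify one finding against the page's remediation SLAs."""
    limit = REMEDIATION_SLA.get(finding.severity)
    if limit is None:
        return "no-sla"             # medium/low: tracked, but no hard target on the page
    if finding.remediated is not None:
        return "met" if finding.remediated - finding.detected <= limit else "breached"
    return "open-within-sla" if now - finding.detected <= limit else "open-overdue"

def remediation_summary(findings, now):
    """Count findings per SLA status; 'breached' and 'open-overdue' are what management needs to see."""
    summary = {}
    for f in findings:
        status = sla_status(f, now)
        summary[status] = summary.get(status, 0) + 1
    return summary

def patch_coverage(patched_in_time: int, total_systems: int):
    """Return (coverage ratio, target met?) for the monthly patch-coverage metric."""
    ratio = patched_in_time / total_systems if total_systems else 0.0
    return round(ratio, 3), ratio >= PATCH_COVERAGE_TARGET

# Constructed sample data for one monthly review (not real findings).
NOW = datetime(2024, 5, 15, 9, 0)
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 2, 15, 0)),  # 30h: met
    Finding("db-02", "critical", datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 4, 9, 0)),    # 72h: breached
    Finding("app-03", "high", datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 10, 9, 0)),      # 9 days: met
    Finding("vpn-04", "high", datetime(2024, 4, 10, 9, 0), None),                            # 35 days open: overdue
    Finding("fs-05", "critical", datetime(2024, 5, 14, 12, 0), None),                        # 21h open: within SLA
    Finding("hr-06", "medium", datetime(2024, 5, 3, 9, 0), datetime(2024, 5, 12, 9, 0)),     # no SLA on the page
]

if __name__ == "__main__":
    print(remediation_summary(SAMPLE_FINDINGS, NOW), patch_coverage(96, 100))
```

Feeding the real scanner export into `SAMPLE_FINDINGS` gives the monthly figures for the management report; the "breached" and "open-overdue" counts are the ones to carry into remediation tracking.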

Common Questions

How do we know if we are still compliant?

Regular internal assessments against the NIS 2 requirements are the best way to verify ongoing compliance. Consider conducting quarterly compliance checks covering the 10 requirement areas of Article 21, supplemented by annual comprehensive audits. Organizations with ISO 27001 can leverage their existing audit program for this purpose.

What triggers a compliance review?

Beyond scheduled reviews, the following events should trigger an ad hoc compliance review: significant cybersecurity incidents, material changes to IT infrastructure, organizational restructuring, new regulatory guidance or implementing acts, significant changes in the threat landscape, and findings from supervisory activities.

Can Bastion help with ongoing compliance?

Yes. Bastion provides managed compliance services that cover the ongoing maintenance of NIS 2 compliance, including regular risk assessments, policy reviews, incident response support, supply chain monitoring, and preparation for supervisory activities. This approach ensures continuous compliance without overburdening your internal team.