
NIS 2 Compliance Checklist: A Step-by-Step Guide

Achieving NIS 2 compliance requires a structured approach covering governance, technical measures, incident response, and supply chain management. This checklist provides a practical roadmap for organizations working toward compliance with the directive's requirements.

Key Takeaways

  • Scope: First determine whether your organization falls within NIS 2 scope
  • 10 requirement areas: Article 21 lists the cybersecurity risk-management measures to implement
  • Management involvement: Senior leadership must approve the measures and undergo training
  • Ongoing process: Compliance is not a one-time effort but requires continuous maintenance
  • Framework alignment: Building on ISO 27001 or a similar framework accelerates compliance

Quick Answer: NIS 2 compliance requires organizations to address 10 categories of cybersecurity measures, establish incident reporting processes, manage supply chain risks, and ensure management accountability. Use this checklist to systematically work through each requirement area.

Phase 1: Assessment and Scoping

Determine Applicability

  • Identify your organization's sector(s) under Annex I or Annex II
  • Verify your organization meets the size threshold (medium-sized or larger: 50 or more employees, or annual turnover or balance sheet total above EUR 10 million); note that some entities are in scope regardless of size, for example providers of public electronic communications networks or services, trust service providers, and TLD name registries and DNS service providers
  • Determine whether you are classified as an essential or important entity
  • Check your national transposition for any additional or specific requirements
  • Identify which national authority and CSIRT you will report to

Conduct Gap Assessment

  • Map current cybersecurity measures against NIS 2's 10 requirement areas
  • Identify existing certifications that support compliance (ISO 27001, SOC 2, etc.)
  • Assess current incident response and reporting capabilities against NIS 2 timelines
  • Evaluate supply chain security practices
  • Document gaps and prioritize remediation actions

Phase 2: Governance and Management

Management Accountability

  • Brief senior management on NIS 2 obligations and personal liability
  • Establish formal management approval process for cybersecurity measures
  • Schedule regular cybersecurity training for management body members
  • Define management reporting cadence for cybersecurity risk status
  • Document management roles and responsibilities for NIS 2 compliance

Organizational Structure

  • Designate NIS 2 compliance responsibility (CISO, security team, or external partner)
  • Define escalation paths for cybersecurity incidents
  • Establish communication channels with national authorities and CSIRT
  • Integrate cybersecurity governance into existing risk management structures

Phase 3: Risk Management

Risk Analysis and Policies

  • Develop or update information security risk assessment methodology
  • Conduct a comprehensive risk assessment of network and information systems
  • Create or update the information security policy
  • Establish a risk treatment plan with prioritized actions
  • Define risk acceptance criteria and approval processes
  • Schedule periodic risk assessment reviews (at least annually)

Asset Management

  • Create and maintain an inventory of critical assets and systems
  • Classify assets based on their criticality and risk
  • Map dependencies between systems and services
  • Document data flows and processing activities

Phase 4: Technical Measures

Network and System Security

  • Implement network segmentation and access controls
  • Deploy intrusion detection and prevention systems
  • Establish secure configuration baselines for all systems
  • Implement patch management and vulnerability scanning processes
  • Deploy endpoint protection on all devices

Cryptography and Encryption

  • Define policies for encryption at rest and in transit
  • Implement key management procedures
  • Use recognized encryption standards and algorithms
  • Review and update cryptographic controls regularly

Access Control and Authentication

  • Implement multi-factor authentication where appropriate
  • Apply least privilege access principles
  • Establish identity management and access review processes
  • Implement privileged access management
  • Define processes for granting, reviewing, and revoking access

Secure Development

  • Integrate security into system acquisition and development processes
  • Implement secure coding practices and code review procedures
  • Establish vulnerability handling and disclosure processes
  • Test security of systems before deployment

Phase 5: Incident Management

Incident Detection and Response

  • Deploy monitoring and detection tools across critical systems
  • Develop an incident classification framework that includes the "significant incident" criteria of Article 23(3): an incident that has caused or is capable of causing severe operational disruption or financial loss for the entity, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage
  • Create detailed incident response procedures with roles and responsibilities
  • Establish communication protocols for internal and external stakeholders
  • Define forensic investigation procedures

Incident Reporting

  • Map the NIS 2 reporting timelines: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours of becoming aware, and final report no later than one month after submitting the incident notification (a progress report instead if the incident is still ongoing, with the final report following within one month of handling)
  • Create report templates for each stage (early warning, incident notification, progress report, final report)
  • Identify and register with the relevant national CSIRT and competent authority
  • Establish procedures to determine cross-border impact
  • Align NIS 2 reporting with other obligations (e.g., GDPR breach notification)

Testing and Exercises

  • Schedule regular incident response tabletop exercises
  • Test reporting procedures with realistic scenarios
  • Conduct post-exercise reviews and update procedures accordingly
  • Include supply chain scenarios in exercises

Phase 6: Business Continuity

Business Continuity Planning

  • Develop business continuity plans for critical services
  • Define recovery time objectives (RTO) and recovery point objectives (RPO)
  • Implement backup and recovery procedures
  • Test backup restoration regularly
  • Establish crisis management procedures and communication plans

Disaster Recovery

  • Design disaster recovery architecture for critical systems
  • Implement redundancy for essential services
  • Document disaster recovery procedures
  • Test disaster recovery plans at least annually
  • Define roles and responsibilities during recovery operations

Phase 7: Supply Chain Security

Supplier Management

  • Map all suppliers with access to or impact on your systems
  • Classify suppliers by risk level
  • Conduct security assessments of critical suppliers
  • Embed cybersecurity requirements in supplier contracts
  • Establish supplier incident notification requirements

Ongoing Monitoring

  • Implement regular security reviews of critical suppliers
  • Monitor for vulnerabilities in supplier products
  • Track and follow up on supplier security incidents
  • Review and update supplier risk classifications annually

Phase 8: Training and Awareness

Cybersecurity Training

  • Develop cybersecurity awareness training for all employees
  • Implement role-specific training for security personnel
  • Schedule and document management cybersecurity training
  • Conduct phishing simulations and awareness campaigns
  • Track training completion and effectiveness

Cyber Hygiene

  • Define and communicate basic cyber hygiene practices
  • Implement and enforce password policies
  • Establish software update and patching procedures for end-user devices
  • Provide guidance on secure remote working practices

Phase 9: Documentation and Evidence

Required Documentation

  • Information security policy
  • Risk assessment reports and treatment plans
  • Incident response procedures and reporting templates
  • Business continuity and disaster recovery plans
  • Supply chain security policies and supplier assessments
  • Training records for management and employees
  • Access control policies and procedures
  • Cryptography and encryption policies

Compliance Evidence

  • Maintain records of management approvals and oversight activities
  • Document security assessments and their findings
  • Keep incident logs and response records
  • Archive training attendance and certification records
  • Store audit reports and remediation tracking

Phase 10: Continuous Improvement

Review and Update

  • Schedule annual reviews of all cybersecurity measures
  • Monitor changes in the threat landscape and adjust measures accordingly
  • Track and incorporate lessons learned from incidents and exercises
  • Review and update policies and procedures regularly
  • Stay informed about implementing acts and guidance from ENISA

Common Questions

How long does NIS 2 compliance take?

The timeline depends on your starting point. Organizations with existing frameworks like ISO 27001 can often achieve compliance in 3-6 months. Organizations starting from scratch may need 6-12 months or more. Key factors include organization size, complexity, and current security maturity.

Can we achieve compliance without external help?

While possible, most organizations benefit from expert guidance, especially for gap assessments, policy development, and incident response planning. Partners like Bastion can significantly accelerate the process by providing proven frameworks, templates, and expert oversight.

What should we prioritize if we cannot do everything at once?

Start with the areas of highest risk: incident reporting capabilities (the strict timelines are non-negotiable), risk assessment, and management governance. Then address supply chain security and the remaining technical measures based on your gap assessment findings.