NIS2 Compliant
Free. Ungated. No email required.

NIS2 compliance checklist 2026

The practical 47-point checklist for European organizations subject to the NIS2 Directive. Free. Ungated. Ready to share.


The practical 47-point checklist for European organizations subject to the NIS2 Directive. Compiled by Burak Yazici, PECB Certified NIS2 Lead Implementer.

Version: 2026.04   |   Source: nis2-compliant.com/downloads/nis2-checklist-2026.html
License: Free to share internally. Please keep author attribution intact.

How to use this checklist. Work top to bottom. Mark items as done, in progress, or not applicable. Anything unchecked after your first pass is a gap. Bring the gaps to your next risk committee or board meeting.

1 Scope Assessment

Confirm whether NIS2 applies, and at which tier. If you get this wrong, everything downstream is wrong.

1. Map the organization against the 18 NIS2 sectors (Annex I and Annex II).

Include subsidiaries, joint ventures, and EU branches of non-EU parents.

2. Confirm size thresholds: medium-sized (50+ employees, or annual turnover and balance sheet total both above EUR 10m) and large (250+ employees, or turnover above EUR 50m and balance sheet total above EUR 43m).

Use the EU SME definition (Recommendation 2003/361/EC). Aggregate linked and partner enterprises; a subsidiary's own headcount rarely tells the whole story.

3. Check size-independent categories (public electronic communications providers, trust service providers, TLD name registries, DNS service providers, sole providers of a service, and entities designated as critical under the CER Directive).

These are in scope regardless of headcount or turnover. Cloud, data centre, CDN, and managed service providers are Annex I sectors but remain subject to the size thresholds above.

4. Classify each in-scope legal entity as Essential or Important.

Determines fine exposure (up to EUR 10m or 2% of worldwide annual turnover for Essential, EUR 7m or 1.4% for Important, whichever is higher) and supervisory regime (proactive ex ante supervision for Essential, ex post for Important).

5. Identify the competent national authority for each Member State of operation.

Cross-border operations can require registration in multiple Member States. Exception: DNS, TLD, cloud, data centre, CDN, managed service, and online platform providers fall under the jurisdiction of the Member State of their main establishment (Article 26).

6. Document your NIS2 applicability conclusion in writing.

Evidence your reasoning. Regulators will ask.

2 Governance and Management Accountability

NIS2 Article 20 makes the management body personally accountable. This section is about making that accountability real.

7. Formally appoint a management-body owner for NIS2 compliance.

Named individual, documented in board minutes.

8. Approve cybersecurity risk management measures at board level.

Board minutes must show review and sign-off on Article 21 measures.

9. Schedule and complete mandatory board cybersecurity training.

Keep attendance records and training content. NIS2 requires this on an ongoing basis.

10. Publish a written NIS2 governance charter.

Roles, escalation paths, reporting cadence, and committee mandates.

11. Define the cyber risk appetite and tolerance thresholds.

Quantified where possible. Reviewed annually.

12. Establish a quarterly board reporting pack on NIS2 posture.

KRIs, incidents, supplier issues, control effectiveness.

3 Article 21 Technical Measures

The ten minimum measures. Proportionality applies, but every measure must be addressed explicitly. "We don't do that" is not an answer.

13. Documented risk analysis methodology and information-security policies.

Approved, versioned, reviewed annually.

14. Incident handling capability (detect, contain, eradicate, recover).

Runbooks for top 5 scenarios. Tested at least annually.

15. Business continuity, backup, and disaster recovery plans.

Includes tested restoration from immutable or offline backups.

16. Crisis management procedures with defined crisis team and authority.

Not the same as BCP. The focus is decision-making under duress: who can take a system offline, pay a ransom demand, or speak to the regulator, and within what time.

17. Security in acquisition, development, and maintenance of systems.

Secure SDLC, vulnerability management, patching SLAs.

18. Vulnerability handling and disclosure process.

Includes a coordinated vulnerability disclosure policy.

19. Policies and procedures to assess effectiveness of cybersecurity measures.

Control testing, internal audit, or independent assurance.

20. Basic cyber hygiene practices and role-based cybersecurity training.

Includes phishing simulations and privileged-user training.

21. Cryptography and encryption policy (at rest, in transit, key management).

Aligned to ENISA guidance or an equivalent standard.

22. Human-resources security, asset management, and access control.

Joiner/mover/leaver processes, least privilege, periodic access review.

23. Multi-factor authentication on all privileged and external access.

Phishing-resistant MFA for admins (FIDO2, hardware tokens).

24. Secured voice, video, and text communications where appropriate.

Encrypted channels for incident and crisis communications.

4 Incident Reporting

The cadence is non-negotiable: early warning within 24 hours of becoming aware, incident notification within 72 hours, final report within one month of that notification. Build the machinery, then rehearse it.

25. Written definition of "significant incident" for your entity.

Calibrated to your sector and the Member State implementing act.

26. 24-hour early warning playbook to the national CSIRT.

Template drafted, owner named, escalation path tested.

27. 72-hour formal notification with initial severity and impact assessment.

Includes cross-border impact assessment where relevant.

28. Final report within one month of the 72-hour notification, with root cause, mitigation, and lessons learned.

Formal post-incident review signed off by incident owner. If the incident is still ongoing at the one-month mark, a progress report is due then and the final report within one month of closing the incident.

29. 24/7 contact roster for authorities, CSIRT, and crisis team.

Test out-of-hours reachability quarterly.

30. Customer notification playbook for incidents affecting service.

Aligns with NIS2, GDPR, and any sector-specific obligations.

31. Annual incident reporting exercise (tabletop or live).

Include legal, comms, board, and at least one Member State authority simulation.

5 Supply Chain Security

Article 21(2)(d) extends your obligations to suppliers. Your regulator will audit how you manage third parties.

32. Complete supplier inventory with criticality tiering.

Especially ICT, cloud, MSP, and any supplier with privileged access.

33. Supplier security assessment methodology with defined evidence requirements.

ISO 27001, SOC 2, or equivalent. Plus bespoke controls where needed.

34. Contractual clauses for security, incident reporting, and audit rights.

Include obligations flowing down to their subcontractors.

35. Ongoing supplier monitoring and attestation process.

Annual for critical suppliers, on material change otherwise.

36. Exit and concentration-risk plan for critical suppliers.

Including realistic migration timelines and data-repatriation terms.

6 Training and Awareness

NIS2 explicitly treats training as a control, not a nice-to-have.

37. Role-based training matrix (board, executives, IT, developers, general staff).

Minimum hours and content per role, tracked per person.

38. Annual mandatory cybersecurity training with completion tracking.

Evidence retained for supervisory inspections.

39. Phishing simulations at least quarterly with measurable improvement targets.

Link results into role-based retraining.

40. Dedicated training for developers and privileged users.

Secure coding, admin-account hygiene, incident escalation.

7 Ongoing Compliance

NIS2 is not a project, it is a regime. These items keep the organization compliant year after year.

41. Registration with the relevant national competent authority completed.

2026 window: 1 January to 28 February 2026. Registration deadlines, portals, and required data fields differ by Member State; confirm yours against the national transposition rather than assuming one window covers every country you operate in.

42. Annual NIS2 internal audit with remediation tracker.

Findings reported to the management body.

43. Evidence repository with retention policy.

Policies, minutes, training logs, incident reports, supplier attestations.

44. Change-management process to keep NIS2 documents current.

Trigger reviews on org change, new systems, or regulatory updates.

45. Regulatory horizon scan for implementing acts and national transposition.

Quarterly update to the risk committee.

46. Maturity roadmap beyond minimum compliance.

Move from "compliant" to "defensible and resilient".

47. External assurance or independent review at least every two years.

Independent eyes on your own homework.

Need help implementing this?

Book a call with Burak Yazici, PECB Certified NIS2 Lead Implementer. No pitch deck, just a conversation about where you are and the shortest route to compliant and defensible.



© 2026 NIS2 Compliant. All rights reserved.

This website provides general information about the NIS2 Directive and should not be considered legal advice.