NIS2 Compliance Checklist: 14 Steps for EU Businesses in Scope

The Network and Information Security Directive 2 (NIS2, Directive 2022/2555/EU) replaced NIS1 in 2022 and required member state transposition by October 2024. It significantly expanded scope — adding new sectors, lowering the threshold for "essential" and "important" entities, and introducing direct personal liability for senior management for compliance failures.

If your organisation is in scope, here is the practical compliance checklist that covers what NIS2 supervisors inspect.

Are you in scope?

NIS2 applies to organisations in 18 sectors classified as "essential" or "important." If your organisation has 50+ employees or $10M+ annual turnover and operates in any of these sectors, you are likely in scope:

• Energy (electricity, oil, gas, district heating, hydrogen)
• Transport (air, rail, water, road)
• Banking and financial market infrastructure
• Health (hospitals, labs, pharma, medical devices)
• Water (drinking water, wastewater)
• Digital infrastructure (DNS, cloud, data centres, CDN, TSPs)
• ICT service management (MSPs, MSSPs)
• Public administration
• Space
• Postal and courier services
• Waste management
• Chemicals, food, manufacturing, digital providers, research

The 14-step NIS2 compliance checklist

1. 1
   Register with your national NCA. Most member states require in-scope entities to register with the national competent authority (NCA). Deadline varies by country — check your national implementation.
2. 2
   Designate a responsible management body. NIS2 Article 20 requires senior management to approve cybersecurity risk management measures and be personally liable for compliance failures. A nominated CISO or equivalent is required.
3. 3
   Conduct a cybersecurity risk assessment. Document your information assets, threats, vulnerabilities and existing controls. This must be reviewed at least annually.
4. 4
   Implement a cybersecurity policy. A written policy covering risk management, incident response, access control, encryption and business continuity. Must be approved at board/senior management level.
5. 5
   Set up incident detection and logging. You must be able to detect, log and investigate security incidents. SIEM, EDR or equivalent tooling appropriate to your size. Logs must be retained (typically 12+ months).
6. 6
   Build an incident response plan. Documented procedure for responding to a cybersecurity incident: detection → containment → eradication → recovery → post-incident review. Test it annually.
7. 7
   Establish the 24-hour initial notification process. For significant incidents, you must notify your NCA within 24 hours of becoming aware. "Significant" means: disruption to services, financial loss above thresholds, or data breach affecting other entities. Who sends this notification and how?
8. 8
   Build the 72-hour detailed report process. A fuller incident report within 72 hours, covering severity, impact, indicators of compromise and initial remediation steps. Who writes this? What data do they need?
9. 9
   Assess and manage supply chain risk. NIS2 explicitly requires risk assessment of direct suppliers and service providers. Critical ICT suppliers need security assessments. This is one of the most under-resourced areas in current compliance programmes.
10. 10
    Implement access control and privileged access management. Multi-factor authentication (MFA) required for all critical system access. Least-privilege principle applied. Privileged accounts reviewed quarterly.
11. 11
    Encrypt sensitive data at rest and in transit. Data encryption policies documented. Encryption standards specified (minimum AES-256 at rest, TLS 1.2+ in transit). Key management processes defined.
12. 12
    Implement business continuity and backup. Backup strategy documented and tested. Recovery time objectives (RTOs) defined for critical systems. Backup integrity verified regularly.
13. 13
    Train all staff on cybersecurity. Annual mandatory cybersecurity awareness training. Specific training for staff with privileged access. Management training on their personal liability under NIS2.
14. 14
    Document everything. NIS2 supervisors expect evidence, not assertions. Keep documentation of: risk assessments (with dates), policy reviews, training completion, incident logs, supplier assessments and audit results. This evidence package should be producible within 48 hours of a regulator request.

What supervisors look for

Based on early supervisory activity across EU member states, NIS2 audits focus most heavily on: incident notification capability (can you actually get a report out in 24 hours?), supply chain risk assessment (most organisations have not done this rigorously), and senior management accountability (do board members know their personal liability?).

The penalty for non-compliance ranges from $7M or 1.4% of global annual turnover (important entities) to $10M or 2% of global annual turnover (essential entities) — plus personal liability for management.

When did NIS2 come into force?

NIS2 (Directive 2022/2555/EU) was published in December 2022. Member states were required to transpose it into national law by 17 October 2024. Obligations now apply — though enforcement timelines vary by member state.

Does NIS2 apply to financial services firms?

Yes — banking and financial market infrastructure are explicitly included in NIS2's essential entities scope. Financial firms also need to consider DORA (Digital Operational Resilience Act), which has specific ICT risk management requirements. Where both apply, DORA takes precedence for financial entities.