NIS2 Compliance Checklist: How HubSecure Covers Every Requirement

The NIS2 Directive expanded the scope of cybersecurity obligations across the EU significantly. For the sectors it covers, compliance is not optional. This guide maps every key NIS2 requirement to specific HubSecure capabilities — with a checklist you can use directly.

NIS2 overview: who it applies to and what it requires

The NIS2 Directive (EU 2022/2555), which became applicable to member states in October 2024, significantly expanded both the scope and the severity of EU cybersecurity requirements compared to the original NIS Directive.

NIS2 applies to entities in 18 sectors categorised as either "essential" (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) or "important" (postal and courier services, waste management, manufacture of certain products, food, chemicals, digital providers, and research). Medium enterprises (50+ employees or EUR 10M+ turnover) in these sectors are in scope. Large enterprises face stricter oversight.

Penalties under NIS2: Essential entities face fines of up to EUR 10M or 2% of global annual turnover (whichever is higher). Important entities face fines of up to EUR 7M or 1.4% of global turnover. Management bodies can be held personally liable for compliance failures — a significant change from NIS1.

The four pillars of NIS2 compliance are:

  1. Incident reporting: Significant incidents must be reported to the relevant national authority within 72 hours of becoming aware of them. A final report must follow within one month.
  2. Risk management: Entities must implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks, based on a formal risk assessment.
  3. Supply chain security: Entities must address security risks arising from relationships with suppliers and service providers, including security requirements in contracts.
  4. Governance and accountability: Management bodies must approve and oversee cybersecurity risk management measures. Management body members must undertake cybersecurity training.

How HubSecure covers each NIS2 requirement

1. Incident reporting (72-hour window)

HubSecure's Incidents module is built on ITIL incident management combined with DFARS/CISA 72-hour reporting requirements. When a significant incident is identified, the module automatically initiates the 72-hour reporting clock, assigns the incident owner, and enforces the notification workflow — including the initial report to the national authority and the follow-up final report within 30 days.

Every incident record includes: incident classification, affected assets, timeline of discovery and response actions, evidence of containment measures, and the complete audit log of all actions taken during the incident. The Evidence Timeline provides the complete record needed for the final report without manual reconstruction.

2. Risk management frameworks

HubSecure's QMS (Quality Management System) module provides the risk management framework required by NIS2. Risk registers, risk assessments, risk treatment plans, and periodic review cycles are built into the workflow. Risk owners are assigned from the client record, and risk treatment actions are tracked to completion with evidence captured automatically.

The risk assessment process maps to ISO 27005 and covers the minimum measures NIS2 requires: policies on risk analysis and information system security, incident handling, business continuity, supply chain security, acquisition and maintenance of network and information systems, human resources security, and access control.

3. Supply chain security

NIS2 requires entities to assess and manage security risks from suppliers and service providers. HubSecure supports this through the vendor management workflow in the QMS module, which includes: supplier security assessments linked to contract records, security requirements tracking per supplier, and evidence capture for supplier review cycles.

The post-quantum encryption in HubSecure's HydraShield cipher suite also directly addresses NIS2's requirement to consider "the security of network and information systems" — including protection against future threats like quantum computing.

4. Governance and accountability

NIS2 requires management bodies to approve cybersecurity risk management measures and be accountable for compliance. HubSecure's audit trail and Evidence Timeline provide the governance evidence needed to demonstrate that management oversight is occurring: approval workflows are logged with the approving identity and timestamp, risk assessment reviews are attributed to specific management roles, and the complete history of governance decisions is available for regulatory review.

The role-based access control system ensures that governance responsibilities are assigned to specific roles, and that access to sensitive functions is restricted to authorised personnel — creating the access control evidence that NIS2 requires.

NIS2 compliance checklist

Incident management

Requirement | HubSecure capability | Status
------------------------------------------------------------------------------------------------------
72-hour reporting capability | HubSecure Incidents module with automated 72h clock, notification workflow, and report templates | Covered
Incident classification | ITIL-based severity classification with mandatory fields for NIS2 reportability assessment | Covered
Evidence of response actions | Evidence Timeline captures every action taken during incident response with timestamps and actor attribution | Covered
30-day final report | Report workflow with deadline tracking and evidence export | Covered

Risk management

Requirement | HubSecure capability | Status
------------------------------------------------------------------------------------------------------
Formal risk assessment | QMS risk register with ISO 27005-aligned assessment workflow and risk owner assignment | Covered
Risk treatment plans | Risk treatment actions tracked to completion with evidence capture | Covered
Business continuity measures | BCP documentation and testing workflows in QMS module | Covered
Access control policies | RBAC with role-based permission matrices, enforced at platform level | Covered
Encryption requirements | AES-256-GCM + ML-KEM-768 post-quantum encryption via HydraShield across all sensitive data | Covered

Supply chain security

Requirement | HubSecure capability | Status
------------------------------------------------------------------------------------------------------
Supplier security assessments | Vendor management workflow with security assessment linked to contract records | Covered
Security requirements in contracts | Contract document management with security requirements checklist and signature audit trail | Covered
Periodic supplier review | Review cycle tracking with evidence capture per supplier | Covered

Governance and accountability

Requirement | HubSecure capability | Status
------------------------------------------------------------------------------------------------------
Management approval of cybersecurity measures | Approval workflows with management role attribution and timestamp logging | Covered
Evidence of management oversight | Evidence Timeline provides complete, exportable governance record | Covered
Cybersecurity training documentation | Training record management in HRM module with completion evidence | Covered

Important note: HubSecure provides the technical and operational capabilities required by NIS2, but NIS2 compliance also requires legal and organisational measures that are specific to each entity. We recommend working with a qualified NIS2 advisor to complete your compliance programme. HubSecure supports the technical compliance layer — not the full legal compliance analysis.
