NIS2 checklist:How to achieve compliance step by step

What is NIS2 and why does it matter? 

The NIS2 Directive is the EU’s latest push to strengthen cybersecurity across its member states. It replaces the original NIS Directive from 2016 and raises the bar significantly with stricter requirements, broader scope, and tougher enforcement. 

Designed to protect Europe’s critical infrastructure, NIS2 affects a wide range of organizations, from energy providers and healthcare systems to digital services and transport operators. 

But it doesn’t stop there. Many organizations in the supply chain, even those outside the EU, are now under pressure to meet NIS2 requirements to stay contractually compliant. With legal deadlines approaching, now is the time to get ahead. Our NIS2 checklist shows you exactly what’s required, so you can act with confidence, minimize risk, and strengthen your security and position in the market. 

The NIS2 checklist: 10 steps to compliance 

This 10-step NIS2 checklist gives you a clear path to NIS2 compliance—from risk management to reporting—so you can tackle every requirement with structure and confidence. Let’s get started.

1. Implement risk management practices

Effective NIS2 compliance starts with knowing your risks and managing them continuously. Identify vulnerabilities across your systems, services, and supply chain, then put the right technical and organizational measures in place to reduce your exposure. 

This includes, for instance, phishing protection, regular patching, access controls, and system logging. Your risk management approach should be documented, regularly reviewed, and integrated into your overall security strategy. The goal is to spot weaknesses early and act fast to stay one step ahead.

2. Establish vulnerability and incident management 

Security incidents can’t always be prevented, but how you prepare for an incident makes all the difference. Under NIS2, organizations must have clear processes to detect, report, and respond to vulnerabilities and incidents. 

Define who is responsible for what, how incidents should be escalated, and when regulators need to be informed. A structured notification process helps you stay compliant under pressure and ensures the right people act at the right time. Tools like SIEM, monitoring systems, and automated alerts can give you the visibility you need to respond fast. 

3. Set up a business continuity plan (BCP)

NIS2 expects you to keep critical operations running, even in a crisis. That means having a documented business continuity plan with clear steps for backup, recovery, and communication. 

Backups should be automated, encrypted, and stored securely. Recovery procedures need to be tested regularly to make sure they work when it counts. And your crisis communication plan should define who does what and how information flows if systems go down. 

4. Review third-party security

Cyber risks don’t stop at your network and your security is only as strong as your weakest vendor. That’s why NIS2 requires you to manage security across your entire supply chain, including vendors, service providers, and partners. 

Your NIS2 checklist should include a structured risk assessment for all third parties, focusing on their access to your systems and data. Define contractual obligations around security, including breach notification and compliance requirements. And don’t stop there – regularly monitor your suppliers to ensure they meet your standards over time. Your compliance is only as strong as your weakest link. 

5. Build an information security management system (ISMS)

An effective information security management system (ISMS) is the backbone of NIS2 compliance and every NIS2 checklist. It helps you manage risks, define policies, and document your security efforts end to end. 

Align your ISMS with a recognized standard like ISO 27001 or an equivalent framework. Make sure it also covers procurement, so that security requirements are built into your supplier selection and onboarding processes. A strong ISMS turns compliance from a checklist into a system that works. 

6. Review and audit your controls regularly

NIS2 requires you to evaluate your security measures on an ongoing basis. Test how well your controls work, identify gaps, and define clear steps for improvement. 

Document the results and involve independent audits where possible to validate your approach. This ensures your defences remain effective and your compliance efforts stand up to scrutiny. 

7. Raise cyber awareness across teams

Under NIS2, cybersecurity is a leadership responsibility. Senior management must not only support security efforts, they need to understand and actively drive them. 

Provide targeted training for leadership to ensure they can make informed decisions and fulfil their obligations. At the same time, roll out role-based awareness programs across all teams. Regular phishing simulations and practical training help build a security-first mindset— at every level of your organization. This step is a key part of your NIS2 checklist, because compliance starts with awareness. 

8. Introduce a cryptographic policy

NIS2 calls for strong encryption and secure communication, especially when handling sensitive data. Define a clear cryptographic policy that sets standards for encryption in transit and at rest. 

Include key management procedures, guidelines for secure protocols, and rules for protecting communication channels. Your policy should be aligned with recognized best practices and regularly reviewed to stay up to date with evolving threats. 

9. Set access controls

Controlling who can access what is a core part of NIS2 compliance and a key item on any NIS2 checklist. Implement role-based access controls that align with job responsibilities and apply the least privilege principle to minimize unnecessary access. 

Make sure access rights are reviewed regularly and revoked immediately when no longer needed. This includes having clear offboarding procedures to remove access when employees leave or change roles. The goal is to keep critical systems and data protected at all times. 

10. Deploy secure authentication (MFA)

NIS2 requires strong identity protection, especially for access to critical systems. That’s why you should implement multi-factor authentication (MFA) across your environment to reduce the risk of unauthorized access. 

Establish clear, secure access policies that encompass users, devices, and systems handling sensitive or critical data. Enforce MFA consistently wherever access vulnerabilities exist, prioritizing privileged accounts and critical infrastructure. Regularly review and update your authentication methods to stay ahead of evolving cyber threats and comply with NIS2’s stringent security requirements. 

NIS2 timeline and enforcement 

The EU deadline for NIS2 implementation has passed and enforcement is now a reality in many countries. If you're based in a member state, where NIS2 has already been transposed into national law, the rules are no longer theoretical, they apply right now. 

Even if you're based outside the EU, such as in the UK, NIS2 may still impact your business. If you work with EU-based partners or operate in regulated supply chains, compliance is increasingly becoming a contractual obligation. 

Wherever you operate, the message is clear: NIS2 is no longer a future requirement, it’s here. Our NIS2 checklist helps you take the right steps to get compliant, avoid penalties, and stay competitive in cross-border business. 

Is your organization affected by NIS2? 

If your organization operates in a critical sector or supports one as a supplier, NIS2 likely applies to you. 

The directive covers a wide range of sectors, including: 

• Essential sectors: energy, transport, banking, healthcare, water supply, digital infrastructure, public administration, and space 

• Important sectors: food, postal and courier services, chemicals, manufacturing, digital providers, research, and waste management 

NIS2 applies not just to operators of essential services but also to many industrial and non-industrial organizations that play a key role in supply chains. 

Who qualifies? 

Your organization is likely in scope if it meets one of these thresholds: 

• 50+ employees or €10 million+ annual revenue 

• In some sectors, the threshold rises to 250+ employees, €50 million+ revenue, and €43 million+ balance sheet total 

Based on these criteria, tens of thousands of companies across the EU must now meet NIS2 obligations. If you're unsure whether your business falls under the directive, our NIS2 checklist helps you assess your situation and take the right next steps. 

Want to see, whether you’re organization is affected by NIS2? Find out with our NIS2 checker.

What if you're not compliant? 

Failing to comply with NIS2 is a legal and a business risk. The consequences can be severe: 

• Fines of up to €10 million or 2% of global annual turnover 

• Reputational damage that erodes customer and partner trust 

• Exclusion from supply chains due to unmet contractual obligations 

• Personal liability for senior management in the event of non-compliance 

Use the NIS2 checklist to spot gaps early and take the steps needed to stay on the safe side, legally and commercially. 

Want to find out more about NIS2? Watch our on-demand webinar to learn about requirements, implementation, and compliance.