NIS2 Compliance Checklist: 10-Step Implementation Guide for 2025

TL;DR

NIS2 compliance requires 10 categories of measures under Article 21, plus registration (Art. 3) and management accountability (Art. 20). This checklist covers all mandatory areas with concrete action items.

The NIS2 Directive does not prescribe a specific implementation framework, it defines objectives, not methods. This checklist translates the legal requirements into concrete, actionable steps for your compliance team.

An important note on documentation: NIS2 requires not just the implementation of measures, but also the ability to demonstrate that implementation. Authorities can request documentation during inspections. For each step in this checklist, there are corresponding evidence requirements.

Expected Evidence for Authority Inspections

Authorities inspecting an Essential Entity will typically request the following documents:

📄Written scoping decision (EE or IE) with justification

📄Registration evidence with the competent authority

📄Current risk analysis with date and management body approval

📄Information security policy (approved, versioned)

📄Incident response plan with 24h/72h notification process

📄Business continuity plan and DRP with test records

📄Supplier inventory and current risk assessments

📄Management training evidence (certificates, attendance lists)

📄MFA implementation evidence for critical systems

📄Records of management review meetings on cybersecurity

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Determine Your Scope

Art. 2–3

Identify your sector (Annex I or Annex II of the NIS2 Directive?)
Check company size (≥50 employees or ≥€10M turnover = potentially in scope)
Check special rules (DNS, TLD, trust services, public administration)
Determine classification as Essential or Important Entity
Document and obtain sign-off on the scoping decision

Art. 3(3)

Identify the national competent authority for your sector
Access the authority's registration portal (e.g. BSI Meldeplattform in Germany)
Prepare required information: company name, registration number, sector, contact
Complete registration before the deadline (usually within 3 months of becoming in-scope)
Archive the registration confirmation

Build a Risk Management Framework

Art. 21(2)(a)

Inventory information assets and critical services
Analyse the threat landscape (internal, external, supply chain)
Define and document your risk assessment methodology
Prioritise risks by likelihood and impact
Create and obtain sign-off on a risk treatment plan
Schedule annual review and update

Establish Incident Response Procedures

Art. 21(2)(b) + Art. 23

Define what constitutes a 'significant incident' under Article 23 NIS2
Designate an Incident Response Team (IRT) with clear responsibilities
Document the 24h early warning process to the competent authority / CSIRT
Create a 72h full notification template (including incident classification, impact assessment)
Define the final report process (1 month)
Conduct at least annual exercises / tabletop drills
Retain incident logs for at least 5 years

Ensure Business Continuity

Art. 21(2)(c)

Conduct a Business Impact Analysis (BIA) for all critical services
Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Implement backup strategy (3-2-1 rule: 3 copies, 2 media, 1 offsite)
Create Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)
Run and document regular backup restoration tests
Develop a crisis management communications plan

Supply Chain Risk Management

Art. 21(2)(d)

Inventory all critical suppliers and service providers
Define risk assessment criteria for suppliers
Conduct security questionnaires / assessments for Tier-1 suppliers
Include contractual cybersecurity requirements in supplier contracts
Review supplier patch management and vulnerability disclosure policies
Conduct annual supply chain risk review

Technical Security Controls

Art. 21(2)(e)+(h)+(i)+(j)

Implement and document network segmentation
Enable Multi-Factor Authentication (MFA) for all remote access
Implement encryption for data in transit and at rest
Deploy Privileged Access Management (PAM) for admin accounts
Establish patch management process with defined SLAs
Conduct regular penetration tests / vulnerability scanning
Deploy Endpoint Detection and Response (EDR)

Training and Cyber Hygiene

Art. 20 + Art. 21(2)(g)

Conduct annual cybersecurity training for all staff
Specific training for management bodies (Article 20 obligation!)
Run regular phishing simulations
Create and communicate employee cybersecurity policies
Publicise internal reporting process for suspicious activities
Document training attendance (for authority evidence)

Policies and Documentation

Art. 21(2)(a)+(f)

Create and approve an Information Security Policy (ISMS Policy)
Acceptable Use Policy for IT systems
Password and access management policy
Mobile Device Management policy
Data backup policy
Review and update all policies at least annually
Maintain version control and approval history

Ongoing Monitoring and Improvement

Art. 21(2)(f)

Set up Security Information and Event Management (SIEM)
Define Key Security Indicators (KSIs) and measure monthly
Conduct annual internal NIS2 controls audits
Hold management review meeting at least annually
Systematically convert incident lessons into improvements
Track NIS2 updates and national authority communications

Check your current gap status

Our interactive tool walks you through all 40+ NIS2 controls and shows your compliance score in real time.

📊 Start Gap Assessment

Timeline: How Long Does NIS2 Implementation Take?

Implementation time depends heavily on the existing security baseline. As a rough guide for a medium-sized company with no existing ISMS:

Months 1–2Foundation

▸Determine and document scope
▸Complete authority registration
▸Conduct gap analysis
▸Initial risk management assessment

Months 3–5Core measures

▸Create and test incident response plan
▸Activate MFA for all critical access points
▸Create business continuity plan
▸Supplier inventory and initial assessments

Months 6–9Depth

▸Create and approve all policies
▸Conduct and document management training
▸Set up SIEM or extend existing monitoring
▸Introduce contractual supplier requirements

Months 10–12Audit-readiness

▸Internal review of all measures
▸Tabletop exercise for incident response
▸Management review meeting
▸Compile documentation package for authority inspection

FAQ

How long do companies have to register after falling in scope?▾

NIS2 Article 3(3) requires registration within 3 months of the point at which an entity meets the thresholds for classification as an Essential or Important Entity. Different deadlines may apply in some countries. Check the national implementing laws of your country.

Do we need to create a separate policy document for each of the 10 Article 21 points?▾

No. You can cover multiple requirements in a single information security policy, provided all points are addressed. What matters is that the policy is approved by the management body and reviewed regularly.

How often must security measures be reviewed?▾

NIS2 requires measures to be reviewed 'regularly'. ENISA recommends at least annual reviews plus event-driven reviews following incidents, material changes in the threat environment, or technological changes.

What if we cannot complete the entire checklist?▾

Authorities understand that compliance is a process, not a one-time action. Prioritise the measures with the highest risk (registration, incident response, MFA) and document your progress and residual risks. A traceable plan and demonstrable progress are better than no documentation.