NIS2 Compliance Checklist: Your Complete Step-by-Step Guide

Last updated: March 2026. This checklist reflects NIS2 Directive (2022/2555), enforceable since 18 October 2024, and Commission Implementing Regulation (EU) 2024/2690. Applies to both essential and important entities.

The NIS2 compliance deadline has passed, and enforcement is underway across the EU. Whether you are starting your implementation programme or stress-testing work already done, having a structured NIS2 compliance checklist is the difference between a defensible compliance posture and a gap-filled programme that won’t survive a supervisory inspection.

This guide breaks NIS2 implementation into seven sequential phases covering all requirements from initial governance setup through to ongoing testing and continuous improvement. Each phase contains specific, actionable checklist items with direct references to Article 21 measures, the CIR 2024/2690 chapters, and the NIS2 compliance document templates that evidence each control. All 59 items map to legal requirements in the directive itself.

This is the most comprehensive free NIS2 compliance checklist available. For the downloadable PDF version — formatted for printing and team use — see the end of this guide.

Who this is for: Compliance officers, CISOs, and NIS2 project leads at essential or important entities. Work through each phase in order. For each completed item, record the evidence document in your compliance register. NIS2 supervisory authorities review documentation — “we do this already” without a document trail is not a defensible position.

Before You Start: Does NIS2 Apply to You?

Before building a compliance programme, confirm your NIS2 status. The checklist below assumes you are already in scope; if you haven’t formally verified this, run the quick applicability check below first. Getting your classification wrong (essential vs. important entity) misdirects significant resources.

Quick NIS2 Applicability Check

  1. Is your organisation in an Annex I or Annex II sector?

    Annex I: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.

    Annex II: postal/courier, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), research organisations.

    → If neither: NIS2 does not apply directly. You may still face indirect obligations as a supplier to in-scope entities.

  2. Does your organisation have 50+ employees OR €10M+ annual turnover/balance sheet?

    → If below both thresholds: generally exempt, unless you are a trust service provider, DNS service provider, TLD name registry, or public electronic communications provider (in scope regardless of size).

  3. What is your entity classification?

    Large entity (250+ employees or €50M+ turnover) in an Annex I sector → likely essential entity.

    Medium entity (50–249 employees) in Annex I or II → likely important entity.

    Large entity in Annex II → likely important entity.

Your classification matters: essential entities face proactive supervisory inspections and fines up to €10M or 2% of global turnover; important entities face reactive supervision with fines up to €7M or 1.4%. See the full NIS2 scope guide for sector-by-sector analysis and national registration requirements. For enforcement detail, see the NIS2 penalties guide.

How to Use This NIS2 Compliance Checklist

Work through each phase sequentially. For each checklist item you complete, record the evidence document in your compliance register: the policy name, system name, test date, or audit report reference. Each item shows the relevant Article 21 measure (a–j), the CIR 2024/2690 chapter, and a link to the corresponding document template. Phases are designed to be completed in order — Phase 2 (risk assessment) inputs directly drive Phase 3 (implementation).

Phase 1: Governance and Project Setup

Compliance doesn’t happen without organisational commitment. Phase 1 establishes the governance foundation — management buy-in, defined ownership, a scoped project, and a governance structure. These items are prerequisites for everything that follows. Programmes that skip Phase 1 routinely stall midway through Phase 3 when budget runs out or ownership becomes unclear.

Article reference: All measures (prerequisite). Article 20 (management accountability). Estimated time: 2–4 weeks.

  • Obtain formal management commitment and a dedicated NIS2 compliance budget. Management body approval is required under Article 20 — not just awareness, but formal sign-off. Document the approval decision (board resolution or executive sign-off). Without ring-fenced budget, subsequent phases cannot be resourced. Document: NIS2 Project Charter

  • Appoint a NIS2 Officer or CISO with defined responsibilities and authority. Someone must own the compliance programme with clear accountability. Define the role in writing: scope of authority, escalation rights, reporting line to the management body, and budget approval threshold. Document: NIS2 RACI Matrix

  • Define compliance scope: legal entities, covered services, and in-scope systems. Establish exactly which business units, services, and systems fall under NIS2. Document the scope boundary — what is in, what is out, and why. Scope creep mid-programme is expensive; ambiguity about scope is one of the most common programme failures. Document: NIS2 Scope Definition Document

  • Create a project plan with phases, milestones, deadlines, and assigned owners. A compliance programme without a plan is a hope. Build a milestone-based plan covering all seven phases. Set realistic deadlines, assign an owner to each phase, and establish a governance rhythm (fortnightly steering meetings recommended). Document: NIS2 Project Plan

  • Establish a security governance structure with reporting lines to the management body. Define who receives cybersecurity reports, how often, and what decisions require escalation to the management body. Establish a cybersecurity steering committee if one doesn’t exist. Create a regular cadence of management reporting on cybersecurity status and programme progress. Document: Security Governance Framework

Phase 1 complete when: Named NIS2 owner with authority and budget confirmed, scope document approved, project plan in place, and governance structure with management body engagement established.

Phase 2: Risk Assessment

Article 21(a) requires a risk-based approach: all cybersecurity measures must be “appropriate and proportionate” to the risks your organisation actually faces. Phase 2 establishes the risk management framework and produces the risk assessment that drives your Article 21 implementation priorities. Without it, you’re implementing controls without knowing whether they address your actual risk exposure — a compliance-by-checkbox approach that NIS2 was specifically designed to prevent.

For a detailed methodology, see the NIS2 risk assessment guide.

Article 21 reference: (a) Risk analysis and information security policies. CIR 2024/2690: Chapter 2. Estimated time: 4–8 weeks depending on organisational complexity.

  • Establish a risk management methodology aligned to an accepted framework. Document the methodology you will use — ISO 27005, ENISA’s recommended approach, or an equivalent. Define risk scoring criteria (likelihood, impact, risk appetite thresholds). Obtain management approval of the methodology before starting the assessment. Document: Risk Management Framework

  • Identify and classify all information assets (IT, OT, cloud services, and data). Build a complete asset inventory covering hardware, software, cloud services, data repositories, and operational technology (OT) systems where applicable. Classify assets by criticality and sensitivity. This inventory also satisfies Article 21(i) asset management requirements. Document: Asset Register

  • Perform a risk assessment covering all in-scope IT and OT environments. Identify threats and vulnerabilities for each critical asset, assess likelihood and impact, and calculate risk scores. Cover supply chain risks (Article 21(d)), human factors, and the sector-specific threat landscape for your organisation. Document: Risk Assessment Table

  • Create a risk treatment plan mapping identified risks to Article 21 controls. For each high and critical risk, define the treatment option (mitigate, accept, transfer, or avoid) and the specific Article 21 control that addresses it. This plan drives the implementation sequence in Phase 3 — address the highest-risk gaps first. Document: Risk Treatment Plan

  • Obtain documented management acceptance of residual risks. After treatment, some residual risk will remain. Management must formally accept these risks — not just be informed of them. Document this acceptance with signatures and dates. This is both a legal requirement and your primary due-diligence defence during enforcement. Document: Risk Acceptance Register

Phase 2 complete when: Documented risk methodology approved, complete asset inventory produced, risk assessment scores assigned, risk treatment plan linked to Article 21 measures, and management sign-off on residual risks obtained.

Phase 3: Implement Article 21 Measures

This is the core of NIS2 compliance. Article 21 sets out 10 cybersecurity risk-management measures that all essential and important entities must implement. The checklist below provides specific action items for each measure, with document template references and CIR 2024/2690 chapter links for detailed technical requirements.

Use your risk treatment plan from Phase 2 to prioritise which measures to tackle first. If your risk assessment identified incident handling and supply chain as the highest-risk gaps — the most common finding for organisations new to NIS2 — start with measures (b) and (d).

(a) Risk Analysis and Information Security Policies — Art. 21(a)

CIR 2024/2690: Chapter 1 (NIS Policy) + Chapter 2 (Risk Management)

  • Draft and approve a documented Information Security Policy covering NIS2 scope, security objectives, roles, and responsibilities. Obtain management body approval. Commit to annual review. Document: Information Security Policy

  • Establish a formal annual risk analysis process using the methodology from Phase 2. Schedule the first review date. Document the process — who runs it, what inputs it uses, and how results feed back into the risk treatment plan. Document: Risk Management Procedure

  • Define measurable security objectives aligned to your risk appetite. Objectives should be specific and owned (e.g., “patch critical vulnerabilities within 72 hours”), assigned to named owners, and reviewed at management level quarterly. Document: Security Objectives Register

(b) Incident Handling — Art. 21(b)

CIR 2024/2690: Chapter 3 (Incident Management). See also Phase 4 and NIS2 incident reporting guide.

  • Develop and approve an Incident Response Plan (IRP) covering detection, analysis, containment, eradication, and recovery. Define what constitutes a “significant incident” under Article 23 specific to your organisation. Document: Incident Response Plan

  • Define incident severity classification criteria mapping to the NIS2 “significant incident” definition (severe operational disruption, financial loss, harm to third parties). These thresholds trigger the 24h notification workflow. Document: Incident Severity Classification Matrix

  • Establish the 24h/72h/1-month notification workflow with named roles and prepared notification templates. See Phase 4 for the full incident management setup. Document: Incident Notification Forms

  • Test the Incident Response Plan with at least one tabletop exercise. Record the exercise date, scenario, findings, and corrective actions. Document: Tabletop Exercise Report

(c) Business Continuity and Crisis Management — Art. 21(c)

CIR 2024/2690: Chapter 4 (Business Continuity & Crisis Management)

  • Create a documented Business Continuity Plan (BCP) with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for critical services. Document: Business Continuity Plan

  • Implement backup management covering regular backups, tested restores, off-site/offline copies, and immutable backups for ransomware resilience. Document backup schedules and retention periods. Document: Backup Policy

  • Document a Disaster Recovery Plan with specific technical recovery procedures and RTO targets for each critical system. Include manual workarounds for extended outages. Document: Disaster Recovery Plan

  • Test BCP and DR plans at least annually via tabletop exercise, simulation, or live failover test. Document results and update plans based on findings. Document: BCP/DR Test Report

(d) Supply Chain Security — Art. 21(d)

CIR 2024/2690: Chapter 5 (Supply Chain Security). See full supply chain checklist in Phase 5.

  • Map and document all critical third-party suppliers and service providers that could affect your NIS2-covered services: cloud providers, managed service providers, software vendors, and logistics partners. Document: Supplier Register

  • Conduct security assessments of critical suppliers using questionnaires or review of their security certifications (ISO 27001, SOC 2, Cyber Essentials Plus). Assign a risk rating to each. Document: Supplier Security Assessment Questionnaire

  • Add NIS2-aligned security clauses to supplier contracts: incident notification obligations, right to audit, security requirements, and termination rights for material security breaches. Apply immediately to new contracts and at renewal for existing ones. Document: Supplier Contract Security Addendum

(e) Security in Acquisition, Development, and Maintenance — Art. 21(e)

CIR 2024/2690: Chapter 6 (Security Testing) + Chapter 7 (Patch Management)

  • Define a Secure Software Development Lifecycle (SSDLC) policy covering security requirements in the acquisition and development of new systems, including security testing gates and approval criteria. Document: Secure Development Policy

  • Implement a vulnerability management process with defined SLAs: critical vulnerabilities remediated within 72 hours, high within 7 days, medium within 30 days. Adjust thresholds to your risk appetite. Document: Vulnerability Management Policy

  • Establish a patch management policy and process for all in-scope systems. Track open patches with ages and risk scores. Report patch compliance metrics to management monthly. Document: Patch Management Policy

(f) Effectiveness Assessment — Art. 21(f)

CIR 2024/2690: Chapter 6 (Security Testing)

  • Define cybersecurity KPIs and metrics that measure the effectiveness of your Article 21 controls. Examples: mean time to detect (MTTD), mean time to respond (MTTR), patch compliance rate, training completion rate, open critical vulnerabilities count. Document: Security KPI Dashboard

  • Schedule regular penetration testing — at least annual for essential entities, proportionate for important entities. Engage a qualified third-party tester. Scope should include network, application, and social engineering. Document: Security Testing Policy

  • Implement continuous vulnerability scanning using an automated tool across all in-scope systems. Integrate findings into your vulnerability management process from measure (e). Document: Vulnerability Scanning Procedure
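The remediation SLAs under measure (e) and the patch-compliance KPIs under measure (f) are easiest to evidence when the vulnerability register is scored mechanically. The following Python is an added example, not code from the original page or from any product: it computes SLA status per finding and the monthly KPI figures (patch compliance rate, open critical count, overdue items, oldest open finding) from a constructed sample register. The 72h/7-day/30-day thresholds are the page’s; the 90-day “low” value and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs from the measure (e) checklist item: critical within 72 hours,
# high within 7 days, medium within 30 days. "low" is not on the page; 90 days
# is an assumed value added for this example.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str                      # one of SLA_DAYS' keys
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


def sla_deadline(f: Finding) -> date:
    """Latest date by which the finding must be remediated to meet its SLA."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def is_open(f: Finding) -> bool:
    return f.remediated is None


def days_open(f: Finding, today: date) -> int:
    """Age of the finding: until remediation, or until today if still open."""
    return ((f.remediated or today) - f.discovered).days


def sla_status(f: Finding, today: date) -> str:
    """'met', 'breached' (closed late, or open past its deadline) or 'pending' (open, in time)."""
    deadline = sla_deadline(f)
    if f.remediated is not None:
        return "met" if f.remediated <= deadline else "breached"
    return "breached" if today > deadline else "pending"


def kpi_report(findings: list, today: date) -> dict:
    """Monthly management-report metrics: the Article 21(f) KPIs named on the page."""
    statuses = {f.finding_id: sla_status(f, today) for f in findings}
    # Only findings whose SLA window has concluded count towards the rate;
    # open findings still inside their window are neither compliant nor breached.
    concluded = [s for s in statuses.values() if s != "pending"]
    met = concluded.count("met")
    open_findings = [f for f in findings if is_open(f)]
    return {
        "patch_compliance_rate": round(met / len(concluded), 3) if concluded else 1.0,
        "open_critical": sum(1 for f in open_findings if f.severity == "critical"),
        "open_total": len(open_findings),
        "overdue_open": sorted(f.finding_id for f in open_findings
                               if statuses[f.finding_id] == "breached"),
        "oldest_open_days": max((days_open(f, today) for f in open_findings), default=0),
    }


# Constructed sample register (not real findings), reported as of 15 March 2026.
REPORT_DATE = date(2026, 3, 15)
SAMPLE_FINDINGS = [
    Finding("V-1", "web-01", "critical", date(2026, 3, 10), date(2026, 3, 12)),  # closed in time
    Finding("V-2", "vpn-gw", "critical", date(2026, 3, 11)),                      # open, past 72h
    Finding("V-3", "erp-db", "high", date(2026, 3, 1), date(2026, 3, 10)),        # closed late
    Finding("V-4", "hr-app", "medium", date(2026, 2, 20)),                        # open, in time
    Finding("V-5", "mail-01", "high", date(2026, 3, 13)),                         # open, in time
    Finding("V-6", "fileshare", "medium", date(2026, 1, 1), date(2026, 1, 20)),   # closed in time
]

if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Export the real register from your scanner and feed it to `kpi_report` each month; the `overdue_open` list is the item to escalate, and the rate is the figure for the management body.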

(g) Cyber Hygiene and Training — Art. 21(g)

CIR 2024/2690: Chapter 11 (Cyber Hygiene & Training). See full training checklist in Phase 6.

  • Implement baseline cyber hygiene controls: strong password/passphrase policy with enforced complexity, endpoint protection (AV/EDR), automatic screen locks, encrypted storage on endpoints, and regular patch application. Document these as minimum security standards. Document: Cyber Hygiene Policy

  • Deliver mandatory security awareness training to all staff (minimum annual frequency, including phishing simulation). Track completion in training records. Document: Training Records Template

  • Create role-specific technical training for security-sensitive roles. See Phase 6 for the full training programme structure. Document: Technical Training Plan

(h) Cryptography and Encryption — Art. 21(h)

CIR 2024/2690: Chapter 9 (Cryptography)

  • Define a Cryptography Policy specifying approved algorithms (AES-256, RSA-2048+, TLS 1.2 minimum), prohibited algorithms (MD5, SHA-1, DES), and minimum key lengths. Align with BSI, ENISA, or NIST cryptographic recommendations. Document: Cryptography Policy

  • Implement encryption for data at rest in all systems containing sensitive or personal data: databases, file servers, endpoints, backups, and removable media. Document: Data Classification and Encryption Standard

  • Implement encryption for data in transit: TLS 1.2+ for all web services, encrypted email for sensitive communications, VPN for remote access. Prohibit cleartext protocols (HTTP, FTP, Telnet) on production systems. Document: Network Security Policy

  • Establish key management procedures covering key generation, storage (HSM or equivalent), rotation schedules, and secure destruction. Document key custodians and emergency recovery procedures. Document: Key Management Procedure

(i) HR Security, Access Control, and Asset Management — Art. 21(i)

CIR 2024/2690: Chapter 12 (Access Control) + Chapter 13 (HR Security) + Chapter 14 (Asset Management)

  • Create and maintain a complete asset inventory covering all hardware, software, cloud services, and data assets in NIS2 scope. Assign an owner, classification level, and criticality rating to each asset. Review quarterly at minimum. Document: Asset Register

  • Implement role-based access control (RBAC) on the least-privilege principle for all critical systems. Review and recertify user access rights at least annually. Automate provisioning and deprovisioning via HR system integration where possible. Document: Access Control Policy

  • Define HR security procedures for onboarding (access provisioning, security briefing), role changes (access review), and offboarding (immediate revocation of all access on departure). Document: HR Security Policy

  • Implement background vetting/screening for roles with access to critical systems or sensitive data. Define minimum screening requirements by role category and document results. Document: HR Security Policy

(j) Multi-Factor Authentication and Secure Communications — Art. 21(j)

CIR 2024/2690: Chapter 9 (Network Security) + Chapter 12 (Access Control)

  • Deploy MFA for all privileged accounts, remote access, and admin interfaces. Privileged access without MFA is one of the most exploited attack vectors and is non-negotiable under NIS2. Use TOTP apps, hardware tokens, or FIDO2/passkeys. Avoid SMS-based MFA for high-risk access. Document: Access Control Policy

  • Extend MFA to all user accounts for business-critical and cloud-hosted systems. Document a rollout plan with completion milestones and report progress monthly to the steering committee. Document: MFA Rollout Plan

  • Implement secure communications for sensitive business communications: end-to-end encrypted messaging, secure video conferencing, and signed/encrypted email for security-critical notifications. Document: Secure Communications Policy

  • Document approved communication channels and authentication requirements by system and data classification level. Prohibit the use of unapproved channels for classified or sensitive communications. Document: Secure Communications Policy

Phase 3 complete when: All 10 Article 21 measures have at least one documented, implemented control with evidence. Gaps from your Phase 2 risk assessment are addressed by proportionate controls. Policy documents approved by management body.

Phase 4: Incident Management Setup

The 24-hour early warning deadline under Article 23 is one of NIS2’s most operationally demanding requirements. Phase 4 focuses exclusively on making your incident notification process operationally ready — not just documented, but tested, staffed, and ready to execute under real incident pressure at 2am on a Sunday.

Article 21 reference: (b) Incident handling. CIR 2024/2690: Chapter 3. Estimated time: 2–4 weeks.

  • Establish documented incident handling procedures covering the full lifecycle: detection, triage, escalation, containment, investigation, recovery, and post-incident review. Assign named roles to each stage with backup contacts. Document: Incident Response Plan

  • Set up the 24h / 72h / 1-month notification workflow with named individuals responsible at each stage. Stage 1 (24h early warning) requires rapid escalation — your mean time to detect (MTTD) must support this. Stage 2 (72h notification) requires initial impact assessment. Stage 3 (1-month final report) requires root cause analysis. Document: Incident Notification Forms

  • Identify your national CSIRT and establish contact details. Every EU Member State has a designated CSIRT that receives NIS2 notifications. Locate yours via the ENISA CSIRT inventory. Add the contact details as an appendix to your Incident Response Plan. Document: Incident Response Plan (Appendix: CSIRT Contacts)

  • Prepare pre-written notification templates for each reporting stage. The 24h early warning, 72h incident notification, and 1-month final report each have different content requirements. Prepare draft templates in advance so your team is not writing from scratch during an active incident. Document: Incident Notification Forms

  • Test the full notification process with a tabletop exercise. Simulate a significant incident and run the notification workflow end-to-end, including producing a draft 24h early warning. Measure total time. Identify and fix gaps before a real incident exposes them. Document: Tabletop Exercise Report

  • Define “significant incident” thresholds specific to your organisation. Translate Article 23 criteria (“severe operational disruption,” “financial loss,” “harm to third parties”) into concrete, quantified thresholds for your business. Example: “more than 30% of users unable to access [critical service] for more than 4 hours.” Clear thresholds prevent both under-reporting and notification fatigue. Document: Incident Severity Classification Matrix

Phase 4 complete when: Tested notification workflow in place, national CSIRT contact confirmed, pre-written notification templates ready, defined significance thresholds documented, and at least one tabletop exercise completed and recorded.
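The significance thresholds and the 24h/72h/1-month clock described in this phase can be encoded so the on-call responder gets the same answer at 2am as the policy author would. The Python below is an added example, not code from the original page: it applies the page’s worked threshold (more than 30% of users unable to access a critical service for more than 4 hours) plus assumed, constructed values for the financial-loss and third-party-harm criteria, and derives the Article 23(4) deadlines from the moment of awareness. Note that the final report is due one month after the 72h notification is submitted, so the example takes the 72h deadline as the worst case when the submission time is not yet known.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Organisation-specific significance thresholds. These are constructed, assumed
# values: the Directive gives only qualitative criteria, and the one quantified
# threshold below is the worked example from the checklist above.
USER_IMPACT_FRACTION = 0.30   # "more than 30% of users unable to access ..."
OUTAGE_HOURS = 4.0            # "... for more than 4 hours"
FINANCIAL_LOSS_EUR = 250_000  # assumed figure; set from your own risk appetite


@dataclass
class IncidentFacts:
    detected_at: datetime               # when the entity became aware (tz-aware)
    service_critical: bool
    affected_user_fraction: float       # 0.0 to 1.0
    outage_hours: float
    financial_loss_eur: float = 0.0
    third_party_harm: bool = False
    notification_submitted_at: Optional[datetime] = None  # when the 72h notice went out


@dataclass
class Classification:
    significant: bool
    reasons: list = field(default_factory=list)
    early_warning_due: Optional[datetime] = None  # Art. 23(4)(a): 24h after awareness
    notification_due: Optional[datetime] = None   # Art. 23(4)(b): 72h after awareness
    final_report_due: Optional[datetime] = None   # Art. 23(4)(d): 1 month after (b) is submitted


def add_one_month(t: datetime) -> datetime:
    """Same day next month; clamp to the last day when that month is shorter."""
    year = t.year + (t.month // 12)
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def classify(facts: IncidentFacts) -> Classification:
    """Apply the organisation's thresholds and, if significant, compute the reporting deadlines."""
    reasons = []
    if (facts.service_critical
            and facts.affected_user_fraction > USER_IMPACT_FRACTION
            and facts.outage_hours > OUTAGE_HOURS):
        reasons.append("severe operational disruption")
    if facts.financial_loss_eur >= FINANCIAL_LOSS_EUR:
        reasons.append("financial loss")
    if facts.third_party_harm:
        reasons.append("harm to third parties")
    if not reasons:
        return Classification(significant=False)

    aware = facts.detected_at
    notification_due = aware + timedelta(hours=72)
    # Worst case for the final report: assume the 72h notification goes out at its deadline.
    submitted = facts.notification_submitted_at or notification_due
    return Classification(
        significant=True,
        reasons=reasons,
        early_warning_due=aware + timedelta(hours=24),
        notification_due=notification_due,
        final_report_due=add_one_month(submitted),
    )


def overdue_stages(c: Classification, now: datetime) -> list:
    """Names of the reporting stages whose deadline has already passed at `now`."""
    if not c.significant:
        return []
    stages = [("early warning", c.early_warning_due),
              ("incident notification", c.notification_due),
              ("final report", c.final_report_due)]
    return [name for name, due in stages if now > due]


if __name__ == "__main__":
    # Constructed sample incident: a critical service outage detected 02:00 UTC on a Sunday.
    facts = IncidentFacts(
        detected_at=datetime(2026, 3, 1, 2, 0, tzinfo=timezone.utc),
        service_critical=True,
        affected_user_fraction=0.4,
        outage_hours=6.0,
    )
    result = classify(facts)
    print("significant:", result.significant, result.reasons)
    print("early warning due:", result.early_warning_due.isoformat())
    print("notification due: ", result.notification_due.isoformat())
    print("final report due: ", result.final_report_due.isoformat())
```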

Phase 5: Supply Chain Security

Supply chain attacks are the fastest-growing threat vector in the NIS2 threat landscape, and Article 21(d) makes supply chain security a first-class legal obligation. Phase 5 builds the quick supplier mapping from Phase 3 into a full, documented supply chain security programme. This is consistently the area where organisations underestimate the effort required — start early.

Article 21 reference: (d) Supply chain security. CIR 2024/2690: Chapter 5. Estimated time: 4–8 weeks for initial implementation; ongoing thereafter.

  • Map all critical suppliers and service providers with a documented supply chain register. Include cloud providers, managed service providers, software vendors, hardware vendors, and any third party with access to your systems or data. Rate each by criticality to your NIS2-covered services (critical / significant / low). Document: Supplier Register

  • Assess each critical supplier’s security posture using a structured questionnaire or by reviewing their security certifications (ISO 27001, SOC 2, Cyber Essentials Plus). Assign a risk rating. Flag suppliers with inadequate controls for remediation or replacement planning. Document: Supplier Security Assessment Questionnaire

  • Add NIS2-aligned security clauses to contracts with all critical suppliers: incident notification obligation (supplier must notify you within a defined timeframe of any breach affecting your data or services), right to audit, minimum security requirements, and termination rights for material security failures. Apply immediately to new contracts; negotiate into existing contracts at renewal. Document: Supplier Contract Security Addendum

  • Establish ongoing supplier monitoring and an annual review cadence. Schedule annual reassessments of all critical suppliers, monitor for supplier security incidents via breach notification services and public disclosures, and track contract renewal dates for clause enforcement. Document: Supplier Risk Register

  • Document completed assessments and risk ratings in your compliance register. Supervisory authorities can request evidence of your supply chain security programme during inspections. Maintain records of questionnaire dates and responses, risk ratings assigned, and any remediation actions agreed with suppliers. Document: Supply Chain Security Policy

Phase 5 complete when: Complete supplier register with risk ratings produced, documented assessments for all critical suppliers completed, NIS2 security clauses added to contracts, and annual review schedule established.

Phase 6: Training and Awareness

Article 21(g) requires cyber hygiene practices and training for all staff. Article 20 goes further: management body members must “undergo training” to gain sufficient knowledge to identify cybersecurity risks and assess risk-management practices — and they bear personal liability for failures. Phase 6 builds the training programme that satisfies both requirements.

Article 21 reference: (g) Cyber hygiene and training. Article 20 (management accountability). CIR 2024/2690: Chapter 11. Estimated time: 2–4 weeks to set up; ongoing delivery thereafter.

  • Deliver an Article 20 management briefing to the board and executive leadership. This briefing must cover: personal liability for NIS2 infringements, the organisation’s NIS2 classification (essential or important), Article 21 measures being implemented, current cybersecurity risk posture, and the board’s ongoing oversight responsibilities. Record attendance — this is evidence of compliance with Article 20’s training requirement. Document: Board Cybersecurity Briefing Deck, Attendance Record

  • Deliver mandatory security awareness training to all staff. Minimum annual frequency. Content: phishing recognition, password and MFA best practices, the internal incident reporting process (how to report a suspected incident to the security team), and data handling obligations. Include at least one phishing simulation per year. Document: Security Awareness Training Plan, Training Records

  • Deliver role-specific technical training for security-sensitive roles. IT administrators, security operations staff, incident responders, and developers each require training beyond generic awareness. Map training content to the specific Article 21 measures relevant to each role (e.g., incident responders need IRP-specific training; developers need secure coding training). Document: Technical Training Plan

  • Establish training records and completion tracking. Maintain documented evidence of who completed which training and when. Track completion rates by department and follow up on non-completions within 30 days. Completion records are required evidence during supervisory inspections. Document: Training Records Template

  • Plan and schedule annual refresher training for all staff and management. NIS2 is an ongoing obligation. Update training content annually to reflect new threats, changes to your risk profile, and lessons learned from incidents or exercises. Document: Annual Training Schedule

Phase 6 complete when: Management Article 20 briefing delivered and attendance recorded, all-staff awareness training completed with records, role-specific technical training programme live, and recurring annual training schedule established.

Phase 7: Testing and Continuous Improvement

NIS2 compliance is not a one-time project — it is an ongoing management system. Phase 7 establishes the processes that keep your compliance posture current as threats evolve, systems change, and the regulatory environment develops. This phase is also what transforms a compliance exercise into genuine security improvement: the feedback loops that make your programme measurably better over time.

Article 21 reference: (f) Effectiveness assessment. All measures for continuous improvement. CIR 2024/2690: Chapter 6. Estimated time: Ongoing; initial setup 2–4 weeks.

  • Schedule regular risk reviews — at least annually, and after trigger events. The Phase 2 risk assessment is not static. Schedule an annual full review and define trigger events that prompt an ad-hoc review: significant incidents, major system changes, new threat intelligence, material changes to your business, or regulatory updates. Document each review cycle. Document: Risk Review Schedule, updated Risk Assessment Table

  • Plan and execute BC/DR tabletop and live exercises at least annually. Test your business continuity and disaster recovery capabilities in practice, not just on paper. Escalate from tabletop (discussion-based, lower cost) to simulation or live failover exercises as maturity increases. Record all exercises, findings, and plan updates. Document: BCP/DR Test Report, Tabletop Exercise Report

  • Establish a KPI measurement and management reporting programme. Report cybersecurity metrics to the management body at least quarterly. Include the KPIs defined in Phase 3(f): patch compliance rate, mean time to detect, mean time to respond, training completion rate, open critical vulnerabilities, and audit finding closure rate. Use metrics to demonstrate programme effectiveness and identify early degradation. Document: Security KPI Dashboard

  • Set up an internal audit programme for NIS2 compliance. Conduct at least annual internal audits against all Article 21 measures. Use audit findings to identify gaps, track remediation, and produce evidence of your continuous improvement programme for supervisory authorities. External audits by qualified third parties add additional credibility. Document: Internal Audit Programme, Audit Checklist

  • Document lessons learned and corrective actions from incidents, exercises, and audits. Every incident, tabletop exercise, and audit finding is an improvement opportunity. Assign corrective actions to named owners with completion dates. Track open actions as risk register items. Close the loop — a programme with many open corrective actions and no completion dates signals systematic non-compliance. Document: Corrective Actions Register

Phase 7 complete when: Annual risk review scheduled and cadence established, BC/DR exercise completed and documented, KPI reporting cadence running, internal audit programme live, and corrective action tracking with named owners in place.

📝 Free NIS2 Compliance Checklist PDF

The seven-phase, 59-item checklist above is available as a free downloadable PDF — formatted for printing and designed for use in workshops, management presentations, and compliance register reviews.

The PDF includes:

  • All 59 checklist items across seven phases, formatted with printable checkboxes
  • Article 21 and CIR 2024/2690 chapter references for each item
  • A compliance register column (owner, evidence document, completion date)
  • Phase-by-phase “done when” criteria for programme milestone tracking
  • Links to the full NIS2 document template library (52 ready-to-use policy and procedure templates)

Frequently Asked Questions

How long does NIS2 compliance take?

For a medium-sized organisation starting from scratch, expect 6–12 months for a complete NIS2 compliance programme. Phases 1–2 (governance and risk assessment) typically take 6–12 weeks. Phase 3 (implementing all 10 Article 21 measures) is the longest phase at 3–6 months, depending on existing security maturity. Organisations with ISO 27001 certification already have 60–70% of controls in place and can typically complete NIS2 compliance in 3–4 months. Using pre-built NIS2 compliance templates rather than writing all documentation from scratch can cut the timeline by 30–50%.

Do I need to register with my national NIS2 authority?

Yes. Article 27 requires essential and important entities to register with their national competent authority. Registration procedures vary by Member State — some have online portals, others are still establishing processes. Check your national NIS2 authority’s website for current registration deadlines and requirements. Failure to register can trigger enforcement action independently of any Article 21 compliance issues.

What documentation does NIS2 require?

NIS2 does not specify a fixed document list, but supervisory inspections typically review evidence for each Article 21 measure. At minimum: Information Security Policy, Risk Assessment and Treatment Plan, Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, Backup Policy, Supply Chain Security Policy, Asset Register, Access Control Policy, Cryptography Policy, HR Security Policy, Training Records, and management approval records. The NIS2 document template library provides ready-to-use versions of all 52 required documents.

What is the first step to NIS2 compliance?

Confirm your scope — whether NIS2 applies and whether you are essential or important. Many organisations proceed based on assumption rather than verification against the Annex I/II sector lists and size thresholds. After confirming scope, obtain formal management commitment and a dedicated compliance budget (Phase 1 of this checklist). No compliance programme survives without board-level buy-in. See the NIS2 scope guide for a full applicability assessment.

Can ISO 27001 certification count towards NIS2 compliance?

ISO 27001 provides significant overlap — ENISA’s Technical Implementation Guidance maps ISO 27001 controls to each CIR 2024/2690 measure. But ISO 27001 alone is not sufficient for full NIS2 compliance. Key gaps: the specific 24h/72h/1-month incident notification process (NIS2-specific), supply chain security requirements (more explicit in NIS2), and management body personal accountability under Article 20 (no direct ISO 27001 equivalent). Use ISO 27001 as a strong baseline, then complete a gap analysis against NIS2-specific requirements.

This checklist provides general guidance only and does not constitute legal or regulatory advice. NIS2 requirements vary by jurisdiction and sector. Consult a qualified legal professional or compliance specialist for advice specific to your organisation.

Sources

  1. “Directive (EU) 2022/2555 (NIS2) — Official Text” — EUR-Lex
  2. “Commission Implementing Regulation (EU) 2024/2690 — Official Text” — EUR-Lex
  3. “NIS2 Technical Implementation Guidance” — ENISA
  4. “NIS2 Directive Articles 20, 21, 23, 27” — nis-2-directive.com
  5. “ENISA NIS Investments 2024 Report” — ENISA