Skip to content

NIS2 Checklist

Deadline: 11.11.2026

Part B: NIS2 Compliance

#	Activity	Reference	Phase	Description
B1	NIS2 Scope Determination	Art. 2, 3, Annex I/II	Preparation	Do we fall under NIS2? Which regime? (Essential/Important)
B1.1	— Service categorisation	Art. 3, Annex I/II	Preparation	Cloud computing, ICT service, DNS, email, or other?
B1.2	— Size threshold analysis	Art. 2(1)	Preparation	Number of employees, turnover (medium/large enterprise)
B1.3	— Registration with national authority	Art. 3(4)	Preparation	Register with the competent authority (if applicable)
B2	GAP Analysis	Art. 21	Analysis	Assessment of current state vs. NIS2 requirements
B2.1	— Current state assessment	Art. 21	Analysis	Audit of current security measures
B2.2	— Gap identification	Art. 21(2)	Analysis	Identify gaps vs. the 10 baseline measures
B2.3	— Remediation roadmap	Art. 21	Analysis	Remediation plan with priorities
B3	Governance & Management	Art. 20	Governance	Management accountability for cybersecurity
B3.1	— Management accountability	Art. 20(1)	Governance	Board approval of the security policy
B3.2	— Management training	Art. 20(2)	Governance	Cybersecurity training for management
B3.3	— Security committee	Art. 20	Governance	Security committee with regular reporting
B4	ISMS Setup	Art. 21	Implementation	Establish security management per NIS2 + ISO 27001
B4.1	— Security policy	Art. 21(2)(a)	Implementation	Information security policy
B4.2	— Asset Inventory	Art. 21(2)(a)	Implementation	Inventory: HW, SW, data, networks --- what is critical?
B4.3	— Risk Assessment	Art. 21(2)(a)	Implementation	Risk assessment per NIS2 methodology
B4.4	— Risk Treatment Plan	Art. 21(2)(a)	Implementation	Mitigate/Avoid/Accept/Transfer + timeline
B5	Technical Controls (10 measures)	Art. 21(2)	Implementation	Implement the 10 baseline security measures
B5.1	— Risk management policies	Art. 21(2)(a)	Implementation	Policies and procedures for risk management
B5.2	— Incident handling	Art. 21(2)(b)	Implementation	Incident resolution processes
B5.3	— Business continuity	Art. 21(2)(c)	Implementation	BCP, DRP, crisis management
B5.4	— Supply chain security	Art. 21(2)(d)	Implementation	Supply chain security
B5.5	— Network security	Art. 21(2)(e)	Implementation	Network and information system security
B5.6	— Vulnerability handling	Art. 21(2)(e)	Implementation	Vulnerability management, disclosure
B5.7	— Security effectiveness	Art. 21(2)(f)	Implementation	Measuring security measure effectiveness
B5.8	— Cyber hygiene & training	Art. 21(2)(g)	Implementation	Basic cyber hygiene, training
B5.9	— Cryptography	Art. 21(2)(h)	Implementation	Cryptography and encryption policies
B5.10	— HR security	Art. 21(2)(i)	Implementation	Human resources security, access control
B5.11	— MFA & secure auth	Art. 21(2)(j)	Implementation	Multi-factor authentication, secure communications
B6	Technical Controls Detail	Art. 21(2)	Implementation	Specific technical controls
B6.1	— Encryption at rest	Art. 21(2)(h)	Implementation	AES-256 for data at rest
B6.2	— Encryption in transit	Art. 21(2)(h)	Implementation	TLS 1.3 for data in transit
B6.3	— Access Control (MFA + RBAC)	Art. 21(2)(i,j)	Implementation	MFA for all admin accounts, RBAC
B6.4	— Patch Management	Art. 21(2)(e)	Implementation	Patch SLA <30 days for critical
B6.5	— Monitoring & Logging (SIEM)	Art. 21(2)(b)	Implementation	SIEM, 1-year retention
B6.6	— Backup & Recovery	Art. 21(2)(c)	Implementation	3-2-1 backup, tested quarterly
B6.7	— Firewall & IDS/IPS	Art. 21(2)(e)	Implementation	Perimeter and internal firewall, IDS/IPS
B6.8	— Endpoint protection	Art. 21(2)(e)	Implementation	EDR/XDR on all endpoints
B6.9	— Network segmentation	Art. 21(2)(e)	Implementation	Network segmentation, microsegmentation
B7	Incident Response	Art. 21(2)(b), 23	Implementation	Incident Response Plan and processes
B7.1	— Incident Response Plan	Art. 21(2)(b)	Implementation	Documented IRP
B7.2	— Incident Response Team	Art. 21(2)(b)	Implementation	Defined IRT with roles
B7.3	— On-call rotation	Art. 21(2)(b)	Implementation	24/7 availability for critical incidents
B7.4	— Incident classification	Art. 23(3)	Implementation	Incident severity classification
B7.5	— Evidence preservation	Art. 21(2)(b)	Implementation	Forensics, chain of custody
B8	Incident Reporting	Art. 23	Reporting	Incident reporting per NIS2 timeline
B8.1	— Early warning (24h)	Art. 23(4)(a)	Reporting	Preliminary report within 24 hours
B8.2	— Incident notification (72h)	Art. 23(4)(b)	Reporting	Incident report within 72 hours
B8.3	— Final report (1 month)	Art. 23(4)(d)	Reporting	Final report within 1 month
B8.4	— Authority contact established	Art. 23	Reporting	Contact with national authority, portal registration
B9	Business Continuity	Art. 21(2)(c)	Implementation	BCM/DRP plans
B9.1	— Business Impact Analysis	Art. 21(2)(c)	Implementation	BIA for critical services
B9.2	— Business Continuity Plan	Art. 21(2)(c)	Implementation	BCP documentation
B9.3	— Disaster Recovery Plan	Art. 21(2)(c)	Implementation	DRP with RTO/RPO
B9.4	— RTO/RPO defined	Art. 21(2)(c)	Implementation	RTO <4h, RPO <1h for critical
B9.5	— DR testing (annual)	Art. 21(2)(c)	Testing	Annual DR plan testing
B10	Supply Chain Security	Art. 21(2)(d)	Implementation	Supplier and third-party security
B10.1	— Vendor risk assessment	Art. 21(2)(d)	Implementation	Risk assessment for all critical vendors
B10.2	— Security questionnaire	Art. 21(2)(d)	Implementation	Standardised security questionnaire
B10.3	— Vendor certifications (ISO/SOC)	Art. 21(2)(d)	Implementation	Requirement for ISO 27001 / SOC 2
B10.4	— Vendor access control	Art. 21(2)(d)	Implementation	Vendor access management, JIT access
B10.5	— Vendor monitoring	Art. 21(2)(d)	Implementation	Ongoing vendor monitoring
B11	Vulnerability Management	Art. 21(2)(e)	Testing	Vulnerability management
B11.1	— Vulnerability scanning	Art. 21(2)(e)	Testing	Monthly vulnerability scanning
B11.2	— Penetration testing	Art. 21(2)(e)	Testing	Annual penetration tests
B11.3	— Patch SLA defined	Art. 21(2)(e)	Implementation	Critical <7d, High <30d, Medium <90d
B11.4	— Vulnerability disclosure	Art. 21(2)(e)	Governance	Coordinated vulnerability disclosure policy
B12	Training & Awareness	Art. 21(2)(g)	Training	Employee cybersecurity training
B12.1	— Security awareness programme	Art. 21(2)(g)	Training	Regular awareness training
B12.2	— Phishing simulations	Art. 21(2)(g)	Training	Quarterly phishing tests
B12.3	— Role-specific training	Art. 21(2)(g)	Training	Specialised training for IT, developers
B12.4	— Training records	Art. 21(2)(g)	Training	Records of completed training
B13	Continuous Monitoring (SOC)	Art. 21(2)(b,e)	Monitoring	24/7 security monitoring
B13.1	— SOC capability	Art. 21(2)(b)	Monitoring	Internal SOC or managed SOC
B13.2	— Threat detection	Art. 21(2)(b)	Monitoring	Threat detection (SIEM, EDR, NDR)
B13.3	— Security metrics	Art. 21(2)(f)	Monitoring	Security KPIs
B13.4	— Threat intelligence	Art. 21(2)(b)	Monitoring	Threat intelligence feed integration
B14	Security Audits	Art. 21(2)(f)	Audit	Internal and external audits
B14.1	— Internal audits	Art. 21(2)(f)	Audit	Monthly internal audits
B14.2	— External audits	Art. 21(2)(f)	Audit	Bi-annual external audits
B14.3	— Audit findings tracking	Art. 21(2)(f)	Audit	Tracking findings and remediation
B15	ISO 27001 Certification	Recommended	Certification	Formal certification (strongly recommended)
B15.1	— ISO 27001 gap analysis	ISO 27001	Certification	GAP analysis vs. ISO 27001
B15.2	— ISO 27001 Stage 1 audit	ISO 27001	Certification	Documentation audit
B15.3	— ISO 27001 Stage 2 audit	ISO 27001	Certification	Implementation audit
B15.4	— Certification	ISO 27001	Certification	Obtain certificate

Technical Controls

Control	Requirement	Reference
Encryption at rest	AES-256	Art. 21(2)(h)
Encryption in transit	TLS 1.3	Art. 21(2)(h)
Access Control	MFA + RBAC	Art. 21(2)(i,j)
Patch Management	<30 days	Art. 21(2)(e)
Monitoring & Logging	SIEM, 1y retention	Art. 21(2)(b)
Incident Response	IRP written, tested	Art. 21(2)(b)
Backup & Recovery	Weekly, tested quarterly	Art. 21(2)(c)
Vendor Security	Due diligence	Art. 21(2)(d)

Critical Path

B1 NIS2 Scope -> complete by 31.1.2026
B2 GAP Analysis -> complete by 28.2.2026
B7 Incident Response Plan -> complete by 28.2.2026
B4.3-B4.4 Risk Assessment + Treatment -> complete by 30.4.2026
B9 Business Continuity -> complete by 30.4.2026
B15 ISO 27001 -> certification by 30.9.2026

Implementation Phases

Resources