NIS2 Checklist: 10 Steps to Compliance
Practical NIS2 checklist with 10 concrete steps to implementation. From applicability assessment to audit.
Implementing NIS2 requirements can seem overwhelming at first glance. Ten measure areas, tiered reporting obligations, executive liability, and supply chain requirements. Where do you start? This checklist provides a structured 10-step plan to systematically build NIS2 compliance. Each step builds on the previous one, allowing you to set priorities and measure progress.
Step 1: Conduct an Applicability Assessment
Before investing in implementation, you must clarify whether your organisation falls under NIS2 at all. The directive applies to organisations in 18 defined sectors with at least 50 employees or EUR 10 million annual turnover. Certain entities (e.g. DNS providers, TLD registries, qualified trust service providers) fall under NIS2 regardless of size.
Check systematically: Which sector do you operate in? Do you meet the size criteria? Do you provide critical services? Use the applicability check on our NIS2 Overview page to get an initial assessment.
Document the result: Even if you are not affected, you should be able to demonstrate the assessment. The burden of proof lies with you, not with the supervisory authority.
Step 2: Define Responsibilities
NIS2 explicitly holds senior management accountable. Under Art. 20, management bodies must approve risk management measures and oversee their implementation. Executives are personally liable for breaches of duty, and this liability cannot be contractually excluded.
Define clearly: Who at the executive level is responsible for cybersecurity? Who is the operational CISO or information security officer? Who handles notifications to the competent authority? Who coordinates the incident response team? Document these responsibilities in writing and communicate them throughout the organisation.
Important: Senior management must demonstrably participate in cybersecurity training. Plan for this from the outset.
Step 3: Conduct an As-Is Analysis
Before you can take action, you need to know your current security status. Systematically assess: What information security measures already exist? Which processes are documented? What tools and technologies are in use? Is there an ISMS (e.g. under ISO 27001)?
The as-is analysis covers technical, organisational, and personnel aspects. Inventory your IT assets, capture existing security policies, and assess the maturity of your processes. Interview business departments about current practices and known weaknesses.
Tip: Use the ten measures under Art. 21 as a checklist for your as-is analysis. This allows you to immediately identify where you are well positioned and where action is needed.
Step 4: Conduct a Gap Analysis
Compare your current state with the NIS2 requirements. The gap analysis systematically reveals where gaps exist. Assess each gap by criticality and effort to establish a meaningful prioritisation.
Typical gaps in organisations: missing or outdated risk analyses, no documented incident response processes, insufficient supplier assessment, lack of multi-factor authentication for admin accounts, and incomplete training records.
Document the results in a gap matrix. This serves as the basis for your action plan in the next step and as compliance evidence for the supervisory authority.
Step 5: Create a Risk Analysis per Art. 21
The risk analysis is the single most important measure under NIS2. It forms the foundation for all further security measures. Identify threats, assess probabilities and potential impacts, and derive treatment options.
Use recognised methodologies: ISO 27005, BSI Standard 200-3, or NIST SP 800-30. It is important to follow the all-hazards approach and consider not only cyber risks but also physical, personnel, and organisational risks.
The risk analysis must be updated regularly, at least annually or upon significant changes. Document the results and the decisions derived from them by senior management.
Step 6: Develop and Prioritise an Action Plan
Based on the gap analysis and risk analysis, develop a concrete action plan. Prioritise measures by risk reduction, compliance relevance, and implementation effort. Not everything needs to happen immediately, but you need a traceable plan with a timeline.
Categorise measures into quick wins (e.g. enabling MFA, tightening password policies), medium-term measures (e.g. ISMS build-out, incident response process), and strategic projects (e.g. supply chain assessment, zero-trust architecture). Details on the timeline can be found on our NIS2 Implementation page.
Assign each measure a responsible owner, a budget, and a deadline. Without clear ownership, measures often stall.
Step 7: Establish an Incident Response Process
Reporting obligations are one of the most underestimated aspects of NIS2. Within 24 hours you must issue an early warning, within 72 hours a detailed notification, and within 30 days a final report. Without prepared processes, meeting these deadlines is nearly impossible.
Set up an incident response process that includes the following elements: detection mechanisms (SIEM, monitoring), clear escalation paths, predefined roles in the incident response team, reporting templates for the competent authority, communication plans (internal and external), and a process for forensic analysis.
Test the process at least once a year through an emergency exercise. Only then can you ensure it works in a real crisis. Document every exercise and the lessons learned.
Step 8: Implement Supplier Assessment
Supply chain security is uncharted territory for many organisations. Start by inventorying all suppliers and service providers that have access to your systems or data. Classify them by criticality: Which supplier could most severely impact your business during a security incident?
Develop a standardised assessment process with security questionnaires, contractual requirements (e.g. obligation to report security incidents), and regular reviews. For critical suppliers, you should require evidence such as ISO 27001 certificates or SOC 2 reports.
Do not forget the software supply chain: Maintain an inventory of the software in use and its dependencies (Software Bill of Materials). This enables you to respond quickly when vulnerabilities become known.
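The SBOM inventory is what makes the "respond quickly" part possible: once a vulnerability is published, you need to know within minutes whether the affected package and version are in use anywhere. The following is an added example, not Kopexa's code and not part of the original page. It loads a constructed CycloneDX-style SBOM, compares each component's version against constructed advisories written in an OSV-like "introduced"/"fixed" shape, and lists the affected components. All component names, versions and advisory ids are made up, and the version comparison is a simplified numeric one rather than any ecosystem's official version rules.

```python
"""Match SBOM components against known advisories (added example, constructed data)."""
from __future__ import annotations

import json
import re

# Constructed CycloneDX-style SBOM. Component names and versions are hypothetical.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib-http", "version": "2.3.1",
         "purl": "pkg:pypi/examplelib-http@2.3.1"},
        {"type": "library", "name": "examplelib-xml", "version": "1.9.0",
         "purl": "pkg:pypi/examplelib-xml@1.9.0"},
        {"type": "library", "name": "examplelib-crypto", "version": "4.0.2",
         "purl": "pkg:pypi/examplelib-crypto@4.0.2"},
    ],
})

# Constructed advisories. Affected versions use OSV-like events:
# "introduced" is inclusive, "fixed" is exclusive; no "fixed" means still open.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib-http", "ecosystem": "pypi",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.0"}],
     "summary": "input validation flaw (constructed)"},
    {"id": "EXAMPLE-ADV-0002", "package": "examplelib-crypto", "ecosystem": "pypi",
     "ranges": [{"introduced": "0", "fixed": "4.0.0"}],
     "summary": "weak default cipher (constructed)"},
    {"id": "EXAMPLE-ADV-0003", "package": "examplelib-xml", "ecosystem": "pypi",
     "ranges": [{"introduced": "1.8.0", "fixed": "1.9.0"}],
     "summary": "external entity handling (constructed)"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.3.1' or 'v2.3' into a comparable tuple of ints.

    Non-numeric suffixes such as '1.2.0rc1' are truncated to the leading
    digits. This is a deliberate simplification; production matching should
    use the version semantics of the package ecosystem in question.
    """
    parts: list[int] = []
    for piece in text.lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, ranges: list[dict]) -> bool:
    """True if version falls in any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = parse_version(r["fixed"]) if "fixed" in r else None
        # Pad to a common length so 2.3 and 2.3.0 compare as equal.
        n = max(len(v), len(lo), len(hi or ()))
        pad = lambda t: t + (0,) * (n - len(t))
        if pad(lo) <= pad(v) and (hi is None or pad(v) < pad(hi)):
            return True
    return False


def load_components(sbom_json: str) -> list[dict]:
    """Extract name, version and ecosystem (from the purl) of each component."""
    bom = json.loads(sbom_json)
    comps = []
    for c in bom.get("components", []):
        m = re.match(r"pkg:([^/]+)/", c.get("purl", ""))
        comps.append({"name": c["name"], "version": c.get("version", ""),
                      "ecosystem": m.group(1) if m else None})
    return comps


def match_advisories(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) pair where the version is affected."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != comp["name"] or adv["ecosystem"] != comp["ecosystem"]:
                continue
            if is_affected(comp["version"], adv["ranges"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "summary": adv["summary"]})
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} - {f['summary']}")
```

On the constructed data only examplelib-http 2.3.1 is reported: examplelib-xml 1.9.0 sits exactly on the fixed version and examplelib-crypto 4.0.2 is past it, which is the boundary behaviour an SBOM matcher has to get right. In practice the advisory list would come from a feed such as OSV or your scanner, and the same loop runs over the real SBOM exported from your build pipeline.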
Step 9: Set Up a Training Programme
NIS2 requires regular cybersecurity training for all employees, including senior management. Develop a training programme that addresses different target groups: general security awareness for all employees, in-depth technical training for IT staff, and specific compliance training for executives.
Effective training is interactive and practical. Supplement traditional training with phishing simulations, gamification elements, and regular short awareness nudges (e.g. monthly security newsletters). Measure effectiveness through simulated phishing campaigns and quizzes.
Document all training activities comprehensively: Who completed which training when? You need these records for the supervisory authority and as evidence in liability cases.
Step 10: Ensure Documentation and Evidence Management
Documentation is not an end in itself but your most important compliance evidence. The supervisory authority can request evidence of your security measures at any time. Without documentation, a measure does not exist from a regulatory perspective, no matter how well it is implemented.
Document at a minimum: risk analyses and their results, security policies and procedures, incident response protocols, training records, audit reports, supplier assessments, action plans with implementation status, and management decisions on security matters.
A GRC tool like Kopexa helps you centrally capture, manage, and quickly provide all this evidence when needed. This avoids the typical documentation sprawl of spreadsheets, SharePoint folders, and emails.
Common Pitfalls in the NIS2 Checklist
The ten steps sound logical in theory. In practice, however, many organisations fail due to recurring pitfalls. Since the NIS2UmsuCG came into force on 06.12.2025, we see these patterns particularly frequently:
Pitfall 1: Applicability Assessment Without Legal Advice
Many organisations rely on internal assessments for the applicability check. This is risky. The sector definitions in the NIS2UmsuCG are complex, and the distinction between "essential" and "important" entities has a direct impact on obligations and sanction levels. An IT service provider offering cloud services, for example, may fall under the directive as a managed service provider without being aware of it. Have the legal classification validated by a specialised lawyer or advisor. The cost is minimal compared to the consequences of a misjudgement.
Pitfall 2: Superficial As-Is Analysis
A superficial as-is analysis leads to a superficial gap analysis and thus to an incomplete action plan. Common mistake: Only the IT department is consulted, while business departments are left out. Yet critical data flows and processes often reside in areas such as production, human resources, or financial accounting. Invest in workshops with all relevant stakeholders. Two extra days of effort in the analysis phase will save you weeks during implementation.
Pitfall 3: Action Plan Without Clear Ownership
An action plan with 50 items where "IT" is listed as responsible will not get implemented. Every single measure needs a named person as owner, a concrete target date, and a defined budget. Without these three elements, measures disappear into daily workloads. Use a GRC tool or at least a structured tracking system to monitor progress.
Pitfall 4: Reporting Obligations Not Rehearsed
The tiered reporting obligations (24-hour early warning, 72-hour detailed notification, 30-day final report) sound manageable on paper. In practice, organisations fail because responsibilities are unclear, authority contact details are not on file, or internal communication breaks down during an incident. Conduct at least one tabletop exercise where you simulate a fictitious security incident from start to finish, including authority notification and crisis communication.
Checklist by Organisation Size
Not every organisation needs to work through the checklist identically. The NIS2 Directive distinguishes between "essential entities" (typically 250+ employees or EUR 50M turnover) and "important entities" (typically 50-249 employees or EUR 10-50M turnover). This distinction affects priorities, supervisory intensity, and sanction levels.
Mid-Sized Companies (50-249 Employees): Pragmatic and Focused
Companies of this size typically fall under NIS2 as "important entities". This means: supervision is reactive (not proactive), and maximum fines are EUR 7 million or 1.4% of worldwide annual turnover. This sounds reassuring, but it is not. Executive liability applies without restriction, and in the event of a security incident, the supervisory authority will investigate just as thoroughly.
Priorities for mid-sized companies: Focus on steps 1-7 of the checklist in the first six months. Applicability assessment, governance, as-is analysis, gap analysis, risk analysis, action plan, and incident response are the core obligations. The supplier assessment (Step 8) can start with a simplified questionnaire limited to critical suppliers. Training (Step 9) should begin immediately but can start with cost-effective online formats. Invest early in proper documentation (Step 10), as it is your most important shield.
Typical resources: A dedicated NIS2 project manager (can also be part-time, e.g. the IT director with 50% allocation), a project team of 3-5 people from various departments, and a budget of EUR 50,000-150,000 for external consulting, tools, and training in the first year. More on resource planning can be found on our NIS2 Implementation page.
Large Enterprises (250+ Employees): Comprehensive and Accountable
Organisations with 250 or more employees frequently fall under NIS2 as "essential entities". This means: proactive supervision by the authority, higher fines (up to EUR 10 million or 2% of worldwide annual turnover), and stricter accountability requirements. The supervisory authority can order audits and conduct security scans at any time.
Priorities for large enterprises: All ten steps of the checklist should be started in parallel. Set up a dedicated NIS2 project office. The supplier assessment (Step 8) must be comprehensive and include all suppliers with access to critical systems or data. Invest in a professional GRC tool, as manual management is no longer practical given the volume of controls, evidence, and suppliers. Plan emergency exercises (Step 7) quarterly rather than annually. Large enterprises should also consider whether ISO 27001 certification makes sense, as it covers approximately 70% of NIS2 requirements and significantly simplifies evidence management.
Typical resources: A full-time project manager, a CISO (internal or external), a project team of 5-10 people, an annual budget of EUR 200,000-500,000 for consulting, tools, training, and technical measures. Organisations with an existing ISMS under ISO 27001 can manage with significantly less effort, as many foundations are already in place.
Common Mistakes in NIS2 Implementation
When advising organisations on NIS2 compliance, we see the same mistakes repeatedly. Avoid these typical pitfalls:
Mistake 1: Treating NIS2 as a Pure IT Project
NIS2 affects the entire organisation, not just the IT department. Senior management must be actively involved, business departments must adapt processes, and the supply chain assessment involves procurement. Treat NIS2 as a company-wide compliance project with a steering committee and cross-departmental team.
Concrete example: A manufacturing company with 300 employees had delegated NIS2 implementation entirely to the IT director. After six months, technical measures like MFA and logging were in place, but security policies, executive training records, and the supplier assessment had not even been started. The restart as a company-wide project cost additional months. Establish a steering committee from the beginning that includes management, IT, legal, procurement, and HR.
Mistake 2: Starting Too Late
The NIS2UmsuCG has been in force since 06.12.2025. Building a NIS2-compliant security level takes 12 to 18 months. Organisations that have not yet started are already behind schedule and risk sanctions. Start immediately with the applicability assessment and the as-is analysis. A detailed roadmap can be found on our NIS2 Implementation page.
Mistake 3: Neglecting Documentation
Many organisations implement measures but fail to document them adequately. In an audit, only what can be proven counts. Invest in structured documentation from the start. This saves considerable effort in a crisis and protects executives from personal liability.
What "structured documentation" specifically means: Every measure needs evidence showing it was planned, implemented, and reviewed. For a risk analysis, this means the completed risk register with date, participant list, and sign-off by senior management. For training, it means attendance lists with signatures, training content, and effectiveness assessments. For the incident response process, it means exercise protocols and lessons learned. A GRC tool like Kopexa automates this evidence management and ensures no gaps arise.
Mistake 4: Ignoring the Supply Chain
Supply chain security is one of the most demanding NIS2 requirements. Many organisations underestimate the effort required for supplier assessment and start too late. Begin early with classifying and assessing your critical suppliers.
The effort is regularly underestimated: Inventorying all suppliers with access to systems or data alone can yield 50-200 entries for a mid-sized company. For each critical supplier, you need a security questionnaire, contractual adjustments (reporting obligations, audit rights), and regular reviews. Plan at least three months for building the process and the first assessment round. Start with the top 10 suppliers by criticality and work your way through the list.
Mistake 5: Treating Executive Training as a Formality
The NIS2UmsuCG obliges senior management to participate in cybersecurity training. Many organisations book a one-hour webinar and tick the box. That is not enough. Executives must be able to approve risk management measures and oversee their implementation. This requires a solid understanding of the threat landscape, their own security architecture, and regulatory requirements. Invest in multi-hour, practice-oriented workshops for executives tailored to the specific context of your organisation. This evidence is invaluable in a liability case.
These pages will help with implementation:
- NIS2 Requirements in Detail – All ten measures under Art. 21 explained
- NIS2 Implementation with Timeline – Practical roadmap for 3-6-12 months
- NIS2 Overview Page – Applicability check and full overview