NISDESK · Free Reference
NIS2 Compliance Checklist
Last updated: 2026-07-08
The NIS2 Directive (EU) 2022/2555 has applied across the EU since 17 October 2024. It covers essential and important entities — medium and large organisations (generally 50+ staff or €10M+ turnover) — across 18 sectors, from energy and transport to digital infrastructure, healthcare, and managed IT services. Non-compliance can carry fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities.
This checklist walks through the core obligations: the 10 risk-management measures of Article 21(2), the governance duties of Article 20, and the incident-reporting timeline of Article 23. Use it to do a quick self-assessment, or print it for a working session with your team.
Not sure if you're in scope? Run the free 30-second scope check →
Risk-management measures — Article 21(2)
Article 21(2) requires entities to implement all-hazards, proportionate technical, operational and organisational measures across all 10 areas below.
(a) Risk analysis & information system security policies Art. 21(2)(a)
Maintain a documented risk-analysis methodology and security policies covering your information systems, updated as risk changes.
(b) Incident handling Art. 21(2)(b)
Have a defined process to detect, triage, respond to and log security incidents — this feeds directly into your 24h/72h/1-month reporting duty.
(c) Business continuity & crisis management Art. 21(2)(c)
Keep backup management, disaster recovery and crisis-management plans that let critical services keep running through an incident.
(d) Supply chain security Art. 21(2)(d)
Assess and manage the cybersecurity risk introduced by direct suppliers and service providers, including their own security practices.
(e) Security in acquisition, development & maintenance; vulnerability disclosure Art. 21(2)(e)
Apply secure-development and vulnerability-handling practices, including a process for coordinated vulnerability disclosure.
(f) Policies to assess effectiveness Art. 21(2)(f)
Regularly evaluate whether your cybersecurity risk-management measures are actually working, not just documented.
(g) Basic cyber hygiene & training Art. 21(2)(g)
Run baseline cyber-hygiene practices and security awareness training for staff, including management.
(h) Cryptography & encryption Art. 21(2)(h)
Define and apply policies and procedures for the use of cryptography and, where appropriate, encryption.
(i) HR security, access control & asset management Art. 21(2)(i)
Cover personnel security (e.g. joiner/leaver processes), access control policies and an inventory of assets.
(j) MFA, secure communications & emergency comms Art. 21(2)(j)
Use multi-factor or continuous authentication, secured voice/video/text communications, and secured emergency communication systems where appropriate.
Governance — Article 20
Management body approval & oversight Art. 20
The management body must formally approve the cybersecurity risk-management measures, oversee their implementation, and undergo relevant training. Members can be held personally liable for non-compliance with these duties.
Incident reporting timeline — Article 23
For significant incidents, three deadlines apply in sequence. See our full reporting-deadlines guide for details.
T+24h — Early warning
Notify your national CSIRT / competent authority that a significant incident occurred.
T+72h — Incident notification
Submit a fuller notification: severity, impact, initial cause assessment, indicators of compromise.
T+1 month — Final report
Submit a detailed final report: root cause, mitigation taken, cross-border impact.
Official sources
- NIS2 Directive (EU) 2022/2555 — EUR-Lex
- DORA Regulation (EU) 2022/2554 — EUR-Lex
- ENISA — EU Agency for Cybersecurity
Last reviewed: 2026-07-03
This checklist is guidance, not legal advice. Exact obligations depend on how each EU member state has transposed the directive; consult qualified legal counsel for a binding assessment.