NIS2 Requirements Checklist: 15 Steps to Compliance
NIS2 compliance can seem overwhelming with its broad requirements spanning governance, technical controls, and incident response. This practical checklist breaks down the directive into 15 actionable steps you can work through systematically. Use it to assess your current state and plan your compliance journey.
Governance & Accountability (Steps 1-3)
Step 1: Establish Management Accountability
☐ Designate board member(s) responsible for cybersecurity oversight
☐ Document cybersecurity in board meeting agendas
☐ Ensure management understands personal liability implications
☐ Create escalation paths from security team to board level
Step 2: Complete Management Training
☐ Provide cybersecurity training to all management board members
☐ Document training completion and content
☐ Schedule regular refresher training (at least annually)
☐ Include NIS2 specific requirements in training curriculum
Step 3: Allocate Resources
☐ Document cybersecurity budget allocation
☐ Assign dedicated personnel for compliance activities
☐ Identify external expertise needs (consultants, auditors)
☐ Plan for ongoing compliance maintenance costs
Risk Management (Steps 4-6)
Step 4: Implement Risk Assessment Process
☐ Select and document risk assessment methodology
☐ Identify all critical assets, systems, and services
☐ Assess threats and vulnerabilities for each
☐ Calculate and prioritize risks based on likelihood and impact
☐ Schedule regular risk assessment reviews (at least annually)
Step 5: Develop Risk Treatment Plans
☐ Document risk treatment decisions (accept, mitigate, transfer, avoid)
☐ Create mitigation plans for unacceptable risks
☐ Assign owners for each risk and treatment action
☐ Track mitigation progress and effectiveness
Step 6: Create Security Policies
☐ Document information security policy approved by management
☐ Create policies for access control, data handling, acceptable use
☐ Establish procedures for policy review and updates
☐ Communicate policies to all relevant personnel
☐ Maintain evidence of policy acknowledgment
Technical Measures (Steps 7-10)
Step 7: Implement Network Security
☐ Deploy network segmentation for critical systems
☐ Implement firewall and intrusion detection/prevention
☐ Enable network monitoring and logging
☐ Consider agentless network detection for OT/IoT environments
☐ Document network architecture and security controls
Step 8: Establish Access Controls
☐ Implement multi-factor authentication for privileged access
☐ Deploy privileged access management (PAM)
☐ Create user access review process
☐ Document and enforce principle of least privilege
☐ Implement service account management
Step 9: Ensure Cryptography & Data Protection
☐ Implement encryption for data at rest where appropriate
☐ Ensure encryption for data in transit (TLS 1.2 or later; disable SSLv3, TLS 1.0 and TLS 1.1 on every exposed service)
☐ Document cryptographic key management procedures
☐ Implement data classification scheme
☐ Deploy data loss prevention where appropriate
Step 10: Implement Backup & Recovery
☐ Document backup policies and schedules
☐ Test backup restoration procedures regularly
☐ Ensure backups are protected from ransomware (offline or immutable copies, credentials separate from production accounts)
☐ Create and test disaster recovery plans
☐ Document recovery time objectives (RTO) and recovery point objectives (RPO)
Incident Management (Steps 11-12)
Step 11: Develop Incident Response Capability
☐ Create incident response plan with defined procedures
☐ Establish incident classification and severity levels
☐ Assign incident response team roles and responsibilities
☐ Create communication templates and contact lists
☐ Conduct regular incident response exercises
☐ Document post-incident review process
Step 12: Establish Notification Procedures
☐ Identify relevant national CSIRT and competent authority
☐ Create templates for the early warning (due within 24 hours of becoming aware of a significant incident)
☐ Create templates for the incident notification (due within 72 hours of becoming aware)
☐ Create templates for the final report (due within one month of submitting the incident notification)
☐ Establish criteria for determining "significant" incidents (severe operational disruption or financial loss for the entity, or considerable damage to other persons)
☐ Test notification procedures through exercises
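The three reporting clocks above are easy to get wrong under pressure, in particular that the final report is measured from when the incident notification was submitted, not from when you became aware of the incident. The following deadline tracker is an added example, not code from the checklist page; it assumes the 24-hour and 72-hour clocks start at awareness, that "one month" means the same calendar day of the following month clamped to that month's last day (confirm this interpretation with your competent authority), and it uses only the Python standard library. Report names, the `utc()` helper and the scenario dates are constructed for illustration.

```python
"""Deadline tracker for significant-incident reporting under NIS2.

Added example (not from the checklist page). Assumptions:
  * early warning        : 24 h after the entity becomes aware of the incident
  * incident notification: 72 h after awareness
  * final report         : 1 month after the incident notification is submitted
  * "one month" = same calendar day next month, clamped to the month's last day
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the constructed scenario)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_months(when: datetime, months: int) -> datetime:
    """Shift `when` by whole calendar months, clamping the day of month
    so that 31 Jan + 1 month becomes 28/29 Feb rather than raising."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: datetime | None  # unknown until the notification is submitted


def compute_deadlines(aware_at: datetime, submitted: dict[str, datetime] | None = None) -> ReportingDeadlines:
    """Derive all deadlines from the awareness time and any submissions so far."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to avoid off-by-hours errors")
    submitted = submitted or {}
    notification_sent = submitted.get("incident_notification")
    # The final-report clock only starts once the 72-hour notification is in.
    final = add_months(notification_sent, 1) if notification_sent is not None else None
    return ReportingDeadlines(
        early_warning=aware_at + timedelta(hours=24),
        incident_notification=aware_at + timedelta(hours=72),
        final_report=final,
    )


def reporting_status(aware_at: datetime, submitted: dict[str, datetime], now: datetime) -> dict[str, str]:
    """Classify each report as 'submitted on time', 'submitted late', 'overdue' or 'open'."""
    deadlines = compute_deadlines(aware_at, submitted)
    due = {
        "early_warning": deadlines.early_warning,
        "incident_notification": deadlines.incident_notification,
    }
    if deadlines.final_report is not None:
        due["final_report"] = deadlines.final_report
    status: dict[str, str] = {}
    for name, deadline in due.items():
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "submitted on time" if sent <= deadline else "submitted late"
        elif now > deadline:
            status[name] = "overdue"
        else:
            status[name] = "open"
    return status


if __name__ == "__main__":
    # Constructed scenario: aware on 30 Jan 2024 10:00 UTC, early warning sent
    # two hours late, incident notification sent within the 72-hour window.
    aware = utc(2024, 1, 30, 10)
    sent = {
        "early_warning": utc(2024, 1, 31, 12),
        "incident_notification": utc(2024, 1, 31, 15),
    }
    deadlines = compute_deadlines(aware, sent)
    print("early warning due       :", deadlines.early_warning.isoformat())
    print("incident notification due:", deadlines.incident_notification.isoformat())
    print("final report due        :", deadlines.final_report.isoformat())  # leap-year 29 Feb
    for report, state in reporting_status(aware, sent, utc(2024, 2, 3)).items():
        print(f"{report:22s} {state}")
```

Run it once with your own awareness timestamp to see how the leap-year and month-end clamping behaves before relying on it in a playbook; the status output is what an incident commander should be able to read off during an exercise under Step 11.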
Supply Chain & Continuity (Steps 13-15)
Step 13: Assess Supply Chain Security
☐ Inventory all critical suppliers and service providers
☐ Assess security practices of critical suppliers
☐ Include security requirements in supplier contracts
☐ Establish supplier incident notification requirements
☐ Create supplier monitoring and review process
Step 14: Ensure Business Continuity
☐ Document business continuity plans
☐ Identify critical business processes and dependencies
☐ Create crisis management procedures
☐ Test continuity plans through exercises
☐ Maintain and update plans based on test results
Step 15: Implement Continuous Compliance
☐ Schedule regular security assessments (internal/external)
☐ Establish vulnerability management program
☐ Create security metrics and reporting
☐ Document compliance evidence systematically
☐ Plan for regulatory audit readiness
☐ Monitor for NIS2 guidance updates from authorities
Using This Checklist
Assessment: Work through each item, marking current status (complete, in progress, not started). This gives you a compliance baseline.
Prioritization: Focus first on governance (steps 1-3) and incident response (steps 11-12). Governance carries personal accountability for management, and incident reporting runs on fixed 24-hour and 72-hour clocks that cannot be met without procedures prepared in advance.
Documentation: For every item, maintain evidence. Auditors will want proof, not promises.
Regular Review: Compliance isn't one-time. Schedule quarterly reviews of this checklist to maintain posture.
For comprehensive guidance, see our Complete NIS2 Implementation Guide.