NIS2 enforcement is not theoretical anymore. BSI in Germany and equivalent authorities in other member states have begun receiving NIS2 registration notifications and, in some sectors, conducting active audits. If your organisation falls under the directive and has not assessed its position, the time available for orderly preparation is shrinking.

This checklist covers the ten minimum measures in Article 21 — and two areas that are often overlooked but consistently cause problems when regulators or enterprise clients look closely.

Before the checklist: confirm you are in scope

NIS2 applies to medium and large organisations in "essential" and "important" sectors. Essential sectors include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important sectors add postal services, waste management, chemicals, food production, manufacturing, digital providers, and research.

Size thresholds matter: medium means 50+ employees or €10M+ annual turnover; large means 250+ employees or €50M+ turnover. Micro and small enterprises are generally excluded unless they are the sole provider of a critical service in a member state.

One frequently missed point: NIS2 may apply to your organisation even if you are not directly in a covered sector, because your enterprise clients' NIS2 obligations extend to their supply chain. This means they may require you to demonstrate compliance as a condition of doing business.

The 12-point checklist

The ten minimum measures in Article 21(2) are the foundation. We have added two supplementary areas that consistently surface in assessments.

  1. Risk analysis and information security policies — A documented risk assessment that identifies your critical assets, threats, and treatment decisions. Not a template; a document that reflects your actual environment.
  2. Incident handling — A tested procedure for identifying, classifying, containing, and reporting incidents. NIS2 requires notification to the relevant CSIRT or competent authority within 24 hours of becoming aware of a significant incident, with a full report within 72 hours.
  3. Business continuity and crisis management — Documented recovery objectives and tested backup procedures for critical systems. "We have backups" is not sufficient — what matters is whether you can demonstrate recovery capability.
  4. Supply chain security — A process for assessing the security posture of your key suppliers and sub-processors. This does not require auditing every vendor, but it does require a risk-based approach with documented decisions.
  5. Security in network and information systems acquisition and maintenance — Processes for managing security in software development and procurement. This includes vulnerability management for systems you buy as well as build.
  6. Effectiveness assessment of security measures — Evidence that you regularly test and evaluate your security controls. This could be annual penetration testing, vulnerability assessments, or structured review processes — but it must be documented and recurring.
  7. Cyber hygiene practices and training — Documented basic security practices (MFA, patch management, access control policies) and evidence that staff receive security awareness training.
  8. Cryptography and encryption policies — A documented policy on when encryption is required, what standards are used, and how keys are managed.
  9. Human resources security, access control, and asset management — Onboarding and offboarding procedures that address access rights, and an asset inventory of systems that process significant data.
  10. Multi-factor authentication — MFA deployed for access to critical systems, with a documented scope and an exceptions process.
  11. Management body accountability (supplementary) — NIS2 introduces personal liability for senior management. You need evidence that your board or management team has been briefed on NIS2 obligations and has formally approved your risk management approach.
  12. Incident notification documentation (supplementary) — The 24-hour and 72-hour notification requirements mean you need a template and decision process ready before an incident occurs, not during one.

Where most organisations have gaps

In assessments we have run since NIS2 enforcement began, the most consistent gaps are not technical — they are documentation gaps. Companies have reasonable controls in place but cannot demonstrate them in a form that satisfies a regulator or a client security questionnaire.

The second most common gap is supply chain. Most organisations have not formally assessed their critical suppliers' security posture and cannot produce documentation of that assessment. This is particularly problematic when an enterprise client asks for it as a condition of contract renewal.

The third is incident handling. Organisations have informal processes for responding to IT problems, but not a documented incident response procedure that maps to NIS2 reporting requirements. The 24-hour notification window for significant incidents is tight enough that it requires a pre-existing template and a clear internal escalation path.

Practical next steps

If you are starting from scratch, prioritise in this order:

  1. Confirm whether you are in scope and in which member state.
  2. Produce a risk assessment that reflects your actual environment.
  3. Document your incident response and notification procedure before you need it.
  4. Work through the remaining controls in order of your risk assessment.

If you already have ISO 27001 or are working toward it, your gap against NIS2 is likely smaller than you think — but it is worth checking the specific Article 21 requirements against what you have documented, particularly on supply chain security and management accountability.

Need a structured NIS2 assessment?

We run NIS2 gap assessments and produce the documentation package your situation requires — whether that is for a regulator, an enterprise client, or your own management team.

Talk to us about your NIS2 position

Niklas Brandt

Lead Security Consultant, EncryptEdge One

Niklas leads penetration testing and incident response engagements at EncryptEdge One. He previously worked in enterprise security consulting across Germany and the Netherlands, with a focus on network security and post-breach forensics.