NIS2 Compliance Checklist

NIS2 Directive & NIS2 Compliance Checklist

The NIS2 Directive (Directive on Security of Network and Information Systems) is a key regulatory framework aimed at strengthening cybersecurity across the European Union. Building on its predecessor (NIS), NIS2 enhances cybersecurity measures by expanding sector coverage, imposing stricter risk management obligations, and introducing stronger enforcement mechanisms. The directive places specific obligations on essential and important entities, particularly those involved in critical infrastructure, digital services, and supply chains, to ensure they adopt proactive cybersecurity measures.

The following article provides some steps to a NIS2 Compliance Checklist which can be a helpful tool to identify if you are affected by the directive and what measures need to be implemented.

Is My Organization Affected by NIS2?

The first step of the NIS2 Compliance Checklist is to identify if your organization is affected. NIS2 poses two different entity categories in which it is applicable. These two categories are:

• Essential Entities (EE), with a threshold: generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million.
• Important Entities (IE), with a threshold: generally 50 employees and annual turnover of € 10 million or balance sheet of € 10 million.

NIS2 entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State. Look at the figure below to see which sectors belong to the entities.

NIS2 10 Minimum Measures

Secondly, the NIS2 Compliance Checklist focuses on minimum security measures. NIS2 mandates that essential and important entities implement baseline security measures to address specific risks posed to the systems. These measures include:

1. Risk assessments and security policies for information systems. Companies maintain a proactive security posture by identifying and addressing potential cybersecurity threats before they materialize.
2. Regular cybersecurity audits and assessments. Organisations must identify weaknesses in their security framework and validate its compliance with NIS2 requirements. Audits help improve organizational security posture by conducting vulnerability assessments, penetration testing and compliance checks.
3. Incident detection, response, and recovery procedures. Identifying and responding to cybersecurity incidents quickly helps reduce downtime, minimize damage and ensures overall easier recovery. Well-structured playbooks help concentrate focus on important areas during the entire lifecycle of an incident. These procedures also enhance coordination between technical teams, management and even external entities like press or regulatory agencies.
4. Encryption and data protection protocols. To ensure data confidentiality and integrity it is important to protect sensitive data from unauthorized access, theft and tampering. This also helps organizations to be compliant with the General Data Protection Regulation(GDPR).
5. Access control and identity management. Implementing multi-factor authentication and least privilege principles is essential to reduce the risk of insider threats and unauthorized access within critical systems.
6. Secure software development practices. To prevent security vulnerabilities in applications and software used within the organization, it is important to implement secure coding principles, conduct regular code reviews and vulnerability testing to mitigate software-related risks.
7. Incident reporting mechanisms. Ensuring compliance with NIS2 by mandating timely reporting of cybersecurity incidents to authorities. It is important to have proficient coordination and intelligence sharing when responding to a cyber threat.
8. Network and information systems security. Keeping your network infrastructure secure is fundamental to prevent unauthorized access, data breaches and other cyberattacks. Implementing strong firewalls, monitoring, and robust intrusion detection/prevention helps detect anomalies early and act before damage is done.
9. Business continuity and disaster recovery plans. Having these plans in place ensures that critical services remain operational even after a cyber incident or system failure. These plans can be tested by conducting regular table-top exercises for C-level executives and board members as they are expected to lead during distress.
10. Employee cybersecurity awareness training. Employees are oftentimes called the weakest link in cybersecurity, but that conclusion is not necessarily fair. Proper training helps employees recognize and report threats encountered like phishing and social engineering. Creating a security-first mindset is helpful for deterring these kinds of threats and ensures employees who handle sensitive data follow the best practices.

Consequences for Non-Compliance with NIS2

Thirdly, the NIS2 Compliance Checklist focuses on consequences for non-compliance with NIS2. Organizations that fail to comply with the NIS2 Directive may face severe consequences which can be financial or operational.

Financial and Operational Penalties

NIS2 introduces a structured penalty system, with fines based on the entity category. Essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities can be fined up to €7 million or 1.4% of global turnover, whichever is higher. These fines are designed to enforce strict compliance and emphasize the necessity of cybersecurity prioritization.

Beyond financial penalties, non-compliance can result in significant operational disruptions. Regulators have the authority to suspend business activities until an organization meets compliance requirements. This can halt critical operations, which cause financial loss and reputational harm. In regulated industries, authorities may revoke operating licenses, preventing the organization from continuing its services. The NIS2 Directive also holds natural persons in senior management positions within covered entities accountable for cybersecurity measures. In some cases, a temporary ban from management positions can also be implemented for responsible executives, enforcing corporate accountability.

Enforcement Mechanisms in EU Member States

EU Member States enforce NIS2 through National Competent Authorities (NCAs), conducting audits, inspections, and investigations. Organizations must report cyber incidents within 24 hours and submit a full report within a month. Failure to comply may result in corrective action orders, fines, and operational restrictions. Regulators have the authority to impose immediate security improvements, ensuring cybersecurity risks are addressed swiftly. Public disclosure of non-compliance, or “naming and shaming,” can harm an organization’s reputation. Compliance checks may be routine or triggered by security incidents, leading to further regulatory scrutiny. These measures reinforce the directive’s goal of strengthening cybersecurity resilience across essential and important sectors.

Reputational Risks of Non-Compliance

Beyond legal penalties, non-compliance poses serious reputational risks. Customers expect secure services, and failing to meet cybersecurity standards can erode trust, damage brand reputation, and drive customers to competitors. Regulatory fines and breaches often lead to negative media coverage, attracting scrutiny from industry stakeholders and the public. Business partners and suppliers may terminate contracts or refuse to engage with non-compliant companies due to security concerns. Organizations can also be disqualified from government tenders and procurement opportunities, reducing growth potential. In contrast, companies that comply with NIS2 can market themselves as trusted, secure service providers, gaining a competitive advantage in industries where cybersecurity is a key differentiator.

Tools & Resources

Finally, the NIS2 Compliance Checklist focuses on 2 key training areas to ensure adherence to the requirements.

Cyber Awareness Trainings for NIS2

RiskSight provides tailored cyber awareness training programs designed to educate employees on the latest cybersecurity threats and best practices. These programs align with NIS2’s emphasis on basic cyber hygiene and regular training, helping organizations meet compliance requirements. To get started with a customized cyber awareness programme, visit our Cyber Security Awareness Trainings page.

Table-Top Exercises for NIS2

To enhance incident response capabilities, RiskSight facilitates table-top exercises that simulate cyber incidents. These exercises allow organizations to test and refine their response strategies, ensuring preparedness for real-world scenarios. This proactive approach supports NIS2’s mandate for effective incident handling and business continuity planning. To get started with planning table-top exercises, visit our Strategic Cybersecurity Exercises page or the specific NIS2 Cybersecurity Exercises page.