How often should I use this checklist?

Perform a full assessment at least annually, or after significant changes to your organization, systems, or threat landscape. Quarterly reviews of high-risk areas are recommended.

Do I need all items to be compliant?

Not necessarily. What's required depends on your NIS2 classification (Essential vs Important) and your risk profile. This checklist covers comprehensive requirements - some may not apply to your organization.

What if I'm missing many items?

That's normal when starting out. Focus on high-impact, quick-win items first: incident response plan, MFA, and backup testing. Build from there systematically.

Should I hire a consultant for the assessment?

For initial assessments, doing it internally helps you understand your organization. Consider external help for validation, complex technical areas, or if you lack internal expertise.

How does this relate to CyberFundamentals?

This checklist aligns with NIS2 Article 21 requirements. CyberFundamentals provides the specific controls to implement. Use this checklist to identify gaps, then CyberFundamentals to close them.

NIS2 Compliance Checklist: Your Complete Guide

How to Use This Checklist

Go through each category and honestly assess your current state. Mark items as:

Done Fully implemented and documented

Partial Started but not complete

Not Started Not yet addressed

N/A Not applicable to your organization

1. Governance & Accountability

NIS2 requires management accountability. Leadership must be involved in cybersecurity decisions.

Board/management formally responsible for cybersecurity Cybersecurity policy approved by management Regular cybersecurity reporting to leadership Budget allocated for security measures Named person responsible for NIS2 compliance Management trained on cybersecurity risks

2. Risk Management

You must identify, assess, and manage cybersecurity risks systematically.

Risk assessment methodology defined Asset inventory maintained Risks identified and documented Risk treatment plan in place Regular risk reviews scheduled Risk appetite defined by management

3. Incident Handling

NIS2 mandates 24-hour initial notification and structured incident response.

Incident response plan documented Incident classification criteria defined Response team roles assigned 24-hour notification process established 72-hour detailed report process ready Post-incident review procedure in place Incident logging system active

4. Business Continuity

Ensure critical operations can continue during and after security incidents.

Business impact analysis completed Critical services/processes identified Recovery time objectives (RTO) defined Recovery point objectives (RPO) defined Backup procedures documented Backup testing performed regularly Disaster recovery plan in place Crisis communication plan ready

5. Supply Chain Security

Your security is only as strong as your weakest supplier.

Critical suppliers identified Supplier security requirements defined Security clauses in supplier contracts Supplier security assessments performed Supplier incident notification requirements Regular supplier security reviews

6. Network & Systems Security

Protect your infrastructure from unauthorized access and attacks.

Network segmentation implemented Firewall configured and maintained Intrusion detection/prevention active Vulnerability scanning performed Patch management process active Secure configuration baselines defined Endpoint protection deployed Security monitoring in place

7. Access Control

Ensure only authorized people access sensitive systems and data.

Access control policy documented Least privilege principle applied User access reviews performed Multi-factor authentication deployed Privileged access management in place Account lifecycle management active Remote access secured

8. Cryptography

Protect sensitive data with appropriate encryption.

Encryption policy documented Data at rest encrypted Data in transit encrypted (TLS/HTTPS) Key management procedures defined Certificate management process active

9. Human Resources Security

People are often the weakest link. Address human factors.

Security awareness training provided Training records maintained Background checks performed (where legal) Security responsibilities in job descriptions Offboarding security procedures defined Acceptable use policy signed by staff

10. Asset Management

You can't protect what you don't know you have.

Hardware inventory maintained Software inventory maintained Data classification scheme defined Asset owners assigned End-of-life procedures defined Shadow IT discovery process active

Scoring Your Assessment

After completing the checklist, calculate your readiness:

80-100%

Ready — You're well prepared. Focus on maintaining and documenting.

60-79%

Almost There — Good progress. Address remaining gaps systematically.

40-59%

Work Needed — Significant gaps exist. Prioritize high-risk areas.

0-39%

Getting Started — Major work ahead. Consider external help to accelerate.

Next Steps

Based on your assessment:

1 Prioritize gaps by risk level and effort
2 Create an action plan with deadlines
3 Assign owners to each action item
4 Track progress weekly
5 Re-assess quarterly

Want a Guided Assessment?

Easy Cyber Protection walks you through each checkpoint with clear guidance on what "good" looks like. Get a structured compliance roadmap based on your specific gaps.