NIS2 checklist: Implementing obligations and managing compliance in a structured way
This NIS2 checklist shows you how to implement NIS2 obligations in Germany in a practical way – from governance and awareness to technology, including the implementation act and evidence.
NIS2 checklist at a glance
This NIS2 checklist provides a compact guide for NIS2 implementation.
| Chapter | Area | Content focus | Detailed points covered |
| --- | --- | --- | --- |
| A | Governance & responsibilities | Responsibilities, scope, risk analysis, policies, management reporting | 1 to 3 |
| B | Awareness & human risk management | Training for management bodies and employees, effectiveness measurement, reporting | 4 and 5 |
| C | Technical measures & basic protection | Asset inventory, protection requirements, IAM, access, MFA, vulnerability and patch management, cryptography | 6 to 10 |
| D | Incidents & reporting channels | Incident response, reporting process and deadlines according to NIS2 | 11 and 12 |
| E | Resilience & proof of effectiveness | Backup and recovery, BCM and crisis management, tests, audits, follow-up | 13 to 15 |
| F | Supply chain & service provider management | Supplier risks, contractual requirements, ongoing monitoring, secure procurement, development and maintenance | 16 to 18 |
The following sections explain these areas in detail and show which specific measures, processes and evidence are required for NIS2-compliant implementation.
Before you get into the detailed implementation, a quick assessment with our NIS2 Check can help you set the right priorities.

NIS2 checklist in detail
This NIS2 checklist translates the legal requirements of the NIS2 Directive into concrete, actionable work steps.
The NIS2 checklist follows a practical implementation logic and helps you to document technical, organisational and personnel-related NIS2 measures in a traceable manner.
A) Governance & responsibilities
1. Define scope and responsibilities
What it’s about:
Clear responsibilities are the foundation of any NIS2 implementation. Requirements can only be implemented and proven consistently if roles, scope and decision-making paths are defined.
To-dos:
- Assign roles: Management, IT and security, compliance and legal, procurement, communications.
- Define and document scope: Services, locations, critical processes, essential service providers.
- Define reporting cadences and escalation paths.
2. Conduct and document risk analysis (Art. 21(2)(a))
What it’s about:
Risk analysis is a central element of the NIS2 checklist.
To-dos:
- Establish methodology and evaluation criteria.
- Assess and prioritise risks and derive measures.
- Approve and document risk acceptances and exceptions.
3. Establish security policies and minimum standards (Art. 21(2)(a))
What it’s about:
Policies make the NIS2 requirements binding in day-to-day work.
To-dos:
- Define relevant policies, for example on access, patch management, backups, logging and suppliers.
- Establish review and approval processes.
- Document versioning, responsibilities and change histories.
B) Awareness & human risk management
4. Implement training programmes for management bodies and employees (Art. 20(2))
What it’s about:
Awareness is part of the governance obligations under NIS2 and therefore an integral part of NIS2 implementation.
To-dos:
- Define target groups, including management and high-risk teams.
- Establish training plans and learning objectives.
- Document participation and results in an audit-proof manner.
5. Measure and continuously improve awareness measures (Art. 21(2)(f) and (g))
What it’s about:
Effectiveness is achieved through measurement, evaluation and adaptation.
To-dos:
- Prepare reporting for audits and management.
- Plan campaigns and exercises.
- Derive improvements from results.
C) Technical measures & basic protection
6. Maintain asset inventory and protection requirements (Art. 21(2)(i))
What it’s about:
You need to know which systems, services and data you are protecting.
To-dos:
- Maintain an inventory of systems, services, identities and relevant data flows.
- Document protection requirements and criticality.
- Appoint asset owners.
7. Implement access controls and identity management (Art. 21(2)(i))
What it’s about:
Controlled access reduces risks and is a core component of technical NIS2 measures.
To-dos:
- Define role and authorisation concepts.
- Establish joiner, mover and leaver processes.
- Manage and log administrative access separately and traceably.
8. Introduce strong authentication and secure communication (Art. 21(2)(j))
What it’s about:
Strong authentication protects critical systems and privileged access as part of NIS2 implementation.
To-dos:
- Introduce MFA for critical systems and administrative access.
- Define secure communication channels for incidents and crisis situations.
- Document rollout status and configurations.
9. Establish vulnerability, patch and change management (Art. 21(2)(e))
What it’s about:
Technical security is not a state, but an ongoing process in the context of NIS2.
To-dos:
- Define vulnerability management: Detection, assessment, remediation, exceptions.
- Establish patch cycles, priorities and deadlines.
- Document changes, including rollback options.
10. Implement cryptography and encryption appropriately (Art. 21(2)(h))
What it’s about:
Encryption protects data and communication, but it must be regulated in a traceable manner.
To-dos:
- Establish a cryptography policy for data classes and areas of application.
- Regulate key management, including roles and rotation.
- Document the technical implementation in an auditable manner.
D) Incidents & reporting channels
11. Establish an incident response process (Art. 21(2)(b))
What it’s about:
A structured approach to handling security incidents is a mandatory part of NIS2 implementation.
To-dos:
- Create incident response plans and playbooks.
- Define roles, contact lists and escalation levels.
- Conduct exercises and document findings.
12. Integrate the reporting process according to NIS2 (Art. 23)
What it’s about:
The reporting obligations under NIS2 are time-critical: the deadlines run from the moment the entity becomes aware of a significant incident, so the process must be clearly regulated in advance.
To-dos:
- Establish deadlines and responsibilities for each reporting stage (early warning, incident notification, final report).
- Define standardised documentation packages.
- Ensure coordination with legal, communications and management.
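As an added illustration (not code from the original checklist), the following Python module tracks the three reporting stages against their clocks. It assumes the deadlines of Art. 23(4) of the Directive: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours of becoming aware, and the final report no later than one month after the incident notification has been submitted. The class and function names, the constructed timestamps and the reading of "one month" as a calendar month with the day clamped are assumptions made for the example.

```python
"""Deadline tracking for the NIS2 reporting stages.

Added example, not part of the checklist. Assumes the stage deadlines of
Art. 23(4) NIS2: early warning within 24 h and incident notification within
72 h of becoming aware; final report within one month of the notification.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (keeps the example offline and explicit)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _check_aware(dt: datetime) -> datetime:
    # Naive timestamps silently shift deadlines across time zones; refuse them.
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


def _plus_one_month(dt: datetime) -> datetime:
    # Calendar month with the day clamped (31 Jan -> 28/29 Feb). Whether the
    # competent authority reads "one month" this way is an assumption; confirm it.
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass
class ReportingTimeline:
    """When the entity became aware and when each stage was actually submitted."""
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(tl: ReportingTimeline) -> Dict[str, Optional[datetime]]:
    """Due time per stage. The final-report clock only starts once the
    incident notification has been submitted, so it is None before that."""
    aware = _check_aware(tl.aware_at)
    final = None
    if tl.notification_sent is not None:
        final = _plus_one_month(_check_aware(tl.notification_sent))
    return {
        "early_warning": aware + timedelta(hours=24),
        "incident_notification": aware + timedelta(hours=72),
        "final_report": final,
    }


def status(tl: ReportingTimeline, now: datetime) -> Dict[str, Tuple[str, Optional[datetime]]]:
    """Per stage: ('on_time' | 'late' | 'overdue' | 'open' | 'not_started', due)."""
    now = _check_aware(now)
    sent = {
        "early_warning": tl.early_warning_sent,
        "incident_notification": tl.notification_sent,
        "final_report": tl.final_report_sent,
    }
    result: Dict[str, Tuple[str, Optional[datetime]]] = {}
    for stage, due in deadlines(tl).items():
        if due is None:
            result[stage] = ("not_started", None)
        elif sent[stage] is not None:
            result[stage] = ("on_time" if _check_aware(sent[stage]) <= due else "late", due)
        elif now > due:
            result[stage] = ("overdue", due)
        else:
            result[stage] = ("open", due)
    return result


if __name__ == "__main__":
    # Constructed scenario: aware on Monday 09:00 UTC, early warning sent the same
    # evening, notification still outstanding when checked on Thursday 10:00 UTC.
    tl = ReportingTimeline(aware_at=utc(2025, 12, 8, 9), early_warning_sent=utc(2025, 12, 8, 20))
    for stage, (state, due) in status(tl, utc(2025, 12, 11, 10)).items():
        print(f"{stage:22s} {state:12s} due {due}")
```

The module deliberately refuses naive timestamps and starts the final-report clock from the submitted notification rather than from awareness; both are the points where an ad-hoc spreadsheet usually goes wrong in an audit.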
E) Resilience & proof of effectiveness
13. Demonstrate backup, restore and recoverability (Art. 21(2)(c))
What it’s about:
Resilience must work in practice and be demonstrable.
To-dos:
- Define backup and restore concepts, including test plans.
- Document recovery tests.
- Consider dependencies, such as identity services or cloud components.
14. Operationalise business continuity and crisis management (Art. 21(2)(c))
What it’s about:
Crisis plans must be rehearsed in order to be effective in an emergency.
To-dos:
- Create BCM and DR plans and appoint responsible persons.
- Practise scenarios and document results.
- Systematically track improvements.
15. Test and demonstrate the effectiveness of measures (Art. 21(2)(f))
What it’s about:
NIS2 requires proof that the NIS2 measures implemented are effective.
To-dos:
- Define audit and test plans.
- Prioritise findings and track measures.
- Establish management reporting.
F) Supply chain & service provider management
16. Systematically manage supplier and service provider risks (Art. 21(2)(d))
What it’s about:
External dependencies are part of your own risk situation under NIS2.
To-dos:
- Identify critical services and service providers.
- Define risk and criticality classes.
- Integrate information and reporting obligations.
17. Embed security requirements contractually and operationally (Art. 21(2)(d))
What it’s about:
Contracts are a key control instrument for NIS2 implementation.
To-dos:
- Establish minimum requirements and audit rights.
- Define onboarding and re-onboarding processes.
- Ensure ongoing monitoring.
18. Secure procurement, development and maintenance (Art. 21(2)(e))
What it’s about:
Secure procurement and development are closely linked to the supply chain and are part of the NIS2 checklist.
To-dos:
- Establish requirements for updates, support and vulnerability communication.
- Request security certificates.
- Document exception processes.
NIS2 Implementation Act: Status in Germany
Note: This section is for guidance only and does not constitute legal advice.
The transposition of NIS2 into German law is complete. The national NIS2 Implementation Act was promulgated in the Federal Law Gazette on 5 December 2025 and entered into force on 6 December 2025.
The requirements of the NIS2 Directive have thus been bindingly transposed into German law and must be implemented by the organisations concerned.
What does the implementation of the NIS2 Directive in Germany mean in practice?
With the national implementation of the NIS2 Directive, cybersecurity becomes a mandatory management task. Organisations must introduce appropriate technical and organisational measures, regularly check their effectiveness and report significant incidents in a timely manner.
The NIS2 checklist helps to map these obligations in a structured manner and to design the NIS2 implementation to be auditable from the outset.
Obligations, supervision and possible sanctions
NIS2 gives rise to three key requirements that you should consider in your NIS2 checklist:
- Risk management and measures: Introduction, operation and continuous improvement of appropriate technical and organisational measures, including proof of effectiveness.
- Reporting obligations for significant incidents: Clearly defined reporting channels, responsibilities and decision-making processes under time pressure.
- Governance obligations: Responsibility of the governing bodies, including information, management and participation in training.
In practice, the focus is less on abstract sanctions and more on supervision, audits and solid evidence. Those who establish and maintain evidence at an early stage significantly reduce risks in audits and with authorities.
Further information about NIS2 and your company
If two questions remain open after working through the NIS2 checklist, these two glossary articles are the most useful next steps:
- Am I affected? Quickly check if you are affected by NIS2
The article explains which companies and organisations fall under NIS2. It guides you through relevant criteria such as sector, company size and role in the supply chain.
- NIS2 explained simply: Objectives, obligations and timetable
This overview contextualises NIS2, explains the objectives of the Directive and summarises the key obligations. These include risk management, reporting requirements and governance, including management responsibility.
Both articles complement your NIS2 checklist: First, check whether your company is affected, then embed the requirements in a structured way in your NIS2 implementation.
Note: This article does not constitute legal advice. It is for general information purposes only and is not a substitute for an individual legal review. For binding information on your obligations under NIS2 and the German implementation act, please contact qualified legal advisors or the competent authorities.