NIS2 checklist: key steps for structured implementation

Updated on: 30 April 2026 · 10 min read

A NIS2 checklist gives teams a practical way to organize the work ahead. It helps clarify who is responsible for which tasks, which measures need to be documented, and where evidence may be needed for reviews or audits.

Contents

  1. NIS2 checklist at a glance
  2. NIS2 checklist in detail
  3. Further NIS2 resources

NIS2 checklist at a glance

NIS2 implementation usually touches several parts of the organisation, from management and IT to legal, procurement and communications. The table below groups the main tasks into workstreams so that teams can see what needs to be planned, assigned and documented.

Chapter | Area | Content focus | Detailed points covered
A | Governance & responsibilities | Roles, scope, risk analysis, policies, management reporting | 1 to 3
B | Awareness & human risk management | Training for management bodies and employees, effectiveness measurement, reporting | 4 and 5
C | Technical measures & baseline protection | Asset inventory, protection needs, identity and access management, MFA, vulnerability and patch management, cryptography | 6 to 10
D | Incidents & reporting channels | Incident response, reporting processes, and NIS2 notification timelines | 11 and 12
E | Resilience & evidence of effectiveness | Backup and recovery, business continuity, crisis management, testing, audits, follow-up | 13 to 15
F | Supply chain & service provider management | Supplier risks, contractual requirements, ongoing monitoring, secure procurement, development, and maintenance | 16 to 18

Use the overview as a starting point before moving into the detailed checklist. It can help you spot gaps, align stakeholders and decide which areas need attention first.

Before assigning owners and deadlines, it is worth checking which NIS2 topics are already covered and where your organisation still has gaps.


For NIS2, you must introduce, operate and demonstrate effective cyber risk management. This includes clear governance and responsibilities, basic technical safeguards, defined incident response and reporting paths, resilience measures and supply chain security, as well as awareness training and regular checks of how effective your controls actually are.

Which organisations must implement NIS2 largely depends on their sector, size and role in the supply chain. In practice, this mainly affects organisations in important or critical sectors, plus certain other entities that play a key role in providing essential services.

A NIS2-compliant risk analysis starts with a clear methodology and defined assessment criteria. Identify assets and relevant processes, assess threats, vulnerabilities and impacts, prioritise risks and define measures. Document key decisions, risk acceptances and exceptions, including management approvals.

You fulfil this obligation with structured planning, implementation and evidence. Provide ongoing awareness training, use suitable human risk management approaches to identify behavioural risks, and document participation, findings and improvements so that your measures remain traceable.


NIS2 checklist in detail

The following NIS2 checklist translates the legal requirements of the directive into concrete work items. The goal is simple: keep the implementation manageable and build evidence from the start instead of afterwards.

A. Governance and responsibilities

1. Define scope and responsibilities

What this is about:

Clear responsibilities are the base layer of any NIS2 checklist. If roles, scope and decision paths are vague, requirements get applied unevenly and are hard to defend in an audit.

To-dos:

  • Name the key roles: management, IT and security, compliance and legal, procurement, communications.
  • Define and document the scope: services, locations, critical processes, essential service providers.
  • Set reporting cycles and escalation paths that work in practice.

2. Conduct and document a risk analysis

What this is about:

Risk analysis is one of the core elements in a NIS2 checklist. It links the broad wording of the directive to concrete measures, priorities and, in some cases, justified exceptions.

To-dos:

  • Set the method and criteria you use to assess risks, and keep them stable across assessments so results stay comparable.
  • Identify, assess and prioritise risks, then derive suitable measures.
  • Record risk acceptance and exceptions, including the reasoning and the approvals.

3. Establish security policies and minimum standards

What this is about:

Policies and minimum standards turn requirements from the NIS2 checklist into binding rules for daily work. They explain how security is handled and provide important evidence during supervision or audits.

To-dos:

  • Define relevant policies, for example on access control, patch management, backups, logging and supplier management.
  • Set review and approval processes so that documents stay current.
  • Document versions, responsible owners and important changes over time.

B. Awareness and human risk management

4. Set up training programmes for management bodies and employees

What this is about:

Under the NIS2 checklist, awareness is not optional. Training for management bodies and employees is treated as part of governance and risk management, not as a side project.

To-dos:

  • Define the target groups, including management, high‑risk teams and general staff.
  • Plan training formats and learning goals that reflect the risks identified earlier in the NIS2 checklist.
  • Make participation and results traceable so they can be used as audit evidence.

5. Measure awareness activities and improve them over time

What this is about:

A NIS2 checklist that only lists training dates misses the point. Effectiveness depends on measurement, analysis and adjustments based on real behaviour.

To-dos:

  • Prepare reporting for management and audits that shows how awareness and human risk indicators develop over time.
  • Plan campaigns and simulations that reveal concrete human risk, for example around phishing or password use.
  • Use the results to update content, frequency and focus of your awareness measures.


C. Technical measures and baseline protection

6. Maintain an asset inventory and define protection needs

What this is about:

Technical parts of a NIS2 checklist rest on a simple question: which systems, services and data are you actually protecting? Without an up-to-date asset view, protection needs and priorities stay guesswork.

To-dos:

  • Maintain an inventory of systems, services, identities and relevant data flows.
  • Classify assets by protection needs and criticality.
  • Assign asset owners who are responsible for keeping information current.

7. Implement access control and identity management

What this is about:

Controlled access is one of the basic building blocks in every NIS2 checklist. It reduces the impact of compromises and limits who can reach critical systems and data.

To-dos:

  • Define roles and permission concepts, including separation of duties.
  • Set up joiner, mover and leaver processes so access follows people’s roles.
  • Regulate and log admin access separately and keep logs in a way that can be used as evidence.

8. Introduce strong authentication and secure communication

What this is about:

Strong authentication protects critical systems and privileged accounts, which is a recurring theme in NIS2 checklists and supervisory guidance.

To-dos:

  • Roll out multi‑factor authentication for critical systems and administrative access.
  • Define secure communication channels for incidents and crisis situations.
  • Document rollout status and configurations so changes and gaps remain visible.

9. Establish vulnerability, patch and change management

What this is about:

From a NIS2 checklist perspective, technical security is not a one-off project but an ongoing process. Vulnerabilities, patches and changes need a clear routine.

To-dos:

  • Define a vulnerability management process, including detection, assessment, remediation and documented exceptions.
  • Set patch cycles, priorities and timeframes for different systems.
  • Record significant changes, including approvals and rollback options.

10. Apply cryptography and encryption in a structured way

What this is about:

Encryption protects data and communication, but only if keys, algorithms and use cases are managed in a controlled way. A NIS2 checklist should therefore look beyond "encryption on/off".

To-dos:

  • Define a crypto policy that links data classes and use cases to required protection levels.
  • Set rules for key management, including roles, storage and rotation.
  • Document how cryptographic measures are implemented so they can be reviewed and tested.

D. Incidents and reporting channels

11. Set up an incident response process

What this is about:

Serious incidents are one of the key moments where a NIS2 checklist gets tested. If the process is unclear, people improvise, information gets lost and potential notification duties slip through the cracks.

To-dos:

  • Decide what you treat as an incident and which types might fall under NIS2 reporting.
  • Write down the basic steps: spot the issue, analyse it, contain the impact, fix the cause and review the lessons learned.
  • Assign clear roles for coordination, technical handling, communication and documentation.
  • Store runbooks, contact lists and playbooks somewhere that is still reachable during an outage, not only on the main network.

12. Define reporting channels and prepare for NIS2 notifications

What this is about:

NIS2 adds formal reporting for certain incidents. A practical NIS2 checklist therefore needs fixed reporting paths, not case‑by‑case guessing once pressure is already high.

To-dos:

  • List the internal and external reporting channels you have to use, including authorities, sector bodies and, where relevant, key customers or partners.
  • Set simple criteria for when an incident is treated as a potential NIS2 case and who makes that call.
  • Create report templates that collect the usual data for initial and follow‑up reports, without hard‑wiring them to one specific country’s law.
  • Check that logs, incident notes and important technical evidence can be found and exported fast enough to support timely reporting.
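The triage criteria and reporting milestones described above can be made mechanical so that nobody has to work out deadlines under pressure. The following sketch is an added example, not part of the original checklist or any vendor product; the 24-hour, 72-hour and one-month milestones follow Art. 23 of Directive (EU) 2022/2555, but the exact deadlines and forms in your member state's transposition law may differ, so the values and the significance indicators are assumptions to adjust.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Milestones modelled on Art. 23 of Directive (EU) 2022/2555, counted from the moment the
# organisation becomes aware of a significant incident (assumption: adjust to your national law).
MILESTONES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
}
FINAL_REPORT_AFTER_NOTIFICATION = timedelta(days=30)  # "one month", approximated as 30 days

@dataclass
class Incident:
    ref: str
    aware_at: datetime
    service_disrupted: bool = False   # simplified significance indicators (assumption)
    financial_loss: bool = False
    affects_others: bool = False      # harm to other natural or legal persons
    notification_sent_at: Optional[datetime] = None

def new_incident(ref: str, aware_at_iso: str, notification_sent_at: Optional[str] = None,
                 **flags: bool) -> Incident:
    """Build an incident from ISO 8601 timestamps (timezone-aware, e.g. '+00:00')."""
    sent = datetime.fromisoformat(notification_sent_at) if notification_sent_at else None
    return Incident(ref, datetime.fromisoformat(aware_at_iso), notification_sent_at=sent, **flags)

def is_potential_nis2_case(inc: Incident) -> bool:
    """Triage rule: any indicator flags the incident for the named decision-maker to review."""
    return inc.service_disrupted or inc.financial_loss or inc.affects_others

def reporting_deadlines(inc: Incident) -> dict:
    """Deadline per milestone. The final report runs from the notification actually sent,
    or, if none was sent yet, from the notification deadline (the latest possible case)."""
    due = {name: inc.aware_at + delta for name, delta in MILESTONES.items()}
    base = inc.notification_sent_at or due["incident_notification"]
    due["final_report"] = base + FINAL_REPORT_AFTER_NOTIFICATION
    return due

def overdue_milestones(inc: Incident, now_iso: str, completed: set) -> list:
    """Milestones whose deadline has passed without being recorded as completed."""
    now = datetime.fromisoformat(now_iso)
    return [name for name, due in reporting_deadlines(inc).items()
            if name not in completed and now > due]

if __name__ == "__main__":
    # Constructed sample: an outage noticed on 30 April 2026, 10:00 UTC
    inc = new_incident("INC-2026-0042", "2026-04-30T10:00:00+00:00", service_disrupted=True)
    print(is_potential_nis2_case(inc), reporting_deadlines(inc))
    print(overdue_milestones(inc, "2026-05-02T09:00:00+00:00", set()))
```

Run the overdue check from a scheduled job or the incident tracker so that a missed early warning is visible to the coordinator, not discovered during the audit.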

E. Resilience and evidence of effectiveness

13. Prove backup, restore and recovery capability

What this is about:

From a NIS2 checklist point of view, resilience only counts if it works in practice and can be shown. Backup and restore concepts therefore need more than a storage product; they need planning, testing and documentation.

To-dos:

  • Define backup and restore concepts for key systems and data, including recovery time and order of restoration as internal targets, not legal promises.
  • Document regular restore tests and note which systems, time ranges and scenarios were covered.
  • Consider dependencies, for example identity services, network components or cloud platforms that must be in place before restoration is possible.

14. Operationalise business continuity and crisis management

What this is about:

Business continuity and crisis plans are a natural extension of the technical resilience elements in a NIS2 checklist. Plans on paper are not enough; they have to be known, practised and adjusted.

To-dos:

  • Create business continuity and crisis management plans, including responsibilities and decision structures.
  • Run exercises for realistic scenarios and record what worked, what failed and where you needed ad‑hoc workarounds.
  • Track follow‑up actions from exercises and real incidents until they are completed.

15. Test and evidence the effectiveness of measures

What this is about:

NIS2 expects that measures from your NIS2 checklist are not only implemented but also tested for effectiveness. Authorities and auditors will look for proof that controls actually work in practice.

To-dos:

  • Define an annual testing and audit plan that covers technical, organisational and awareness‑related controls.
  • Prioritise findings, decide on remediation steps and monitor progress.
  • Prepare management reporting that summarises results, major risks and important trends over time.

F. Supply chain and service provider management

16. Manage supplier and service provider risks in a structured way

What this is about:

External service providers and suppliers are part of the overall risk picture under any NIS2 checklist. If they fail, your essential services may fail with them. The aim is not to ban outsourcing, but to understand and steer dependencies.

To-dos:

  • Identify which services and providers are critical for delivering your essential or important services.
  • Classify suppliers by criticality and risk level and link them to the assets and processes they support.
  • Record who owns each key relationship and how performance, security and availability are monitored.

17. Anchor security requirements in contracts and operations

What this is about:

For a NIS2 checklist, security obligations towards service providers should not rely on trust alone. They need to be visible in contracts and in day‑to‑day interaction.

To-dos:

  • Review key contracts for security‑relevant clauses, for example around incident reporting, access control, data protection and subcontractors.
  • Define minimum security expectations for critical suppliers and check them during onboarding and regular reviews.
  • Make sure operational processes support the contracts, for example by integrating providers into incident response, change management and maintenance windows.

18. Monitor supply chain security on an ongoing basis

What this is about:

Supply chain risk in a NIS2 checklist is not a one‑time assessment. Conditions, providers and attack patterns change. Monitoring has to reflect that.

To-dos:

  • Set up a simple schedule for reviewing critical suppliers, using input from audits, incidents, test results and market information.
  • Track issues and agreed improvement measures per provider and follow up until they are closed or consciously accepted.
  • Adjust your supplier portfolio, contracts or technical safeguards where repeated problems or new risks appear.

Further NIS2 resources for your organisation

NIS2 is more than a checklist. The articles below cover some key questions that often come up once the first structure is in place.

  • Guidance on planning NIS2 implementation projects and aligning NIS2 compliance efforts with the security and compliance work you already have in place.

For a more complete view of NIS2, use this checklist together with our articles and the assessment. Taken together, they give you a clearer sense of where you stand today and which next steps actually make sense.

Note: This article does not constitute legal advice. It is for general informational purposes only and does not replace a review of your specific situation. For binding guidance on your obligations under the NIS2 directive, please consult qualified legal counsel or the competent authorities.
