NIS2 Compliance Checklist
A practical checklist covering all ten areas of NIS2 Article 21 compliance. Use this to identify gaps, prioritise actions, and build a roadmap to compliance readiness.
It is designed to help you understand the scope of NIS2 obligations and identify gaps before a formal assessment. For documented compliance evidence, a structured NIS2 Assessment provides the gap analysis, remediation roadmap, and readiness validation that regulators require.
The NIS2 Compliance Checklist
NIS2 Article 21 defines ten mandatory risk-management measures. This checklist covers all ten, organised into practical areas. Work through each section and note where gaps exist — each gap is a compliance risk.
Governance & Accountability
Clear cybersecurity ownership and executive accountability across the organisation.
- Cybersecurity roles formally assigned
- Board approves cybersecurity strategy
- Executive accountability documented
- Cyber budget reviewed annually
Cyber Risk Management
Identify operational cyber risks across infrastructure, users, and suppliers.
- Formal risk assessment process in place
- Risk register maintained and reviewed
- Threat landscape assessed regularly
- Risks reviewed after significant changes
→ Article 21(2)(a)
Technical Security Controls
Implement appropriate technical and operational security measures.
- Multi-factor authentication enforced
- Endpoint and email security deployed
- Data encryption in place (at rest and in transit)
- Patch management process followed
→ Article 21(2)(g)(h)(i)
Network Security
Secure network and information systems against unauthorised access and disruption.
- Network segmentation implemented
- Firewall and perimeter controls in place
- Network traffic monitored and logged
- Intrusion detection/prevention deployed
→ Article 21(2)(h)
Third-Party Risk Management
Continuously monitor supplier cyber exposure, compliance posture, and operational risk.
- Critical suppliers identified and documented
- Supplier security assessments conducted
- Contractual security requirements in place
- Supply chain risk register maintained
→ Article 21(2)(d)
Incident Response & Reporting
Prepare for cyber incidents with clear response processes and operational coordination.
- Incident response plan documented and tested
- 24-hour early warning capability in place
- 72-hour full notification process defined
- Post-incident review process established
→ Article 21(2)(b)
Security Awareness & Training
Strengthen employee awareness to reduce phishing, ransomware, and human-driven cyber risk.
- Continuous cybersecurity awareness training delivered
- Phishing simulation programme in place
- Board and management training delivered
- Training completion records maintained
→ Article 21(2)(g)
Vulnerability Handling & Disclosure
Identify, manage, and disclose vulnerabilities in systems and software.
- Vulnerability scanning performed regularly
- Patch prioritisation process in place
- Penetration testing conducted annually
- Responsible disclosure policy published
→ Article 21(2)(e)
Business Continuity & Recovery
Maintain operational resilience and recover critical systems during disruption.
- Business continuity plan documented and tested
- Backups isolated, tested, and ransomware-proof
- Recovery time and point objectives defined
- Crisis communication plan documented
→ Article 21(2)(c)
Audit & Compliance Evidence
Maintain ongoing visibility, monitoring, and documented compliance readiness.
- Continuous monitoring in place
- Audit evidence and compliance records maintained
- Control testing performed regularly
- Management reporting completed
→ Article 21(2)(f)(j)
📋 NIS2 Compliance Checklist & Readiness Workbook 2026
Download the full workbook — all ten sections with Yes / Partial / No scoring, organisation details, and a scoring guide. Print it, fill it in, share it with your board.
A structured NIS2 Assessment turns your checklist gaps into a formal gap report, prioritised remediation roadmap, and compliance validation. Magic Stone manages the technical controls. GRSee leads the compliance assessment and governance framework.
Start your NIS2 Assessment →
Related
Gaps Found? Let's Build Your Compliance Roadmap.
Book a NIS2 scoping call with Magic Stone. We'll review your checklist findings, identify your biggest compliance risks, and show you what a structured remediation roadmap looks like.
Book a NIS2 AssessmentFrequently Asked Questions
Frequently Asked Questions About the NIS2 Compliance Checklist
Answers to common questions about the NIS2 compliance checklist, cyber resilience, supplier risk, operational security, and AI-powered cybersecurity.
NIS2 applies to many organizations operating in sectors such as healthcare, manufacturing, energy, transport, digital infrastructure, logistics, managed services, and other critical industries. Even organizations that are not directly regulated may still face cybersecurity and supplier risk requirements through customers and supply chain relationships.
AI-powered cybersecurity helps organizations automate repetitive security tasks, improve visibility into supplier risks, detect threats faster, and strengthen operational resilience. This supports organizations in improving cyber readiness without significantly increasing operational workload.
NIS2 places strong emphasis on supplier and supply chain security because cyber incidents increasingly originate through third parties, software providers, cloud services, and external operational dependencies. Organizations must improve visibility into supplier risks and continuously monitor external exposure.
Organizations can strengthen cyber resilience by improving supplier oversight, implementing continuous monitoring, strengthening ransomware protection, improving incident response readiness, increasing visibility into operational risks, and adopting modern cybersecurity solutions aligned with evolving compliance requirements.