The NIS 2 Compliance Checklist
As NIS 2 is transposed into national law, compliance becomes mandatory for organizations within its scope.
Although NIS 2 improves on its predecessor by expanding scope and clarifying security and reporting expectations, it can still be demanding for security and compliance teams.
To help you navigate NIS 2 with confidence, this checklist turns the directive into concrete deliverables you can assign, track, and evidence.
This guide covers:
- How to confirm scope (essential vs important entities)
- The 7 workstreams most teams need to operationalize
- What evidence to collect so compliance is demonstrable (not just “we do this”)
- How to build incident reporting timelines into your incident response process

Key takeaways
- NIS 2 is a directive: requirements are transposed into national law, so details can vary by country.
- Scope is broader than NIS: NIS 2 covers many “essential” and “important” entities across 18 sectors.
- Start with governance and risk: clear accountability plus a risk management program make the rest of the work executable.
- Operationalize incident reporting: build the 24h/72h/30d reporting cadence into your incident response program.
- Document everything: evidence is what turns security work into demonstrable compliance.
Navigating NIS 2 and its compliance requirements
NIS 2 is the successor to the original NIS (Network and Information Systems) Directive.
Its goal is to improve resilience of critical organizations against cyber threats by raising baseline expectations for governance, risk management, incident handling, and supply chain security.
NIS 2 expands scope, tightens enforcement, and introduces clearer cybersecurity and reporting requirements.
At the same time, the directive is often less prescriptive for organizations than teams expect.
That leaves a common challenge: translating broad requirements into concrete, owned, and repeatable work.
Who NIS 2 applies to (essential vs important entities)
NIS 2 applies to organizations deemed critical to societal and economic stability.
The legal text classifies 18 sectors across two categories: essential entities and important entities.
| Category | Definition | In-scope sectors (examples) |
|---|---|---|
| Essential entities | Organizations that provide critical services vital to economic stability, public safety, or national security | Energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management; public administration; space |
| Important entities | Organizations whose services are significant but pose a lower risk to overall societal functioning | Postal and courier services; waste management; manufacture/production/distribution of chemicals; production/processing/distribution of food; manufacturing; digital providers; research |
Because NIS 2 is implemented through national law, scoping can be nuanced.
As a best practice, validate applicability with counsel and document the basis for your determination.
Your practical NIS 2 compliance checklist (7 key steps)
The hardest part of NIS 2 is rarely “knowing the rule.”
It’s turning requirements into a program with clear owners, artifacts, and proof.
Below are seven practical steps many teams use to translate NIS 2 into deliverables.
| Checklist step | Typical owner | “Good enough” evidence to keep current |
|---|---|---|
| Governance strategy | CISO / Head of Security + Legal/Compliance | Governance charter, RACI, management reporting cadence, risk acceptance workflow |
| Risk management program | GRC / Risk owner | Risk register, treatment plans, review cadence, risk decisions and approvals |
| Technical controls | Security + IT | MFA coverage report, vuln scan results, patch SLAs, pen test summary, logging/monitoring evidence |
| Security policies | Security + Legal/Compliance | Approved policy set, review history, exception process and register |
| BCP + IRP + reporting | Security + Ops | Tested backups, BCP scenarios, IRP playbooks, tabletop results, incident reporting templates and timelines |
| Training | HR + Security | Training curriculum, completion reports, role-based modules, refresh triggers |
| Documentation (evidence) | Program owner | Evidence inventory, audit trail, retention rules, “prove-it-fast” process for authority requests |
1) Outline your governance strategy
Start with governance.
Without clear leadership, compliance work fragments across teams and timelines slip.
Focus on deliverables such as:
- A dedicated compliance team led by a cybersecurity officer (or equivalent) with decision-making authority
- Defined roles and responsibilities across security, IT, risk, legal, and operations
- A governance framework aligned to NIS 2 expectations, including review cadence and reporting lines
2) Develop a risk management program
NIS 2 takes a broad view of risk management.
Accountability isn’t limited to IT—multiple business functions must implement risk-based and preventive measures.
Build a risk management program that covers:
- Risk appetite and response strategy
- Threat and vulnerability identification
- Risk mitigation/remediation planning with owners and due dates
- Periodic review and updates as your environment changes
Include third-party and supply chain risk
NIS 2 places stronger emphasis on supply chain security.
Common deliverables include mapping critical suppliers and services, reviewing access paths, and validating controls for high-risk vendors.
3) Assess and update your technical controls
NIS 2 expects practical security measures, including controls such as MFA, encryption, and network security.
Start by reviewing your current technical controls against your risk landscape and documented requirements.
Then operationalize regular security reviews, such as:
- Vulnerability scanning
- Penetration testing
- Configuration review and hardening
NIS 2 is not a step-by-step technical implementation guide.
Many teams streamline execution by mapping NIS 2 requirements to established standards like ISO 27001.
4) Implement relevant security policies
NIS 2 requires in-scope entities to implement and maintain security policies.
Common policy families include:
- Access management policies (roles, permissions, provisioning, review)
- Cryptography policies (encryption requirements, key management, response to compromise)
- Risk management policies (monitoring, reporting, governance)
- Incident response policies (triage, escalation, communication, reporting SLAs)
Even where NIS 2 isn’t granular, your policies should be effective and auditable.
As a best practice, management reviews and updates policies at least annually.
5) Develop business continuity and incident response plans
Business continuity planning is a baseline expectation across most cybersecurity regulations.
For NIS 2, it’s foundational because essential and important entities must sustain critical services during disruption.
Deliverables to prioritize:
- A business continuity plan (BCP) with scenarios, dependencies, and recovery objectives
- An incident response plan (IRP) with clear workflows for detection, containment, eradication, and recovery
Operationalize incident reporting timelines
NIS 2 introduces strict reporting expectations.
Embed the following report cadence into your IRP and practice it through tabletop exercises:
- First report: within 24 hours of discovery (including likely cause)
- Follow-up report: within 72 hours of becoming aware (severity assessment and updates)
- Intermediate report: as needed or upon CSIRT request (status updates)
- Final report: within 30 days of the follow-up (full details, mitigation, cross-border impact if any)
If the incident is ongoing at the time of the final report, you may need a progress report and then a final report within one month after resolution.
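Turning the cadence above into deadlines an incident response process can track is mostly a matter of being explicit about which clock starts when. The following is an added example (not code from the original article or from SecureSlate) that derives the report milestones from a discovery timestamp, handles the case where the incident is still ongoing when the final report would fall due, and reports which milestones are overdue. It assumes the entity becomes "aware" at discovery (so the 24h and 72h clocks share a start), models "one month after resolution" as 30 days, and uses a constructed discovery time; the function and constant names are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting cadence as described in the checklist above. Modelling "one month"
# after resolution as 30 days is an assumption of this example.
FIRST_REPORT = timedelta(hours=24)        # first report, counted from discovery
FOLLOW_UP_REPORT = timedelta(hours=72)    # follow-up, counted from becoming aware
FINAL_REPORT = timedelta(days=30)         # final report, counted from the follow-up
POST_RESOLUTION_FINAL = timedelta(days=30)  # final report after resolution (ongoing incidents)


@dataclass
class Milestone:
    name: str
    due: datetime
    note: str


@dataclass
class ReportingSchedule:
    milestones: list = field(default_factory=list)

    def overdue(self, now: datetime, submitted: set) -> list:
        """Names of milestones whose deadline has passed and that are not marked submitted."""
        return [m.name for m in self.milestones if m.due <= now and m.name not in submitted]

    def next_due(self, now: datetime, submitted: set) -> Optional[Milestone]:
        """The earliest still-pending milestone after `now`, or None if nothing is pending."""
        pending = [m for m in self.milestones if m.name not in submitted and m.due > now]
        return min(pending, key=lambda m: m.due) if pending else None


def build_schedule(discovered_at: datetime, resolved_at: Optional[datetime] = None) -> ReportingSchedule:
    """Derive report deadlines for an incident discovered at `discovered_at`.

    Intermediate reports are requested by the CSIRT or filed as needed, so they are
    not scheduled here. Timestamps must be timezone-aware: a naive deadline is
    ambiguous across the jurisdictions a cross-border incident may touch.
    """
    if discovered_at.tzinfo is None or (resolved_at is not None and resolved_at.tzinfo is None):
        raise ValueError("use timezone-aware timestamps so deadlines are unambiguous")

    first_due = discovered_at + FIRST_REPORT
    follow_up_due = discovered_at + FOLLOW_UP_REPORT
    final_due = follow_up_due + FINAL_REPORT

    milestones = [
        Milestone("first_report", first_due, "early warning, including likely cause"),
        Milestone("follow_up_report", follow_up_due, "severity assessment and updates"),
    ]
    if resolved_at is not None and resolved_at > final_due:
        # Incident still ongoing when the final report would fall due: file a
        # progress report then, and the final report one month after resolution.
        milestones.append(Milestone("progress_report", final_due, "incident ongoing; status in place of final"))
        milestones.append(Milestone("final_report", resolved_at + POST_RESOLUTION_FINAL,
                                    "full details, mitigation, cross-border impact"))
    else:
        # Resolved in time, or resolution not yet known: final report on the nominal date.
        milestones.append(Milestone("final_report", final_due,
                                    "full details, mitigation, cross-border impact"))
    return ReportingSchedule(milestones)


# Constructed sample discovery time used by the helpers below.
SAMPLE_DISCOVERED = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)


def sample_schedule(resolved_after_days: Optional[int] = None) -> ReportingSchedule:
    """Schedule for the constructed sample incident, optionally resolved N days after discovery."""
    resolved = None if resolved_after_days is None else SAMPLE_DISCOVERED + timedelta(days=resolved_after_days)
    return build_schedule(SAMPLE_DISCOVERED, resolved)


def milestone_names(schedule: ReportingSchedule) -> list:
    return [m.name for m in schedule.milestones]


def due_iso(schedule: ReportingSchedule, name: str) -> str:
    return next(m.due.isoformat() for m in schedule.milestones if m.name == name)


if __name__ == "__main__":
    for label, days in (("resolved after 8 days", 8), ("resolved after 49 days", 49)):
        print(label)
        for m in sample_schedule(days).milestones:
            print(f"  {m.name:<18} due {m.due.isoformat()}  ({m.note})")
```

Feeding the schedule into a ticketing or on-call system is the useful part: the `overdue` check is what a tabletop exercise should exercise, since the 24-hour first report is the one most often missed when discovery happens late on a Friday.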
6) Ensure adequate training and support
NIS 2 governance expectations include cybersecurity training for employees of essential and important entities.
Build a training program that includes:
- Basic cybersecurity hygiene
- Role-based access control awareness
- Protection from social engineering attacks
- Secure handling and disposal of sensitive data
- Remote device security
- Incident reporting and response awareness
While NIS 2 doesn’t prescribe exact frequency, a practical baseline is annual training, plus refreshers after major incidents or meaningful security changes.
7) Oversee documentation processes
As NIS 2 is transposed into national law, in-scope organizations can face more scrutiny from relevant authorities.
That makes documentation a core compliance deliverable, not an afterthought.
Prioritize evidence such as:
- Risk assessments
- Security reports and testing outputs
- Incident response logs and communications
- Training completion records
- Access reviews and audit trails
If you’re collecting evidence across spreadsheets, email threads, and shared drives, administrative burden rises quickly.
Many teams adopt compliance tooling to centralize evidence collection and make readiness easier to maintain.
Get—and stay—NIS 2 compliant with SecureSlate
NIS 2 compliance isn’t a one-time effort.
It requires ongoing visibility, governance, and execution across your security program.
SecureSlate helps you stay ahead with automation, expert-built guidance, and cross-mapped frameworks so you can move faster with less rework.
As your NIS 2 compliance partner, SecureSlate:
- Automates key compliance workflows with integrations and pre-built evidence collection
- Provides policy and document templates aligned to areas like incident response, third-party risk, business continuity, and governance
- Turns NIS 2 requirements into a practical checklist with owners, due dates, and evidence expectations
- Cross-maps controls with frameworks like ISO 27001, SOC 2, and GDPR to reduce duplication
- Streamlines vendor risk oversight to support NIS 2’s supply chain security requirements
- Supports continuous monitoring and ongoing evidence collection to reduce manual upkeep
If you’re building NIS 2 readiness, SecureSlate can help you operationalize the program without living in spreadsheets.
Get started for free: Create your SecureSlate account
FAQ: NIS 2 compliance
Is NIS 2 compliance the same in every EU country?
No. NIS 2 is a directive and is implemented through national law, so details can vary by jurisdiction.
What should we do first for NIS 2?
Start by confirming applicability and scope, then establish governance (owners and accountability) and build a risk management program that translates requirements into deliverables.
What are the incident reporting timelines in NIS 2?
In practice, teams commonly operationalize 24-hour initial reporting, a 72-hour follow-up, intermediate updates as needed, and a final report within 30 days of the follow-up.
Does NIS 2 require supply chain security?
Yes. NIS 2 increases emphasis on third-party and supply chain risk, which often means mapping critical suppliers/services and validating vendor controls and access paths.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.