NIS 2 compliance checklist: The ultimate 7-step approach for your organization

by SecureSlate Team in NIS 2


With the transposition deadline of 17 October 2024 passed and NIS 2 being written into national law across the EU, compliance has become mandatory for organizations within its scope.

Although NIS 2 addresses shortcomings in the original NIS directive by expanding scope and setting clearer security and incident reporting expectations, it can still feel demanding—especially because the directive leaves room for interpretation in how requirements translate to day-to-day execution.

This checklist clarifies the key deliverables your team should focus on to build a practical, auditable NIS 2 program.

Related guide: DORA vs NIS 2: Importance and key differences explained



Key takeaways

  • NIS 2 is a directive: requirements become enforceable through national laws, so details can vary by Member State.
  • Scope comes first: determine whether you’re an essential or important entity and what systems/services are in scope.
  • Governance is a requirement: leadership accountability and clear ownership are prerequisites, not “nice-to-haves.”
  • Incident reporting needs a clock: design your incident response plan so timelines and decision points are operational, not theoretical.
  • Evidence wins audits: if you can’t produce documentation, controls, and records on request, you’ll struggle to demonstrate compliance.

NIS 2 (Directive (EU) 2022/2555, the revised Network and Information Systems directive) aims to improve the resilience of covered organizations against cyber threats. Compared to its predecessor, it expands scope and raises expectations around:

  • Risk management measures (including supply chain security)
  • Governance and accountability
  • Incident handling and reporting
  • Supervision and enforcement

While much of the directive focuses on Member State obligations, in-scope organizations must implement a set of cybersecurity and reporting measures. In practice, the hard part is translating broad requirements into an operating program with owners, policies, controls, and evidence.


Who is in scope under NIS 2?

NIS 2 applies to public and private entities in sectors deemed critical to the economy and society. The directive lists those sectors in two annexes (Annex I, "sectors of high criticality", and Annex II, "other critical sectors") and classifies in-scope entities as essential or important, mainly by annex and size: in general, large enterprises in Annex I sectors are essential entities, while medium-sized enterprises in Annex I sectors and medium or large enterprises in Annex II sectors are important entities. A few entity types are covered regardless of size (for example qualified trust service providers, TLD name registries, DNS service providers and providers of public electronic communications networks), and Member States may designate further entities.

Category           | How entities typically qualify                                                               | Example sectors (non-exhaustive)
-------------------|----------------------------------------------------------------------------------------------|---------------------------------
Essential entities | Large enterprises in Annex I sectors, plus certain entity types regardless of size           | Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space
Important entities | Medium-sized enterprises in Annex I sectors; medium or large enterprises in Annex II sectors | Postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research

The distinction matters beyond scoping: essential entities are subject to proactive (ex ante and ex post) supervision, important entities are supervised after the fact when there is evidence of non-compliance, and the maximum administrative fines differ (at least EUR 10 million or 2% of worldwide annual turnover for essential entities, at least EUR 7 million or 1.4% for important entities). Because NIS 2 is implemented through national law, your exact scope can also depend on where you operate and how each Member State defines thresholds and sector coverage. Start by documenting your scoping rationale: which legal entities, services and systems you believe are in scope, and why.


Your practical NIS 2 compliance checklist (7 steps)

Use the seven steps below as a foundation for building a NIS 2 program you can operate—and defend—over time:

  1. Outline your governance strategy
  2. Develop a risk management program
  3. Assess and update your technical controls
  4. Implement relevant security policies
  5. Develop business continuity and incident response plans
  6. Ensure adequate training and support
  7. Oversee documentation processes

Step 1: Outline your governance strategy

Without clear leadership and ownership, compliance work becomes fragmented across departments and timelines slip. NIS 2 makes this a legal matter: under Article 20, the management body of an essential or important entity must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements.

Start by establishing a dedicated compliance working group led by a security leader (for example, a CISO, Head of Security or designated cybersecurity officer) with a direct reporting line to the management body. Then define:

  • Roles and responsibilities for security, IT, legal, operations, and vendor management
  • Decision-making pathways (who approves risk acceptance, exceptions, and emergency changes)
  • A compliance cadence (how often you review risk, incidents, third parties, and control effectiveness)
  • A realistic roadmap with milestones (gap assessment → remediation → validation → continuous monitoring)

If your security program is still maturing, treat NIS 2 governance as a forcing function to establish repeatable cybersecurity governance early.

Step 2: Develop a risk management program

NIS 2 requires an all-hazards, risk-based approach (Article 21(1)) that extends beyond IT to physical security, personnel and suppliers. The directive explicitly calls out supply chain security, including the security-related aspects of your relationships with direct suppliers and service providers, so you need a third-party risk strategy that maps to your critical services.

Build (or mature) a risk management program that includes:

  • Risk appetite and criteria: what “high/medium/low” means for your organization
  • Threat and vulnerability identification: including business-critical services and supporting assets
  • Risk treatment workflows: mitigate, remediate, transfer, accept (with approvals)
  • Third-party risk oversight: identify critical suppliers, required controls, and monitoring expectations
  • Review cadence: periodic reassessments and triggers (new vendors, major releases, incidents, M&A)

A practical deliverable is a living risk register that connects risks to owners, controls, and remediation work—so it’s not just a spreadsheet graveyard.

Step 3: Assess and update your technical controls

Article 21(2) of NIS 2 lists the minimum areas your measures must cover: risk analysis and information system security policies; incident handling; business continuity, backup management, disaster recovery and crisis management; supply chain security; security in acquisition, development and maintenance of systems, including vulnerability handling and disclosure; assessing the effectiveness of measures; basic cyber hygiene and training; cryptography and encryption; human resources security, access control and asset management; and multi-factor or continuous authentication plus secured (including emergency) communications. It does not prescribe a single technical implementation. One caveat: for DNS, TLD, cloud, data centre, CDN, managed (security) service, online marketplace, search engine, social network and trust service providers, Commission Implementing Regulation (EU) 2024/2690 spells out the technical and methodological requirements in more detail, so check whether it applies to you.

Start by baselining your current environment:

  • Run vulnerability scanning and track remediation SLAs
  • Perform penetration testing where it’s appropriate for your risk profile
  • Validate identity and access management (MFA coverage, least privilege, offboarding)
  • Review encryption at rest/in transit and key management practices
  • Confirm logging and monitoring supports detection and investigation

To reduce rework, map NIS 2 requirements to a control framework you already use (for example, ISO 27001 or SOC 2) and reuse evidence where it meets intent.

Step 4: Implement relevant security policies

Policies translate “what we do” into a documented expectation—then audits test whether reality matches the policy.

At a minimum, ensure you have policies that cover:

  • Access management (roles, provisioning, reviews, privileged access)
  • Cryptography and encryption (approved methods, usage guidelines, key management)
  • Risk management (program governance, monitoring, reporting)
  • Incident response (triage, escalation, communications, reporting milestones)
  • Vendor/supply chain security (due diligence, contracts, monitoring, termination)
  • Vulnerability management (intake, prioritization, remediation, disclosure handling)

As a best practice, set an annual (or risk-triggered) review cycle and enforce ownership so policies don’t go stale.

Step 5: Develop business continuity and incident response plans

NIS 2 expects you to maintain continuity and manage incidents effectively. This is where many programs fail: plans exist, but they aren’t operational or tested.

Business continuity planning (BCP)

Make sure you can maintain or restore critical services by defining:

  • Critical services and dependencies (systems, vendors, people)
  • Recovery objectives (RTO/RPO) aligned to business impact
  • Backup and restoration testing evidence
  • Crisis communications and escalation paths

Incident response planning (IRP)

Your IRP should define workflows for detection, classification, containment, eradication, and recovery—plus a clear reporting clock.

NIS 2 introduces strict reporting expectations. Article 23 sets the clock for "significant incidents", meaning incidents that have caused or are capable of causing severe operational disruption or financial loss, or that have affected or can affect other natural or legal persons by causing considerable material or non-material damage. National law may add detail or stricter timelines, but the directive itself defines four milestones for notifying your CSIRT or competent authority:

  • Early warning: within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
  • Incident notification: within 72 hours of becoming aware (24 hours for trust service providers), updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • Intermediate report: on request of the CSIRT or competent authority, with relevant status updates
  • Final report: no later than one month after the incident notification, covering a detailed description of the incident, the type of threat or root cause, applied and ongoing mitigation, and cross-border impact where applicable. If the incident is still ongoing at that point, a progress report is due then and the final report within one month of concluding the handling

Separately, where applicable you must notify recipients of your services that are likely to be adversely affected, and tell them about measures they can take in response to a significant cyber threat.

Design your incident process so these timelines can be met without heroics. Note that the 24-hour and 72-hour clocks start when you become aware, not when you confirm the incident, so record the time of awareness in the incident record. Define decision points (who decides an incident is "significant"), evidence capture, communications templates, and who has authority to submit each report.
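To make the reporting clock operational rather than theoretical, the incident record needs the deadlines computed from timestamps, not remembered by whoever is on call. The following added example (not code from the original article or from SecureSlate) tracks the Article 23 milestones for one incident. It assumes the directive's own timelines, interprets "one month" as one calendar month, and treats the four-hour warning window as an assumed configuration value; national transposition may tighten these, so keep them as configuration.

```python
"""Reporting-clock tracker for NIS 2 significant incidents (Article 23(4)).

Added example. Assumes the directive's own milestones; national law may
impose stricter or additional deadlines, so treat the constants as config.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)   # from becoming aware of the incident
NOTIFICATION = timedelta(hours=72)    # from becoming aware (24h for trust service providers)
WARN_WINDOW = timedelta(hours=4)      # assumed: flag deadlines this close as "DUE SOON"


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                      # when the entity became aware
    notified_at: Optional[datetime] = None  # when the 72h notification was submitted
    handled_at: Optional[datetime] = None   # when handling concluded; None while ongoing

    def __post_init__(self) -> None:
        # Naive datetimes silently shift across time zones and DST; refuse them.
        for name in ("aware_at", "notified_at", "handled_at"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")


def add_one_month(moment: datetime) -> datetime:
    """Same clock time one calendar month later, clamped to the month's last day."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def deadlines(inc: Incident) -> dict[str, datetime]:
    """Return every currently computable reporting deadline for the incident."""
    due = {
        "early_warning": inc.aware_at + EARLY_WARNING,
        "incident_notification": inc.aware_at + NOTIFICATION,
    }
    if inc.notified_at is not None:
        month_after_notification = add_one_month(inc.notified_at)
        if inc.handled_at is not None and inc.handled_at <= month_after_notification:
            due["final_report"] = month_after_notification
        else:
            # Still ongoing when the final report would fall due: a progress
            # report is due then and the final report one month after handling
            # concludes, which is unknown until handled_at is recorded.
            due["progress_report"] = month_after_notification
            if inc.handled_at is not None:
                due["final_report"] = add_one_month(inc.handled_at)
    return due


def status(inc: Incident, now: datetime) -> dict[str, str]:
    """Classify each deadline as OK, DUE SOON or OVERDUE relative to `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    result = {}
    for name, due in deadlines(inc).items():
        remaining = due - now
        if remaining <= timedelta(0):
            result[name] = "OVERDUE"
        elif remaining <= WARN_WINDOW:
            result[name] = "DUE SOON"
        else:
            result[name] = "OK"
    return result


if __name__ == "__main__":
    # Constructed sample incident; the timestamps are illustrative only.
    inc = Incident("INC-0001", aware_at=datetime(2025, 3, 10, 14, 0, tzinfo=timezone.utc))
    for name, when in deadlines(inc).items():
        print(f"{name:22s} {when.isoformat()}")
    print(status(inc, now=datetime(2025, 3, 11, 13, 0, tzinfo=timezone.utc)))
```

The two design points worth copying into a real ticketing integration are that the final-report clock starts from the notification you actually submitted (so that submission timestamp must be captured as evidence), and that the tracker refuses naive timestamps, which is the usual way a 24-hour deadline quietly becomes a 23- or 25-hour one.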

Step 6: Ensure adequate training and support

NIS 2 treats training as a governance requirement, not just an awareness exercise: members of the management body must themselves complete cybersecurity training and are expected to offer similar training to employees regularly (Article 20(2)), and basic cyber hygiene practices and cybersecurity training are among the minimum measures in Article 21(2). Training should be role-aware and defensible with evidence.

Your program should cover:

  • Basic security hygiene (passwords, MFA, safe browsing)
  • Phishing and social engineering defense
  • Data handling and secure disposal
  • Remote work and device security
  • Role-based access control and privileged access expectations
  • Incident awareness (how to report, what to report, where to escalate)

At a minimum, run training annually, and require targeted refreshers after major incidents or material program changes.

Step 7: Oversee documentation processes

Compliance is easier when documentation is designed as a system—not a scavenger hunt across tickets, spreadsheets, and inboxes.

Create a documentation program that maintains:

  • Risk assessments and risk treatment records
  • Policy documents and review/approval history
  • Technical control evidence (logs, configs, screenshots, test results)
  • Incident response records and post-incident reviews
  • Security training completion records
  • Vendor due diligence artifacts and ongoing monitoring records

Aim for a “prove it in minutes” standard: if an authority requests evidence, you should be able to produce it quickly, consistently, and with an audit trail.


Get—and stay—NIS 2 compliant with SecureSlate

NIS 2 compliance isn’t a one-time project. It requires ongoing visibility, governance, and execution across your security program.

SecureSlate helps you operationalize NIS 2 by centralizing requirements, controls, and evidence—so your team spends less time chasing artifacts and more time reducing risk.

With SecureSlate, you can:

  • Centralize evidence for audits, internal reviews, and incident follow-ups
  • Assign control owners and track remediation with clear accountability
  • Map controls across frameworks to reuse work you’ve already done
  • Maintain continuous readiness as systems and vendors change

Get started for free: Create your SecureSlate account


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute legal advice. When determining your obligations and compliance approach for NIS 2 and related laws, consult qualified legal counsel.

