A Practical EU NIS 2 Compliance Checklist for Global Organisations
NIS 2 raises expectations for how organisations manage cybersecurity. Meeting the directive starts with a set of core documents and processes that form the foundation of compliance. These materials demonstrate that risks are understood, responsibilities are defined, and critical functions can continue during disruption. They also help teams work in a structured way when incidents occur or suppliers introduce new risk.
This article sets out, as a checklist, the documents and processes your organisation needs to have in place. Each step below links to a section that explains what to include and what your team needs to put in place.
- Cybersecurity Risk Management Policy
- Incident Response and Notification Procedure
- Business Continuity and Disaster Recovery Plan
- Supply Chain Security Policy
- Secure Development and Maintenance Policy
- Access Control and Asset Management Policy
- Cryptography and Encryption Policy
- Security Awareness and Training Program
- EU Representative Designation (conditional)
In each section, you will also find suggestions on internal processes to help support compliance.
We also provide practical considerations for your organisation's internal NIS2 compliance project.
Discover how Prighter can support your organisation in managing your EU NIS2 compliance obligations. If you'd like to discuss in detail, book a free consultation today.
9-Point EU NIS 2 Compliance Checklist
Here are the nine items on the checklist: eight documents every in-scope entity needs, plus a conditional ninth step that applies only to entities not established in the EU:
1. Cybersecurity Risk Management Policy (NIS 2 Art. 21)
NIS 2 requires organisations to have documented policies on risk analysis and information system security (Art. 21(2)(a)). This policy should outline how the company identifies, assesses, and manages cyber risks, and which of the minimum measures in Art. 21(2) it has put in place in response. Accountability sits with the management body (Art. 20): it must approve the risk management measures, oversee their implementation, can be held liable for infringements, and its members must themselves undergo cybersecurity training. Record the approval and the review cycle, so that board-level ownership is demonstrable rather than assumed.
| Information to provide: | Steps to take: |
|---|---|
2. Incident Response & Notification Procedure (NIS 2 Art. 21(b), Art. 23)
Prepare a formal incident response plan that details how to detect, handle, and recover from cybersecurity incidents. NIS 2 (Art. 23) sets three statutory clocks for significant incidents: an early warning to the CSIRT or competent authority without undue delay and in any event within 24 hours of becoming aware of the incident; an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any indicators of compromise; and a final report no later than one month after the incident notification. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within a month of the incident being handled; intermediate status updates may be requested in between. Where appropriate, recipients of your services who are likely to be affected must also be informed. The procedure should encode these timelines, define what counts as "significant" for your services, and designate who notifies the national CSIRT (Computer Security Incident Response Team) and competent authority.
| Information to provide: | Steps to take: |
|---|---|
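The three Art. 23 clocks are easy to get wrong under pressure, in particular that the one-month final-report clock starts at the 72-hour incident notification rather than at the moment of awareness, and that "one month" is a calendar month rather than 30 days. The following deadline tracker is an added example written for this article, not code from Prighter or from any regulator; it assumes the three deadlines as described above, treats "one month" as a calendar month with end-of-month clamping (an assumption, since the directive does not define the term), and uses constructed timestamps for its sample incident.

```python
"""Deadline tracker for NIS 2 Art. 23 incident notifications (added example).

Clocks modelled (assumptions drawn from the article's description of Art. 23):
  early warning          <= 24 h after becoming aware of a significant incident
  incident notification  <= 72 h after becoming aware
  final report           <= 1 calendar month after the incident notification
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def add_calendar_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping the day to the target month's length
    (31 Jan -> 28/29 Feb). Calendar-month semantics are an assumption."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class IncidentClocks:
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # The 24 h / 72 h windows are absolute, so naive (zone-less) timestamps
        # would silently shift deadlines when teams sit in different time zones.
        for name in ("aware_at", "early_warning_sent", "notification_sent", "final_report_sent"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def deadlines(self) -> Dict[str, datetime]:
        # The final-report clock starts when the 72 h notification is actually
        # submitted. Until then, plan against the latest date it could start.
        notification_anchor = self.notification_sent or (self.aware_at + timedelta(hours=72))
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "incident_notification": self.aware_at + timedelta(hours=72),
            "final_report": add_calendar_month(notification_anchor),
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Per-report status: sent_on_time, sent_late, OVERDUE or due_in_<n>h."""
        sent = {
            "early_warning": self.early_warning_sent,
            "incident_notification": self.notification_sent,
            "final_report": self.final_report_sent,
        }
        result: Dict[str, str] = {}
        for name, due in self.deadlines().items():
            if sent[name] is not None:
                result[name] = "sent_on_time" if sent[name] <= due else "sent_late"
            elif now > due:
                result[name] = "OVERDUE"
            else:
                hours_left = int((due - now).total_seconds() // 3600)
                result[name] = f"due_in_{hours_left}h"
        return result


if __name__ == "__main__":
    # Constructed sample incident: SOC became aware on 30 Jan 2024 at 10:00 UTC,
    # sent the early warning the same evening, has not yet sent the 72 h notification.
    utc = timezone.utc
    clocks = IncidentClocks(
        aware_at=datetime(2024, 1, 30, 10, 0, tzinfo=utc),
        early_warning_sent=datetime(2024, 1, 30, 20, 0, tzinfo=utc),
    )
    for report, when in clocks.deadlines().items():
        print(f"{report:22s} due {when.isoformat()}")
    print(clocks.status(now=datetime(2024, 2, 1, 0, 0, tzinfo=utc)))
```

Wire `status()` into the incident ticket so the on-call lead sees the remaining hours on each clock; the `final_report` deadline moves earlier once `notification_sent` is recorded, which is why the tracker is keyed on actual submission times rather than on awareness alone.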
3. Business Continuity & Disaster Recovery Plan (NIS 2 Art. 21(c))
Create a Business Continuity Plan (BCP) and Disaster Recovery procedures to ensure that essential operations can continue, or be restored quickly, after a disruptive incident. NIS 2 explicitly calls for measures on “business continuity... and crisis management” including backup management and disaster recovery. This document should identify critical systems and data, backup routines, emergency access to systems, and steps to take in various outage scenarios (cyber-attack, IT failure, etc.).
| Information to provide: | Steps to take: |
|---|---|
4. Supply Chain Security Policy (NIS 2 Art. 21(d))
Develop a policy addressing security requirements for the company’s suppliers and service providers. NIS 2 obliges entities to consider security across their supply chain, including the cybersecurity practices of direct suppliers (e.g. cloud or datacenter providers). The policy should set criteria for supplier due diligence, security clauses in contracts, and ongoing monitoring of third-party risk. Entities must evaluate vulnerabilities specific to each supplier and the overall strength of their security measures.
| Information to provide: | Steps to take: |
|---|---|
5. Secure Development & Maintenance Policy (NIS 2 Art. 21(e))
Document your organisation’s approach to security in the acquisition, development, and maintenance of IT systems. NIS 2 requires measures for secure system development and vulnerability handling/disclosure. This policy should cover secure coding practices, change management, patch management, and how you handle discovered vulnerabilities (including a process to promptly apply security updates and a vulnerability disclosure program if applicable).
| Information to provide: | Steps to take: |
|---|---|
6. Access Control & Asset Management Policy (NIS 2 Art. 21(i), (j))
Create a policy defining how access to systems and data is managed and how information assets are tracked and protected. NIS 2 expects entities to implement “human resources security, access control policies and asset management,” including, where appropriate, the use of multi-factor authentication (MFA) and secure communications. This policy should outline user account management (provisioning and deactivation), password standards, privileged access rules, and an asset inventory procedure.
| Information to provide: | Steps to take: |
|---|---|
7. Cryptography & Encryption Policy (NIS 2 Art. 21(h))
Develop a policy on the use of cryptographic controls and encryption to protect data. NIS 2 highlights the need for “policies and procedures regarding the use of cryptography and, where appropriate, encryption”. This document should specify when and how encryption is applied to data at rest and in transit, encryption key management practices, and approved cryptographic standards or protocols (e.g. TLS versions, encryption algorithms).
| Information to provide: | Steps to take: |
|---|---|
8. Security Awareness & Training Program (NIS 2 Art. 21(g))
Maintain documentation of your cybersecurity awareness and training program. NIS 2 includes “basic cyber hygiene practices and cybersecurity training” as a minimum measure, recognising that people are often the weakest link. This document (or set of materials) should describe the training schedule, topics covered (phishing, password safety, incident reporting, etc.), and records of completion. It ensures the organisation can demonstrate efforts to educate staff on security.
| Information to provide: | Steps to take: |
|---|---|
9. EU Representative Designation (If not established in EU, NIS 2 Art. 26) – Conditional
If your company is not established in an EU Member State but offers services within the EU, you must formally designate an EU representative. NIS 2 ties this obligation to the entity categories listed in Art. 26(1)(b): DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, and providers of online marketplaces, online search engines and social networking platforms. Check that your organisation falls into one of these categories before treating the step as required.
This requirement is similar to GDPR's representative rule. The representative must be established in one of the Member States where your services are offered, and the entity is then deemed to fall under the jurisdiction of that Member State (Art. 26(3)). Document the designation by drafting an appointment letter or contract with an individual or service provider that will act as your NIS 2 representative.
Include the representative’s contact details and address in the EU, and be prepared to provide this information to regulators.
Practical support for your internal EU NIS 2 compliance project
Below are practical steps that you can take to manage your own internal EU NIS2 compliance project, with suggested actions and simple explanations:
1. Establish NIS2 Governance & Accountability
Kick off the compliance project by determining how NIS 2 applies to your organisation and setting up governance. Confirm if your company is within a critical sector and meets the size thresholds (medium or large entities are in scope by default) to be classified as an “essential” or “important” entity under NIS 2.
Identify your sector’s competent authority in each relevant EU country. Assign a project leader (e.g. a Chief Information Security Officer or Compliance Manager) and involve senior management from the start. NIS 2 places responsibility on the management body to approve and supervise cybersecurity risk measures, so ensure the board or top executives are aware of their accountability.
| Suggested actions |
|---|
2. Perform Risk Assessment & Asset Inventory
Conduct a thorough cybersecurity risk assessment as a foundation for compliance. NIS 2 demands an all-hazards risk-based approach to security, so evaluate risks from cyber attacks, human error, equipment failure, etc., that could affect your network and information systems. Simultaneously, create or update an inventory of critical assets (hardware, software, data, and network infrastructure) that support your essential services. The goal is to identify what needs protection and prioritise security improvements based on risk.
| Suggested actions |
|---|
3. Implement Technical and Organisational Measures
Using the results of the risk assessment, deploy the necessary security controls and document their implementation. NIS 2 expects a broad set of cybersecurity measures (technical, operational, and organisational) to be in place, from access controls and encryption to incident response and business continuity. This step is about putting those defences to work in practice, not just writing policies. It includes configuring security technologies, hardening systems, and formalising operational processes.
| Suggested actions |
|---|
4. Establish Incident Response Team & Procedures
Form an internal Incident Response Team (IRT) and equip them with clear procedures and training to handle incidents effectively. In line with NIS 2’s requirements on incident handling and reporting, the team should be prepared to triage and respond to incidents 24/7 if necessary, and to coordinate mandatory notifications to authorities. Defining this team and process is crucial to minimise damage from attacks and fulfil legal duties in a crisis.
| Suggested actions |
|---|
5. Enhance Staff Awareness and Training
Make cybersecurity awareness an ongoing effort. Even with policies in place, compliance is only effective if employees understand and follow them. NIS 2 emphasises cyber hygiene and training, so ensure that your team (from IT personnel to general staff) is well-trained to prevent, detect, and respond to cyber threats. People are often the first line of defence or the first point of failure (e.g. phishing attacks), so this task is about building a security-conscious culture.
| Suggested actions |
|---|
6. Strengthen Supply Chain & Third-Party Management
Given the rise in supply chain attacks in recent years, make sure your NIS 2 compliance project extends to third-party risk management. This task involves operationalising the Supply Chain Security Policy: vetting vendors, monitoring their compliance, and establishing joint incident handling arrangements. NIS 2 (Art. 21(3)) obliges entities to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, so treat supply chain security as an integral part of your cyber resilience rather than a procurement formality.
| Suggested actions |
|---|
7. Test, Audit, and Refine Continuously
NIS 2 compliance is not a one-time project but an ongoing process. Establish a cycle of testing your defences, auditing compliance, and refining your security measures.
| Suggested actions |
|---|
Strengthen Your NIS2 Compliance with Prighter
NIS 2 introduces a more structured and accountable approach to cybersecurity. The documents and processes outlined in this checklist give your organisation a practical foundation to meet the directive’s expectations. They support stronger governance, clearer responsibilities, and a predictable way of managing incidents, suppliers, and technical risks. Most importantly, they help you demonstrate due diligence to regulators and internal stakeholders.
If you want support in building or refining any of the materials covered in this guide, our team is ready to assist. Book a free consultation with a Prighter expert to discuss your organisation’s next steps.