
A Practical EU NIS 2 Compliance Checklist for Global Teams

Elif Merve Demir

NIS 2 raises expectations for how organisations manage cybersecurity. Meeting the directive starts with a set of core documents and processes that form the foundation of compliance. These materials demonstrate that risks are understood, responsibilities are defined, and critical functions can continue during disruption. They also help teams work in a structured way when incidents occur or suppliers introduce new risk.

This article outlines the mandatory steps your organisation needs to document as a checklist. Each step below links to a section that explains what to include and what your team needs to put in place.

  1. Cybersecurity Risk Management Policy
  2. Incident Response and Notification Procedure
  3. Business Continuity and Disaster Recovery Plan
  4. Supply Chain Security Policy
  5. Secure Development and Maintenance Policy
  6. Access Control and Asset Management Policy
  7. Cryptography and Encryption Policy
  8. Security Awareness and Training Program
  9. EU Representative Designation (conditional)

In each section, you will also find suggestions on internal processes to help support compliance.

Discover how Prighter can support your organisation in managing your EU NIS2 compliance obligations. If you'd like to discuss in detail, book a free consultation today.

9-Point EU NIS 2 Compliance Checklist

Here are the nine steps your organisation should document on the way to EU NIS 2 compliance (the last one applies only to entities established outside the EU):

1. Cybersecurity Risk Management Policy (NIS 2 Art. 21)

NIS 2 requires organisations to have documented policies on risk analysis and information system security (Art. 21(2)(a)). This policy should outline how the company identifies, assesses, and manages cyber risks, following the all-hazards approach the directive expects. Under Art. 20, the management body must approve these risk-management measures and oversee their implementation, and its members can be held liable for infringements, which makes cybersecurity a board-level responsibility rather than a delegated IT task.

The information you provide should include:  

  • Definition of scope (e.g., systems, services, assets covered) 
  • Risk assessment methodology (e.g., ISO 27005) 
  • Roles and responsibilities (e.g., risk owner, CISO) 
  • Risk criteria and scoring system 
  • Risk treatment plan (accept, transfer, mitigate, avoid) 
  • Schedule for risk assessments and updates 
  • Linkage to other policies (BCP, supplier security, etc.) 

Your organisation should: 

  • Assign responsibility to a named role (e.g., Security or Compliance Officer) 
  • Schedule periodic reviews (e.g., annually or after incidents) 
  • Ensure board-level sign-off is documented 
  • Conduct and document risk workshops involving key teams 
  • Store the policy in a version-controlled system with access logs

2. Incident Response & Notification Procedure (NIS 2 Art. 21(b), Art. 23)

Prepare a formal incident response plan that details how to detect, handle, and recover from cybersecurity incidents. For significant incidents, Art. 23 sets a fixed reporting cadence to the national CSIRT (Computer Security Incident Response Team) or, where applicable, the competent authority: an early warning without undue delay and in any event within 24 hours of becoming aware of the incident; an incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity, impact and, where available, indicators of compromise; intermediate reports when the CSIRT or authority requests them; and a final report no later than one month after the incident notification was submitted. Where appropriate, recipients of your services that are likely to be adversely affected must also be informed without undue delay. The procedure should embed these timelines and designate who is authorised to submit each report.

The information you provide should include:

  • Definition of a reportable incident (aligned with NIS 2 scope) 
  • Classification levels (e.g., minor, major, critical) 
  • Notification timelines and templates for the 24-hour early warning, the 72-hour incident notification, intermediate reports and the final report 
  • Incident response team roles and responsibilities 
  • Escalation path and decision trees 
  • Internal communication channels and external contacts (e.g., CSIRT, authorities) 

Your organisation needs to:

  • Conduct regular table-top exercises and technical simulations 
  • Train staff in detection and escalation procedures 
  • Store contact details for competent authorities and CSIRTs 
  • Maintain an incident register covering all incidents, not only those that met the reporting threshold 
  • Align internal ticketing or alerting systems with incident classification tiers 

3. Business Continuity & Disaster Recovery Plan (NIS 2 Art. 21(c))

Create a Business Continuity Plan (BCP) and Disaster Recovery procedures to ensure that essential operations can continue, or be restored quickly, after a disruptive incident. Art. 21(2)(c) lists “business continuity, such as backup management and disaster recovery, and crisis management” among the minimum measures. This document should identify critical systems and data, backup routines (including offline or otherwise isolated copies that a ransomware attack cannot reach), emergency access to systems, and the steps to take in each outage scenario (cyber-attack, IT failure, loss of a key supplier, etc.). 

The information you provide should include:  

  • Business impact analysis (identifying critical functions) 
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) 
  • Backup schedule and media (e.g., daily, offsite, encrypted) 
  • DR (Disaster Recovery) procedures for each major system or service 
  • Crisis communication plan (internal + public) 
  • BCP testing and review logs 

Your organisation needs to:

  • Nominate BCP/DR leads for each business unit 
  • Test recovery procedures at least annually (include logs and outcomes) 
  • Document emergency access mechanisms (e.g., break-glass administrative accounts whose use is logged and reviewed) and keep printed copies of the recovery runbooks 
  • Integrate with incident response processes (who triggers BCP?) 
  • Keep an updated BCP copy offline and securely stored 

4. Supply Chain Security Policy (NIS 2 Art. 21(d))

Develop a policy addressing security requirements for the company’s suppliers and service providers. Art. 21(2)(d) requires supply chain security, including the security-related aspects of the relationship with direct suppliers and service providers (e.g. cloud or data centre providers), and Art. 21(3) requires entities to take into account the vulnerabilities specific to each direct supplier and the overall quality of their products and cybersecurity practices, including secure development procedures. The policy should set criteria for supplier due diligence, security clauses in contracts, and ongoing monitoring of third-party risk. 

The information you provide should include:

  • Definition of “critical” or high-risk suppliers 
  • Risk assessment criteria for suppliers (e.g., security certifications, access to data) 
  • Onboarding due diligence requirements 
  • Contractual clauses required for cybersecurity (e.g., breach notification, audits) 
  • Monitoring and reassessment frequency 

Your organisation needs to:

  • Maintain a supplier risk register 
  • Include cybersecurity due diligence in procurement workflows 
  • Regularly review supplier SLAs and contracts for compliance 
  • Assign ownership of supplier risk to procurement, legal, and IT/security 
  • Integrate with incident response plan in case of supply chain compromise 

5. Secure Development & Maintenance Policy (NIS 2 Art. 21(e))

Document your organisation’s approach to security in the acquisition, development, and maintenance of IT systems. NIS 2 requires measures for secure system development and vulnerability handling/disclosure. This policy should cover secure coding practices, change management, patch management, and how you handle discovered vulnerabilities (including a process to promptly apply security updates and a vulnerability disclosure program if applicable). 

The information you provide should include:

  • Secure software development lifecycle (SDLC) steps 
  • Code review and testing procedures  
  • Third-party software/library vetting and tracking 
  • Change control process (review, test, deploy) 
  • Vulnerability disclosure and response procedures 

Your organisation also needs to:

  • Define who owns secure coding standards (e.g., DevOps, security team) 
  • Maintain a list of assets requiring updates and track patch status 
  • Implement version control and CI/CD pipeline security checks 
  • Document software changes and approvals 
  • Collaborate with vendors on vulnerability advisories and updates 

6. Access Control & Asset Management Policy (NIS 2 Art. 21(i), (j))

Create a policy defining how access to systems and data is managed and how information assets are tracked and protected. Art. 21(2)(i) requires “human resources security, access control policies and asset management”, and Art. 21(2)(j) the use of multi-factor or continuous authentication and secured voice, video, text and emergency communications where appropriate. This policy should outline user account management (provisioning and deactivation), password standards, privileged access rules, and an asset inventory procedure.  

The information you provide should include:

  • User provisioning and de-provisioning process 
  • Role-based access controls (RBAC) and segregation of duties 
  • Use of MFA for administrative and remote access 
  • Password policy and authentication requirements 
  • Hardware/software asset inventory templates 
  • Access review schedule and documentation 

Your organisation also needs to:

  • Assign responsibility for IAM (IT admin, HR, etc.) 
  • Automate provisioning/deprovisioning where possible 
  • Carry out regular access reviews (e.g., quarterly for privileged accounts) and record their outcomes 
  • Maintain up-to-date asset registry with owner assignments 
  • Integrate asset records with configuration management tools (CMDB) 

7. Cryptography & Encryption Policy (NIS 2 Art. 21(h))

 Develop a policy on the use of cryptographic controls and encryption to protect data. NIS 2 highlights the need for “policies and procedures regarding the use of cryptography and, where appropriate, encryption”. This document should specify when and how encryption is applied to data at rest and in transit, encryption key management practices, and approved cryptographic standards or protocols (e.g. TLS versions, encryption algorithms). 

The information you provide should include:

  • List of data categories requiring encryption (at rest/in transit) 
  • Approved encryption standards  
  • Key management lifecycle: generation, storage, rotation, revocation 
  • Encryption practices for portable devices and cloud environments 

Your organisation also needs to:

  • Designate a key custodian or encryption officer 
  • Maintain documentation for cryptographic tools and configurations 
  • Audit key usage and key access controls periodically 
  • Train staff in correct use of encryption tools 
  • Include encryption checks in development and deployment pipelines 
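The two policy points above that are easiest to turn into a concrete control are the list of approved protocol versions and algorithms, and the pipeline check that enforces it. Below is an added example (not part of the original article, and not Prighter's code) of how such a check can be written in Python against the standard `ssl` module. The policy floor it assumes (TLS 1.2 minimum, forward-secret AEAD suites only) and the constructed legacy configuration it audits are assumptions for illustration, not requirements stated in NIS 2.

```python
from __future__ import annotations

import re
import ssl

# Policy floor assumed for this example: TLS 1.2 minimum, forward-secret AEAD
# suites only. Adjust these constants to match your own cryptography policy.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
APPROVED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"  # OpenSSL cipher-string syntax
WEAK = re.compile(r"\b(RC4|3DES|DES|MD5|NULL|EXPORT|ADH|AECDH|PSK|SRP)\b")
AEAD = re.compile(r"GCM|CHACHA20|CCM")

# Constructed example of a non-compliant legacy service configuration
# (TLS 1.0 floor, a 3DES suite and an RC4/MD5 suite still offered).
LEGACY_CONFIG = (
    ssl.TLSVersion.TLSv1,
    ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-DES-CBC3-SHA", "RC4-MD5"],
)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that meets the assumed policy: certificate and hostname
    verification stay on (create_default_context), anything below TLS 1.2 is
    refused, and only ECDHE + AEAD suites are offered for TLS 1.2. TLS 1.3
    suites are configured separately by OpenSSL and are all AEAD."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(APPROVED_CIPHERS)
    return ctx


def cipher_findings(names: list[str]) -> list[str]:
    """Flag suites that use a deprecated algorithm, then any remaining suite
    that is not AEAD (CBC-mode suites carry no 'CBC' in their names, so the
    check is for the presence of an AEAD mode rather than the absence of CBC)."""
    findings = []
    for name in names:
        if WEAK.search(name):
            findings.append(f"weak algorithm: {name}")
        elif not AEAD.search(name):
            findings.append(f"non-AEAD suite: {name}")
    return findings


def audit(min_version: ssl.TLSVersion, cipher_names: list[str]) -> list[str]:
    """Pure policy check; an empty list means compliant. A context that relies
    on OP_NO_TLSv1* options instead of an explicit minimum_version is reported,
    deliberately: a pipeline gate should demand the explicit setting."""
    findings = []
    if min_version < MIN_VERSION:
        findings.append(f"minimum TLS version {min_version.name} is below {MIN_VERSION.name}")
    findings.extend(cipher_findings(cipher_names))
    return findings


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Apply the policy to a live SSLContext, e.g. the one a service builds at start-up."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    print("hardened context findings:", audit_context(hardened_client_context()))
    print("legacy config findings:")
    for finding in audit(*LEGACY_CONFIG):
        print("  FAIL", finding)
```

Running `audit_context` against the context a service builds at start-up, and failing the build or deployment when it returns any finding, is the kind of check the pipeline bullet above asks for; the `APPROVED_CIPHERS` allowlist is where the policy's approved-standards list becomes executable rather than a document nobody re-reads.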

8. Security Awareness & Training Program (NIS 2 Art. 21(g))

Maintain documentation of your cybersecurity awareness and training program. NIS 2 includes “basic cyber hygiene practices and cybersecurity training” as a minimum measure, recognising that people are often the weakest link. This document (or set of materials) should describe the training schedule, topics covered (phishing, password safety, incident reporting, etc.), and records of completion. It ensures the organisation can demonstrate efforts to educate staff on security. 

The information you provide should include:

  • Annual training schedule for all staff 
  • Curriculum covering phishing, password hygiene, reporting incidents, etc. 
  • Role-based modules (e.g., for IT, legal, dev teams), including the training that Art. 20(2) requires members of the management body to follow 
  • Records of attendance and assessment scores 
  • Materials used (presentations, videos, e-learning links) 
  • Evaluation and feedback mechanisms 

Your organisation also needs to:

  • Assign a training coordinator or HR liaison 
  • Track completion  
  • Simulate phishing or social engineering tests regularly 
  • Include training as part of onboarding and major change rollouts 
  • Communicate changes or new threats via email or posters 

9. EU Representative Designation (If not established in EU, NIS 2 Art. 26) – Conditional


Art. 26(3) requires certain entities that are not established in the EU but offer services within it to designate a representative in one of the Member States where those services are offered: DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social networking services platforms. The entity is then deemed to fall under the jurisdiction of the Member State where the representative is established.

This requirement is similar to the representative rule in Art. 27 GDPR. Document the designation by drafting an appointment letter or contract with an individual or service provider that will act as your NIS 2 representative.

Include the representative’s contact details and address in the EU, and be prepared to provide this information to regulators. 

Practical support for your internal EU NIS 2 compliance project

Below are practical steps that you can take to manage your own internal EU NIS2 compliance project, with suggested actions and simple explanations:

1. Establish NIS2 Governance & Accountability

Kick off the compliance project by determining how NIS 2 applies to your organisation and setting up governance. Confirm whether your company operates in a sector listed in Annex I or Annex II and meets the size thresholds (medium-sized and large entities are in scope by default, and some entities are in scope regardless of size), and then whether it is classified as an “essential” or “important” entity under Art. 3.

Identify your sector’s competent authority in each relevant EU country. Assign a project leader (e.g. a Chief Information Security Officer or Compliance Manager) and involve senior management from the start. NIS 2 places responsibility on the management body to approve and supervise cybersecurity risk measures, so ensure the board or top executives are aware of their accountability. 

Suggested actions: 

  • Assess whether your company is at least a medium-sized enterprise under Commission Recommendation 2003/361/EC: 50 or more employees, or annual turnover and balance sheet total above €10 million (large: 250 or more employees, or turnover above €50 million and balance sheet total above €43 million). The headcount and financial criteria are alternatives, not cumulative. Art. 2(2) also brings certain entities into scope regardless of size, e.g. DNS service providers, TLD name registries, trust service providers, public electronic communications providers and sole providers of a service essential to critical societal or economic activities.  
  • Check whether your sector is listed in Annex I (sectors of high criticality, e.g., energy, transport, health, digital infrastructure) or Annex II (other critical sectors, e.g., manufacturing, postal and courier services, digital providers); both annexes are at the end of the Directive’s full text on EUR-Lex. Whether an in-scope entity is “essential” or “important” then follows Art. 3: broadly, large entities in Annex I sectors are essential, medium-sized Annex I entities and Annex II entities are important, and some entities (e.g., qualified trust service providers, TLD name registries, DNS service providers) are essential regardless of size. 
  • Identify the competent authority in each EU country where your services operate. 
  • Assign a senior project lead (e.g., CISO or compliance manager) to coordinate NIS 2 implementation. 
  • Ensure board-level accountability and approval of cybersecurity strategies and risk policies. 
  • Record scoping analysis and sector classification to demonstrate due diligence. 
  • Create internal documentation showing project structure, reporting lines, and responsibilities. 

2. Perform Risk Assessment & Asset Inventory

Conduct a thorough cybersecurity risk assessment as a foundation for compliance. NIS 2 demands an all-hazards risk-based approach to security, so evaluate risks from cyber attacks, human error, equipment failure, etc., that could affect your network and information systems. Simultaneously, create or update an inventory of critical assets (hardware, software, data, and network infrastructure) that support your essential services. The goal is to identify what needs protection and prioritise security improvements based on risk. 

Suggested actions: 

  • Use a recognised methodology (e.g., ISO 27005) to identify risks and vulnerabilities to your services. 
  • Identify all assets (hardware, software, networks, data flows) critical to the continuity of essential/important services. 
  • Score risks based on likelihood and impact; maintain a risk register. 
  • Prioritise risks that could lead to service disruption, financial loss, legal breach, or safety concerns. 
  • Update the assessment at least annually or after any major system changes or incidents. 
  • Use the assessment to guide the implementation of technical and organisational measures. 

3. Implement Technical and Organisational Measures

Using the results of the risk assessment, deploy the necessary security controls and document their implementation. NIS 2 expects a broad set of cybersecurity measures (technical, operational, and organisational) to be in place, from access controls and encryption to incident response and business continuity. This step is about putting those defences to work in practice, not just writing policies. It includes configuring security technologies, hardening systems, and formalising operational processes. 

Suggested actions: 

  • Implement controls covering risk analysis, incident handling, business continuity, supply chain security, system development, access management, encryption, testing, and staff training. 
  • Tailor measures to the complexity and risk level of your services and environment. 
  • Document implementation of each Article 21 requirement, noting links to specific risks. 
  • Use an established framework (e.g., ISO/IEC 27001) to structure implementation and the evidence you keep. 
  • Review effectiveness periodically and update controls as threats evolve. 
  • Prepare to demonstrate compliance during inspections by competent authorities. 

4. Establish Incident Response Team & Procedures

Form an internal Incident Response Team (IRT) and equip them with clear procedures and training to handle incidents effectively. In line with NIS 2’s requirements on incident handling and reporting, the team should be prepared to triage and respond to incidents 24/7 if necessary, and to coordinate mandatory notifications to authorities. Defining this team and process is crucial to minimise damage from attacks and fulfil legal duties in a crisis. 

Suggested actions: 

  • Create a cross-functional incident response team (IT, legal, compliance). 
  • Define a triage process and escalation criteria for incidents that affect service continuity, safety, or have cross-border impact. 
  • Report significant incidents to the CSIRT or competent authority on the Art. 23 cadence: 
    • Early warning: within 24 hours of becoming aware 
    • Incident notification: within 72 hours of becoming aware 
    • Intermediate report: when requested by the CSIRT or competent authority 
    • Final report: no later than one month after submitting the incident notification 
  • Prepare templates for each reporting phase and ensure clarity on who is responsible. 
  • Conduct regular simulations and training. 
  • Maintain an incident log and review lessons learned after each event. 
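The Art. 23 cadence described in checklist item 2 and in the reporting bullets above is easy to get wrong under pressure, in particular the fact that the final-report clock starts at the submission of the incident notification, not at the moment of awareness. The following added example (not part of the original article or of Prighter's tooling) computes the deadlines from the moment of awareness and reports which phases are overdue. The calendar-month rule it uses for "one month" is an assumption, since the directive does not define the term, and all timestamps are constructed for illustration.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Art. 23(4) cadence for a significant incident: early warning within 24 h and
# incident notification within 72 h of becoming aware; final report no later
# than one month after the incident notification is submitted. Intermediate
# reports are produced on request and have no fixed deadline, so they are not
# tracked here.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so every timestamp in the example is timezone-aware."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition that clamps to the last day of the target month
    (31 Jan -> 28/29 Feb). The directive does not define 'one month'; this
    clamping rule is an assumption of the example, so confirm it against your
    competent authority's guidance."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class Deadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: datetime | None  # unknown until the incident notification is sent


def compute_deadlines(aware_at: datetime,
                      notification_sent_at: datetime | None = None) -> Deadlines:
    """Derive the Art. 23 deadlines from the moment of awareness. The final
    report clock starts only when the 72 h notification has actually gone out."""
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps: the clock starts at awareness")
    final = add_one_month(notification_sent_at) if notification_sent_at else None
    return Deadlines(aware_at + EARLY_WARNING, aware_at + INCIDENT_NOTIFICATION, final)


def overdue_phases(aware_at: datetime, submitted: dict[str, datetime],
                   now: datetime) -> list[str]:
    """Return the phases that are overdue at `now`: not yet submitted although
    the deadline has passed, or submitted after it. `submitted` maps a phase
    name ('early_warning', 'incident_notification', 'final_report') to the
    time that report was actually sent."""
    d = compute_deadlines(aware_at, submitted.get("incident_notification"))
    deadlines = {"early_warning": d.early_warning,
                 "incident_notification": d.incident_notification}
    if d.final_report is not None:
        deadlines["final_report"] = d.final_report
    late = []
    for phase, deadline in deadlines.items():
        sent = submitted.get(phase)
        if (sent is None and now > deadline) or (sent is not None and sent > deadline):
            late.append(phase)
    return late


if __name__ == "__main__":
    # Constructed scenario: awareness on 31 January, early warning on time,
    # incident notification sent on 2 February, final report still open.
    aware = utc(2025, 1, 31, 10, 0)
    sent = {"early_warning": utc(2025, 1, 31, 20, 0),
            "incident_notification": utc(2025, 2, 2, 9, 0)}
    print(compute_deadlines(aware, sent["incident_notification"]))
    print("overdue on 1 April:", overdue_phases(aware, sent, utc(2025, 4, 1)))
```

Wiring `overdue_phases` into the incident tracker or ticketing system, with a reminder ahead of each deadline, turns the timelines in the procedure into something the on-call team is actually prompted by; the awareness timestamp should be recorded in the incident log at the time of triage, since every deadline is measured from it.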

5. Enhance Staff Awareness and Training

Make cybersecurity awareness an ongoing effort. Even with policies in place, compliance is only effective if employees understand and follow them. NIS 2 emphasises cyber hygiene and training, so ensure that your team (from IT personnel to general staff) is well-trained to prevent, detect, and respond to cyber threats. People are often the first line of defence or the first point of failure (e.g. phishing attacks), so this task is about building a security-conscious culture. 

Suggested actions: 

  • Provide mandatory cybersecurity awareness training for all staff (e.g. phishing, secure practices, breach reporting). 
  • Offer advanced, role-specific training for IT, developers, legal, and executives. 
  • Run annual phishing simulations and track results. 
  • Keep records of attendance and performance in a training log. 
  • Include training in onboarding and during system or policy changes. 
  • Continuously update content based on emerging threats and regulatory updates. 

6. Strengthen Supply Chain & Third-Party Management

Given the increased supply chain attacks in recent years, ensure your NIS 2 compliance project extends to third-party risk management. This task involves operationalising the Supply Chain Security Policy: vetting vendors, monitoring their compliance, and establishing joint incident handling arrangements. NIS 2 obliges entities to account for supplier-specific vulnerabilities, meaning you should treat supply chain security as an integral part of your cyber resilience. 

Suggested actions: 

  • Identify critical suppliers and assess their security posture (certifications, audit reports, incident history). 
  • Require suppliers to comply with NIS 2-aligned contractual clauses (e.g., incident reporting, audit rights, technical measures). 
  • Perform risk-based supplier reviews regularly (e.g. annually). 
  • Develop fallback plans for key vendors (e.g. backups, secondary suppliers). 
  • Integrate supplier risk into the overall security and incident response framework. 
  • Monitor the coordinated supply-chain risk assessments carried out at EU level under Art. 22 and related guidance, since they can change which suppliers and services you should treat as critical. 

7. Test, Audit, and Refine Continuously 

NIS 2 compliance is not a one-time project but an ongoing process. Establish a cycle of testing your defences, auditing compliance, and refining your security measures.  

Suggested actions: 

  • Conduct annual internal audits against NIS 2 Article 21 requirements. 
  • Perform external vulnerability scans and penetration tests. 
  • Keep logs of test outcomes, action items, and timelines for remediation. 
  • Review control effectiveness after each test or real incident. 
  • Establish a continuous improvement loop with version-controlled documentation. 

About the Author

Elif Merve Demir

Privacy Specialist

Elif works at Prighter as a data protection and digital governance specialist.
After graduating from law school in Turkey, she completed an LLM in Information Technology and Intellectual Property Law in the United Kingdom. She has held governance and compliance roles in both Turkey and the UK. Drawing on that experience, she leads Prighter's Turkish law initiatives and product development, and also advises on EU and UK data protection and digital governance.
トルコの法学部を卒業後、イギリスにて情報技術および知的財産法のLLM(修士課程)を修了。これまでにトルコとイギリスで、ガバナンスやコンプライアンス業務に携わってきました。その経験を活かし、Prighterではトルコ法に関する取り組みや製品開発をリードするとともに、EUおよびUKのデータ保護・デジタルガバナンスに関するアドバイスも行っています。