EU NIS2 Directive (EU) 2022/2555 Checklist

A checklist you can assign to owners and verify with evidence.

Use this as a readiness review: each line item should produce an artefact, a control metric, or an operational workflow.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026

Overview

Compliance checklists fail when they're generic. This one is designed for execution: each step includes what "done" means and what evidence you should be able to produce under supervision.

1) Scope and classification (the output is a defensible scope memo)

Start by scoping per legal entity and per service. Without a scope memo, downstream controls and reporting workflows are misaligned.

  • Map your sector/subsector to Annex I or Annex II; document any borderline cases.
  • Apply size-cap rules and any regardless-of-size triggers; keep an SME classification note where relevant.
  • Classify as essential or important (Article 3) and record the rationale and jurisdiction assumptions.
  • Identify sector-specific EU acts that may apply (Article 4) and document equivalence decisions.
  • Done looks like: a scope memo with entity list, sector mapping, size logic, classification, and national transposition assumptions.
2) Article 20 governance (management approval, oversight, and training)

NIS2 explicitly pulls cybersecurity into the management body. Treat this as a governance system, not a policy signature.

  • Management body approves the cybersecurity risk management measures and oversees implementation.
  • Management body training: define curriculum, cadence, attendance tracking, and update loop after incidents.
  • Define a governance cadence: monthly metrics, quarterly risk reviews, annual crisis exercises.
  • Done looks like: board/management minutes, training evidence, and an accountability/RACI model.
3) Article 21 control baseline (owned controls with KPIs and evidence)

Build a control register that maps Article 21(2)(a) to (j) to concrete controls, each with an owner, a metric, and the evidence that proves it operates.

  • Risk analysis + policies: risk method, asset/service inventory, treatment plans, risk acceptance decisions.
  • Incident handling: runbooks, escalation paths, forensic readiness, post-incident review cadence.
  • BC/DR: backup strategy, restore tests, DR exercises, crisis management playbooks.
  • Supply chain: vendor tiering, security clauses, onboarding/offboarding, supplier incident comms.
  • Secure development + vulnerability handling: secure SDLC, patching SLAs, disclosure process.
  • Effectiveness: audits, scans, control tests, corrective action tracking.
  • Done looks like: a control register + evidence vault (links to policies, logs, tests, audits, and training).
4) Article 23 incident reporting (a workflow you can execute at 02:00)

Implement reporting as a pipeline with triggers, templates, and evidence capture so you can meet 24h/72h deadlines under uncertainty.

  • Define "significant incident" triage thresholds and keep a decision log (who decided, when, and why).
  • 24h early warning; 72h incident notification with an initial assessment and, where available, indicators of compromise (IoCs); final report within 1 month.
  • Recipient communications playbook for incidents likely to adversely affect service provision.
  • Done looks like: templates, runbooks, authority contact paths, evidence capture process, and a tabletop exercise result.
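The reporting pipeline above is easier to run at 02:00 when the deadlines are computed, not remembered. The following is an added example, not code from the page or from Sorena: a small tracker that derives the 24h / 72h / 1-month deadlines from the awareness timestamp, reports what is due next, distinguishes "sent late" from "still pending", and keeps the who/when/why decision log the checklist asks for. Assumptions, labelled in the code: timestamps are timezone-aware UTC; the final-report clock is anchored to the time the 72h notification was actually submitted (falling back to the 72h deadline for planning); "1 month" is approximated as 30 days for planning purposes; the class, stage names and sample times are all constructed for this illustration.

```python
"""Added example (not the page's or Sorena's code): an Article 23 reporting
deadline tracker with a triage decision log.

ASSUMPTIONS (constructed for illustration): tz-aware UTC timestamps; final
report anchored to the submitted notification time (or the 72h deadline when
planning); "1 month" approximated as 30 days.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc
STAGES = ("early_warning", "notification", "final_report")


def _require_aware(ts: datetime) -> None:
    """Naive timestamps are a classic 02:00 mistake (DST, local vs UTC)."""
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware (UTC) timestamps")


@dataclass
class DecisionLogEntry:
    at: datetime
    who: str
    decision: str
    rationale: str


@dataclass
class IncidentReportTracker:
    aware_at: datetime                        # moment the entity became aware
    sent: dict = field(default_factory=dict)  # stage -> submission timestamp
    decision_log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        _require_aware(self.aware_at)

    def record_decision(self, who: str, decision: str, rationale: str, at: datetime) -> None:
        """Decision log: who decided, when, and why (e.g. the 'significant' call)."""
        _require_aware(at)
        self.decision_log.append(DecisionLogEntry(at, who, decision, rationale))

    def mark_sent(self, stage: str, at: datetime) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        _require_aware(at)
        self.sent[stage] = at

    def deadlines(self) -> dict:
        """Deadline per stage, all derived from the awareness timestamp."""
        notification_due = self.aware_at + timedelta(hours=72)
        # ASSUMPTION: final report counted from the actual notification time,
        # falling back to the 72h deadline for planning; 30 days ~ "1 month".
        final_anchor = self.sent.get("notification", notification_due)
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "notification": notification_due,
            "final_report": final_anchor + timedelta(days=30),
        }

    def status(self, now: datetime) -> dict:
        """Per stage: 'sent', 'late' (sent after deadline), 'pending' or 'overdue'."""
        _require_aware(now)
        out = {}
        for stage, due in self.deadlines().items():
            sent_at = self.sent.get(stage)
            if sent_at is not None:
                out[stage] = "sent" if sent_at <= due else "late"
            else:
                out[stage] = "pending" if now <= due else "overdue"
        return out

    def next_action(self, now: datetime) -> Optional[Tuple[str, datetime, timedelta]]:
        """Earliest unsent stage, its deadline and time remaining; None when done."""
        _require_aware(now)
        pending = [(due, stage) for stage, due in self.deadlines().items()
                   if stage not in self.sent]
        if not pending:
            return None
        due, stage = min(pending)
        return stage, due, due - now


if __name__ == "__main__":
    # Constructed sample: awareness at 02:00 UTC, triage decision two hours later.
    tracker = IncidentReportTracker(datetime(2026, 2, 23, 2, 0, tzinfo=UTC))
    tracker.record_decision("IR lead", "significant", "customer-facing outage", 
                            datetime(2026, 2, 23, 4, 0, tzinfo=UTC))
    now = datetime(2026, 2, 23, 20, 0, tzinfo=UTC)
    print(tracker.status(now))
    print(tracker.next_action(now))
```

Feed the tracker from the same clock your ticketing or SOAR platform uses, and keep the decision log entries as the evidence the supervisory authority will ask for: the "significant incident" determination must be traceable to a person and a time, not just to the report that was eventually filed.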
Recommended next step

Turn EU NIS2 Directive (EU) 2022/2555 Checklist into an operational assessment

Assessment Autopilot can turn the EU NIS2 Directive (EU) 2022/2555 Checklist into a reusable operational workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
