NIS2 Compliance Checklist

A practical NIS2 checklist for confirming whether an entity is in scope, how it is classified, which governance and cybersecurity measures apply, and what evidence should be ready.

Grounded in Directive (EU) 2022/2555, Commission implementation material, Implementing Regulation (EU) 2024/2690, and ENISA technical implementation guidance.

Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Overview

Use this checklist to turn NIS2 into a reviewable operating file. It is designed for legal, security, compliance, risk, operations, and management-body teams that need to document scope, obligations, controls, incident-reporting readiness, and reassessment triggers without mixing NIS2 with adjacent regimes.

Section 1

1. Confirm NIS2 scope before assigning controls

Start with the legal scope test. NIS2 applies to public or private entities of a type listed in Annex I or Annex II that meet the Directive's size rule and provide services or carry out activities in the Union, with specific size-independent cases.

Do not treat sector labels as enough on their own. The checklist record should identify the entity, service, Member States, Annex sector or subsector, size-rule conclusion, and any special scope trigger or exclusion.

  • Record the legal entity, service line, Member States served, and whether services are carried out within the Union.
  • Map the activity to Annex I sectors of high criticality or Annex II other critical sectors.
  • Document whether the entity is medium-sized or larger, or whether a size-independent Article 2 trigger applies.
  • Check special cases for public electronic communications, trust services, DNS services, top-level domain name registries, domain name registration services, sole-provider status, systemic or public-safety impact, critical-entity status, and public administration.
  • Record any exclusion or Member State exemption basis separately from the scope conclusion.
Section 2

2. Classify the entity and registration evidence

After scope, classify the entity as essential or important. This drives supervision and enforcement handling, so the classification should be traceable to Article 3 rather than copied from an internal risk tier.

Keep registration information ready because Member States must establish lists of essential and important entities and entities providing domain name registration services, and may operate national registration mechanisms.

  • Classify essential entities under Article 3, including Annex I entities above the medium-sized ceilings and listed size-independent categories such as qualified trust service providers, top-level domain name registries, and DNS service providers.
  • Classify important entities where the entity is in Annex I or Annex II but does not qualify as essential under Article 3.
  • Prepare registration data: legal name, address, up-to-date contact details, relevant sector and subsector, and Member States where in-scope services are provided.
  • Add a change process so updates to submitted registration details are notified without delay and within the Directive's two-week outer limit.
  • Keep the classification rationale, sector mapping, and registration evidence with the compliance file.
Section 3

3. Put management-body governance on the checklist

NIS2 compliance is not only a security-team task. Article 20 requires management bodies of essential and important entities to approve cybersecurity risk-management measures, oversee implementation, and follow training.

The checklist should therefore include governance evidence that links board or executive approval to the Article 21 measure set and to the services affected by NIS2.

  • Identify the management body responsible for approving NIS2 cybersecurity risk-management measures.
  • Keep approval records for the Article 21 control baseline, material exceptions, remediation plans, and residual-risk acceptance.
  • Schedule management-body training and keep attendance or completion evidence.
  • Brief management on significant incidents, control-effectiveness results, and material supplier or service changes.
  • Assign named owners for legal interpretation, security implementation, operations, supplier risk, incident reporting, and evidence storage.
Section 4

4. Build the Article 21 cybersecurity measure baseline

Article 21 requires appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems and to prevent or minimise incident impact.

Use one checklist row per measure family. Each row should show the risk it addresses, the control owner, implementation status, evidence, exceptions, review date, and management approval where needed.

  • Risk analysis and information system security policies: keep risk assessments, treatment plans, and residual-risk approvals.
  • Incident handling: document detection, analysis, containment, response, recovery, reporting, and lessons-learned procedures.
  • Business continuity, backup management, disaster recovery, and crisis management: keep plans, test records, recovery results, and updates after significant incidents or major changes.
  • Supply chain security: assess direct suppliers and service providers, supplier-specific vulnerabilities, product quality, cybersecurity practices, and secure development procedures.
  • Secure acquisition, development, and maintenance: include vulnerability handling and disclosure in product, system, and change workflows.
  • Control-effectiveness assessment: define what is measured, how it is measured, who is responsible, and when results are reported.
  • Cyber hygiene, cybersecurity training, cryptography, encryption where appropriate, human resources security, access control, asset management, multi-factor or continuous authentication where appropriate, and secure communications: keep implementation and exception evidence.
Section 5

5. Prepare the Article 23 incident-reporting path

The checklist should make incident reporting operational before an incident occurs. Article 23 requires notification of significant incidents to the CSIRT or competent authority and sets staged reporting points tied to awareness of the significant incident.

Keep the reporting workflow separate from public communications, customer communications, law-enforcement escalation, and sector-specific reporting until the responsible owner has checked whether those paths also apply.

  • Define who can decide that an incident is significant because it has caused or is capable of causing severe operational disruption, financial loss, or considerable material or non-material damage to others.
  • Map the CSIRT or competent authority route, portal, backup contact, and internal approvers for each relevant Member State.
  • Prepare an early-warning template for submission within 24 hours of becoming aware of a significant incident, indicating where applicable whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Prepare a 72-hour incident-notification template covering updated information, initial severity and impact assessment, and available indicators of compromise.
  • Prepare intermediate-report, final-report, and ongoing-incident progress-report templates, including severity, impact, likely threat type or root cause, mitigation measures, and cross-border impact where applicable.
  • Add a separate recipient-communication check for significant incidents or significant cyber threats that may affect recipients of the entity's services.
Section 6

6. Close only with evidence and reassessment triggers

A NIS2 checklist is durable only if each conclusion has a source-linked reason and each action has evidence. Close the review when scope, classification, governance, control baseline, incident reporting, and source records agree.

Reopen the checklist when business facts change, not only on an annual calendar. New services, Member States, suppliers, infrastructure, incidents, acquisitions, or national transposition changes can alter the file.

  • Keep source URLs, short source quotes, article references, and approval notes with the checklist record.
  • Attach the entity scope memo, essential-or-important classification, registration information, Article 21 control matrix, Article 23 reporting workflow, and management-body approvals.
  • Track corrective measures without undue delay where an Article 21 gap is identified.
  • Set reassessment triggers for new or retired services, new Member States, supplier changes, major architecture changes, significant incidents, changes in national registration requirements, and authority feedback.
  • Verify that every public source URL is external, HTTPS, stable, and includes the Sorena reference parameter.

Primary sources

References and citations

  • eur-lex.europa.eu: Technical and methodological Article 21 requirements for specified digital infrastructure, ICT service management, digital provider, and trust service entities ("technical and methodological requirements").
  • eur-lex.europa.eu: Primary legal text for NIS2 scope, entity classification, governance, Article 21 cybersecurity measures, and Article 23 reporting obligations ("high common level of cybersecurity across the Union").
  • eur-lex.europa.eu: Sets management-body approval, oversight, liability, and training requirements for essential and important entities ("approve the cybersecurity risk-management measures").
  • eur-lex.europa.eu: Primary legal text for NIS2 cybersecurity risk-management measures and the minimum Article 21(2) measure families ("appropriate and proportionate technical, operational and organisational measures").
  • eur-lex.europa.eu: Sets significant-incident criteria, notification recipients, 24-hour early warning, 72-hour incident notification, intermediate report, final report, and ongoing-incident reporting ("within 72 hours").
  • eur-lex.europa.eu: Defines essential and important entities and minimum information for Member State entity lists ("Essential and important entities").
  • eur-lex.europa.eu: Primary source for entity lists, governance, corrective measures, cybersecurity measures, and reporting obligations ("all necessary, appropriate and proportionate corrective measures").
  • enisa.europa.eu: Supports evidence planning, monitoring, review, and update practices for the implementing regulation's technical requirements ("planned intervals").
  • digital-strategy.ec.europa.eu: Commission Q&A explaining the multi-stage incident reporting approach and relationship to authorities ("multiple-stage approach").
  • digital-strategy.ec.europa.eu: Explains that NIS2 divides entities into essential and important categories with different supervisory regimes ("essential and important entities").