---
title: "Checklist"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/checklist"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/checklist"
author: "Sorena AI"
description: "An audit-ready EU NIS2 compliance checklist: scope (Annex I/II + size-cap rules), essential vs important classification, Article 21 control baseline."
published_at: "2026-02-23"
updated_at: "2026-02-23"
keywords:
  - "EU NIS2 checklist"
  - "NIS2 compliance checklist"
  - "NIS2 readiness checklist"
  - "NIS2 audit checklist"
  - "Directive (EU) 2022/2555 checklist"
  - "Article 21 checklist"
  - "Article 23 incident reporting checklist 24h 72h 1 month"
  - "Article 20 management accountability checklist"
  - "essential entity vs important entity checklist"
  - "NIS2 evidence pack checklist"
  - "NIS2"
  - "Checklist"
  - "Audit readiness"
  - "Article 21"
  - "Article 23"
---

# Checklist

An audit-ready EU NIS2 compliance checklist: scope (Annex I/II + size-cap rules), essential vs important classification, Article 21 control baseline.


## EU NIS2 Directive (EU) 2022/2555 Checklist

A checklist you can assign to owners and verify with evidence.

Use this as a readiness review: each line item should produce an artefact, a control metric, or an operational workflow.

Compliance checklists fail when they are generic. This one is designed for execution: each step states what "done" means and what evidence you should be able to produce in a supervisory review.

## 1) Scope and classification (the output is a defensible scope memo)

Start by scoping per legal entity and per service. Without a scope memo, downstream controls and reporting workflows are misaligned.

- Map your sector/subsector to Annex I or Annex II; document any borderline cases.
- Apply size-cap rules and any regardless-of-size triggers; keep an SME classification note where relevant.
- Classify as essential or important (Article 3) and record the rationale and jurisdiction assumptions.
- Identify sector-specific EU acts that may apply (Article 4) and document equivalence decisions.
- Done looks like: a scope memo with entity list, sector mapping, size logic, classification, and national transposition assumptions.

## 2) Article 20 governance (management approval, oversight, and training)

NIS2 explicitly pulls cybersecurity into the management body. Treat this as a governance system, not a policy signature.

- Management body approves the cybersecurity risk management measures and oversees implementation.
- Management body training: define curriculum, cadence, attendance tracking, and update loop after incidents.
- Define a governance cadence: monthly metrics, quarterly risk reviews, annual crisis exercises.
- Done looks like: board/management minutes, training evidence, and an accountability/RACI model.

## 3) Article 21 control baseline (owned controls with KPIs and evidence)

Build a control register that maps Article 21(2)(a) to (j) to concrete controls, each with an owner, a metric, and the evidence that shows it operates.

- Risk analysis + policies: risk method, asset/service inventory, treatment plans, risk acceptance decisions.
- Incident handling: runbooks, escalation paths, forensic readiness, post-incident review cadence.
- BC/DR: backup strategy, restore tests, DR exercises, crisis management playbooks.
- Supply chain: vendor tiering, security clauses, onboarding/offboarding, supplier incident comms.
- Secure development + vulnerability handling: secure SDLC, patching SLAs, disclosure process.
- Effectiveness: audits, scans, control tests, corrective action tracking.
- Done looks like: a control register + evidence vault (links to policies, logs, tests, audits, and training).

## 4) Article 23 incident reporting (a workflow you can execute at 02:00)

Implement reporting as a pipeline with triggers, templates, and evidence capture so you can meet 24h/72h deadlines under uncertainty.

- Define "significant incident" triage thresholds and keep a decision log (who decided, when, and why).
- 24h early warning; 72h notification with initial assessment and IoCs; final report within 1 month.
- Recipient communications playbook for incidents likely to adversely affect service provision.
- Done looks like: templates, runbooks, authority contact paths, evidence capture process, and a tabletop exercise result.


## Turn EU NIS2 Directive (EU) 2022/2555 Checklist into an operational assessment

Assessment Autopilot can turn the EU NIS2 Directive (EU) 2022/2555 Checklist into a reusable operational workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU NIS2 Directive (EU) 2022/2555 Checklist](/solutions/assessment.md): Start from EU NIS2 Directive (EU) 2022/2555 Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU NIS2 Directive (EU) 2022/2555](/contact.md): Review your current process, evidence gaps, and next steps for EU NIS2 Directive (EU) 2022/2555 Checklist.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2) - Official Journal text (EUR-Lex)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Primary source for scope, classification, governance (Article 20), controls (Article 21), and reporting (Article 23).
- [European Commission - NIS2 Directive overview (policy page)](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io) - Context and links to guidelines and implementation resources.

## Related Topic Guides

- [Applicability Test | EU NIS2 Directive (EU) 2022/2555 | In Scope? Essential vs Important?](/artifacts/eu/nis2-directive/applicability-test.md): A grounded NIS2 applicability test: map each legal entity to Annex I or Annex II, apply the NIS2 size-cap rule and regardless-of-size triggers.
- [Article 21 Control Baseline | EU NIS2 Directive (EU) 2022/2555 | Cybersecurity Risk Management Measures](/artifacts/eu/nis2-directive/article-21-control-baseline.md): A practical Article 21 control baseline for NIS2: translate Article 21(2)(a) to (j) into owned controls, KPIs, tests, and evidence.
- [Compliance Guide | EU NIS2 Directive (EU) 2022/2555 | Build an Audit-Ready Program](/artifacts/eu/nis2-directive/compliance.md): A practical EU NIS2 compliance guide: how to run scope and classification, build Article 21 controls, implement Article 23 reporting workflows.
- [Deadlines and Compliance Calendar | EU NIS2 Directive (EU) 2022/2555 | 16 January 2023, 17 October 2024, 17 April 2025](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): A practical EU NIS2 deadlines and compliance calendar with the legal anchor dates that matter: entry into force on 16 January 2023.
- [FAQ | EU NIS2 Directive (EU) 2022/2555 | Scope, Essential vs Important, Article 21, Article 23 (24h/72h)](/artifacts/eu/nis2-directive/faq.md): High-intent EU NIS2 FAQ: who is in scope, how essential vs important works, what Article 21 requires.
- [Incident Reporting Workflow | EU NIS2 Directive (EU) 2022/2555 | 24h Early Warning, 72h Notification, Final Report (1 Month)](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): A practical NIS2 incident reporting workflow grounded in Article 23 and Commission Implementing Regulation (EU) 2024/2690: define significant incidents.
- [Management Body Accountability | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Training, Liability](/artifacts/eu/nis2-directive/management-body-accountability.md): A practical Article 20 governance guide for EU NIS2: what the management body must approve and oversee, how liability and training work.
- [National Transposition Tracker | EU NIS2 Directive (EU) 2022/2555 | How to Track Local Laws, Authorities, Portals](/artifacts/eu/nis2-directive/national-transposition-tracker.md): A practical NIS2 national transposition tracker: monitor Member State implementation, find competent authority and CSIRT routes.
- [NIS2 vs ISO/IEC 27001 | How to Reuse Your ISMS for EU NIS2 Directive (EU) 2022/2555](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): A practical NIS2 vs ISO/IEC 27001 mapping: how to reuse an ISMS (risk assessment, policies, internal audits, management review.
- [NIS2 vs ISO/IEC 27017 | Cloud Security Mapping for EU NIS2 Directive (EU) 2022/2555](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): A practical mapping for cloud teams: how NIS2 Article 21 controls and Article 23 reporting apply to cloud service providers and cloud-dependent organisations.
- [NIS2 vs NIS1 | Directive (EU) 2022/2555 vs Directive (EU) 2016/1148 | Scope, Supervision, Reporting](/artifacts/eu/nis2-directive/nis2-vs-nis1.md): A practical comparison of NIS2 vs NIS1: what changed in scope and sectors, how essential vs important works.
- [Penalties and Fines | EU NIS2 Directive (EU) 2022/2555 | Article 32-34 Enforcement + Fine Thresholds](/artifacts/eu/nis2-directive/penalties-and-fines.md): A practical NIS2 enforcement guide: how supervision works for essential vs important entities (Articles 32-33), what enforcement measures authorities can use.
- [Requirements | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Article 21 Controls, Article 23 Reporting](/artifacts/eu/nis2-directive/requirements.md): A practical EU NIS2 requirements breakdown grounded in Articles 20 to 23, the Article 3 and Article 4 guidelines, and Implementing Regulation (EU) 2024/2690.
- [Scope: Essential vs Important | EU NIS2 Directive (EU) 2022/2555 | Article 3 Classification + What Changes](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): A practical guide to NIS2 scope classification: how essential vs important entities work (Article 3).
- [Supply Chain Security Program | EU NIS2 Directive (EU) 2022/2555 | Article 21(d) Supplier Risk + Evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): A practical NIS2 supply chain security program (Article 21(d)): vendor tiering, security requirements, onboarding/offboarding controls, continuous assurance.



(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/nis2-directive/checklist
