Checklist NIS2 Readiness

Self-assess your readiness against the key NIS2 areas. Operational checklist with 40+ controls. Printable as PDF.

Fill in the form to access the checklist. You will also receive it by email along with an interpretation guide.

40+ controls organised by NIS2 area
Printable — optimised A4 format
No commercial commitment required
Based on official ENISA/ACN measures

By submitting you accept our Privacy Policy. No spam. Data used only for this request.

For each control, verify whether it is implemented (tick the box), partially implemented (add a note) or absent. Use the Print button to save as PDF.

A — Classification and scope
The organisation has formally verified whether it qualifies as an essential or important NIS2 entity
A classification document signed by management exists
The essential services provided have been identified
Critical suppliers have been mapped (supply chain)
B — Governance and risk management
The governing body has approved the information security policy
A formalised cyber risk management process exists
A documented risk assessment has been conducted in the last year
Residual risks have been formally accepted by management
Management participates in cybersecurity training (at least annually)
C — Technical security measures
The network is segmented between critical and non-critical systems
MFA (Multi-Factor Authentication) is active on all remote access
MFA is active on privileged accounts (admin, root)
An EDR or advanced antivirus solution is deployed on all endpoints
Security patches are applied within 30 days of release
Encryption is applied to sensitive data at-rest and in-transit
Security logs are centralised and retained for at least 12 months
A formalised vulnerability management process exists
At least one penetration test is conducted annually
D — Business continuity and backup
A documented Business Continuity Plan (BCP) exists
A Disaster Recovery Plan (DRP) with defined RTO and RPO exists
Backups are performed at least daily for critical data
Backups are stored offline or on storage isolated from the main network
Backup restoration is tested at least every six months
A tabletop exercise on the ransomware scenario has been conducted in the last year
E — Incident response and notification
A documented and approved Incident Response Plan (IRP) exists
The CSIRT Contact Point (liaison with CSIRT-IT) has been appointed
The CSIRT Contact Point is reachable 24/7
Written procedures exist for the early warning notification to CSIRT-IT (within 24h)
Written procedures exist for the formal notification (within 72h)
The threshold for a 'significant incident' has been defined for the organisation
F — Supply chain and suppliers
Critical suppliers for security have been identified and classified
A supplier security assessment process (TPRM) exists
Contracts with critical suppliers include cybersecurity clauses
Remote access by suppliers is monitored and restricted to only the necessary systems
G — Training and awareness
All employees receive cybersecurity awareness training at least annually
IT staff receive up-to-date technical training
Periodic phishing simulations are conducted
A clear procedure exists for employees to report suspected incidents