← Back to Blog
RESEARCH
10 min read
NIS2 Compliance Checklist: 10 Steps to Get Ready Before the Deadline
A practical 10-step checklist to prepare your organization for NIS2 compliance — from scoping and risk assessment to incident reporting and continuous improvement.
NIS2 Compliance Checklist: 10 Steps to Get Ready Before the Deadline
The NIS2 Directive is reshaping cybersecurity obligations across Europe, and the clock is ticking. With member states transposing the directive into national law and enforcement approaching, organizations need a clear, actionable roadmap to achieve compliance.
This checklist breaks NIS2 preparation into 10 concrete steps — each with specific actions you can take today. Whether you're starting from scratch or building on an existing security program, this guide will help you identify gaps and prioritize your efforts.
Step 1: Determine Whether You're In Scope
Why it matters: NIS2 dramatically expanded the number of organizations subject to cybersecurity obligations. If you assume you're not covered, you may be wrong.
Actions:
- Check your sector: NIS2 covers 18 sectors across two annexes. Annex I (essential entities) includes energy, transport, banking, health, digital infrastructure, and ICT services. Annex II (important entities) includes postal services, waste management, chemicals, food, manufacturing, and digital providers
- Check your size: The directive applies to medium-sized organizations (50+ employees OR €10M+ turnover) and large organizations (250+ employees OR €50M+ turnover) in covered sectors
- Check exceptions: Some entity types are covered regardless of size — DNS providers, TLD registries, public communications networks, and trust service providers
- Assess supply chain exposure: Even if you're not directly in scope, your clients in covered sectors may require NIS2-aligned security from their suppliers
How KENSAI helps: KENSAI's platform is designed for organizations in NIS2 scope, providing the continuous vulnerability management and reporting that the directive demands. Starting with a free scan gives you immediate visibility into your current security posture.
Step 2: Classify Your Entity Type
Why it matters: Essential entities face stricter oversight and higher penalties than important entities. Your classification determines your obligations.
Actions:
- Essential entities (Annex I sectors, large organizations): Subject to proactive regulatory supervision, including on-site inspections and regular audits. Maximum fines of €10 million or 2% of global turnover
- Important entities (Annex II sectors, medium organizations): Subject to reactive supervision (after an incident or evidence of non-compliance). Maximum fines of €7 million or 1.4% of global turnover
- Document your classification and the reasoning behind it
- Review national transposition — some member states may apply stricter criteria. Germany's NIS2UmsuCG, for example, introduces additional categories
How KENSAI helps: KENSAI's compliance reporting maps findings to the specific requirements applicable to your entity classification, ensuring your security evidence matches your obligations.
Step 3: Secure Management Buy-In and Accountability
Why it matters: NIS2 Article 20 makes management bodies personally responsible for cybersecurity. This isn't a suggestion — it's a legal requirement with personal liability implications.
Actions:
- Brief the board and C-suite on NIS2 requirements and their personal liability
- Designate a responsible executive for cybersecurity oversight (CISO, CTO, or equivalent)
- Establish a governance structure where management formally approves cybersecurity policies and reviews risk assessments
- Schedule mandatory cybersecurity training for all management body members — NIS2 explicitly requires this
- Document management involvement in cybersecurity decisions for audit purposes
- Include cybersecurity as a standing agenda item in board meetings
How KENSAI helps: KENSAI provides executive dashboards and trend reports that give management the visibility they need to fulfill their oversight responsibilities without requiring deep technical expertise.
Step 4: Conduct a Comprehensive Risk Assessment
Why it matters: NIS2 Article 21 requires "appropriate and proportionate" technical and organizational measures based on a risk assessment. Without a documented risk assessment, you can't demonstrate that your measures are proportionate.
Actions:
- Identify critical assets: Map all network and information systems that support your essential services
- Assess threats: Document the threat landscape relevant to your sector and geography (ransomware, state-sponsored attacks, supply chain compromise, insider threats)
- Evaluate vulnerabilities: Conduct technical vulnerability assessments of your infrastructure, applications, and processes
- Determine impact: For each identified risk, assess the potential impact on service continuity, data integrity, and affected parties
- Calculate risk levels: Use a consistent methodology (likelihood × impact) to prioritize risks
- Document everything: The risk assessment must be written, reviewed, and regularly updated
How KENSAI helps: KENSAI's automated vulnerability scanning provides the technical vulnerability data your risk assessment needs. Instead of relying on point-in-time manual assessments, KENSAI delivers continuous vulnerability intelligence that keeps your risk assessment current.
Step 5: Map Your Attack Surface
Why it matters: NIS2 requires security measures for your network and information systems. You can't secure what you don't know exists.
Actions:
- Inventory all external-facing assets: Web applications, APIs, mail servers, VPN endpoints, cloud services, subdomains
- Identify shadow IT: Discover unauthorized cloud services, forgotten test environments, and legacy systems
- Map third-party connections: Document all external integrations, API connections, and data flows with suppliers and partners
- Assess cloud exposure: Review IaaS, PaaS, and SaaS configurations for misconfigurations and excessive permissions
- Document your findings: Maintain a living inventory of your attack surface
How KENSAI helps: KENSAI's attack surface discovery automatically identifies your external-facing assets, including forgotten subdomains and exposed services that internal inventories miss. Run a free scan to see your attack surface from an attacker's perspective.
Step 6: Implement the 10 Minimum Security Measures
Why it matters: NIS2 Article 21(2) lists ten specific categories of security measures that all covered entities must implement. These aren't optional.
Actions for each measure:
- Develop and document an information security policy
- Establish a risk management framework with regular review cycles
b) Incident handling
- Create an incident response plan with clear roles, responsibilities, and escalation procedures
- Implement incident detection and monitoring capabilities
- Conduct regular incident response drills
c) Business continuity and crisis management
- Develop business continuity plans for critical services
- Implement and test backup and disaster recovery procedures
- Ensure offline/immutable backups exist (critical for ransomware resilience)
d) Supply chain security
- Assess cybersecurity practices of critical suppliers
- Include security requirements in procurement and contracts
- Monitor supplier security on an ongoing basis
e) Security in acquisition, development, and maintenance
- Implement secure development practices (SDLC)
- Conduct vulnerability handling and regular security testing
- Establish patch management procedures
f) Effectiveness assessment
- Schedule regular security audits and assessments
- Implement security metrics and KPIs
- Review and update measures based on assessment results
g) Cyber hygiene and training
- Deploy security awareness training for all employees
- Implement phishing simulation programs
- Establish basic cyber hygiene standards (password policies, clean desk, etc.)
h) Cryptography and encryption
- Encrypt data in transit (TLS 1.2+ for all services)
- Encrypt data at rest for sensitive information
- Manage cryptographic keys according to best practices
i) Human resources security and access control
- Implement multi-factor authentication for all critical systems
- Apply the principle of least privilege
- Establish access review processes
j) Secure communications
- Deploy encrypted communication channels for sensitive discussions
- Establish emergency communication procedures that work when primary systems are compromised
How KENSAI helps: KENSAI directly supports measures (e), (f), and the vulnerability handling aspects of (a) and (d). Continuous automated scanning ensures you're meeting the "regular testing" and "vulnerability handling" requirements with verifiable evidence.
Step 7: Establish Incident Reporting Capabilities
Why it matters: NIS2 introduces strict multi-stage incident reporting requirements. Missing the 24-hour early warning deadline can result in penalties independent of the incident itself.
Actions:
- Define "significant incident" criteria for your organization, aligned with NIS2's definition (severe operational disruption, financial loss, or considerable damage to others)
- Implement 24/7 monitoring capable of detecting significant incidents in real time — you can't report what you haven't detected
- Identify your national CSIRT and competent authority — know exactly where to report and how
- Prepare reporting templates for each stage:
- 24-hour early warning: Basic incident facts, whether it's suspected to be unlawful or malicious, potential cross-border impact
- 72-hour notification: Initial assessment, severity, impact, indicators of compromise
- 1-month final report: Detailed description, root cause analysis, mitigation measures, cross-border impact
- Designate and train incident reporters — ensure multiple team members can submit reports
- Practice the reporting process — conduct tabletop exercises that include the reporting timeline
How KENSAI helps: KENSAI's continuous monitoring means vulnerabilities are detected and reported before they become incidents. When issues are found, KENSAI's detailed technical reports provide the indicators of compromise and technical details needed for rapid incident reporting.
Step 8: Address Supply Chain Security
Why it matters: NIS2 explicitly requires organizations to manage cybersecurity risks in their supply chain. The directive recognizes that many major breaches originate through trusted suppliers.
Actions:
- Identify critical suppliers: Map suppliers with access to your systems, data, or network
- Assess supplier security posture: Request security certifications (ISO 27001, SOC 2), conduct questionnaires, or require third-party assessments
- Include security requirements in contracts: Define minimum security standards, incident notification obligations, audit rights, and termination clauses for security failures
- Monitor ongoing supplier security: Don't just assess at onboarding — conduct regular reviews
- Develop supplier incident response procedures: Know what happens when a supplier is compromised
- Diversify critical dependencies: Avoid single points of failure in your supply chain
How KENSAI helps: KENSAI can scan your suppliers' external-facing infrastructure (with their permission) to provide an objective view of their security posture. This gives you verifiable data instead of relying solely on self-reported questionnaires.
Step 9: Document Everything for Audit Readiness
Why it matters: NIS2 supervision includes the power to conduct audits, inspections, and evidence requests. If you can't demonstrate compliance through documentation, you're not compliant.
Actions:
- Maintain a compliance evidence repository with all policies, procedures, risk assessments, and test results
- Keep records of all security incidents and your response actions, regardless of whether they met the "significant" threshold
- Document management approvals — every policy approval, risk acceptance, and budget decision
- Archive security testing results with timestamps — continuous scanning provides stronger evidence than annual reports
- Track training completion for all staff, with special attention to management training
- Record supply chain assessments and contract security clauses
- Maintain change logs for all security-related policies and procedures
How KENSAI helps: KENSAI automatically generates timestamped scan reports, vulnerability tracking histories, and remediation timelines. This creates a continuous audit trail that demonstrates ongoing security testing — far more compelling to regulators than a single annual pentest report.
Step 10: Implement Continuous Improvement
Why it matters: NIS2 isn't a one-time checkbox exercise. The directive requires ongoing risk management and regular assessment of measure effectiveness. Regulators will look for evidence of continuous improvement, not static compliance.
Actions:
- Schedule quarterly security reviews to assess the effectiveness of implemented measures
- Track security metrics over time: Vulnerability counts, mean time to remediation, incident frequency, training completion rates
- Update risk assessments when the threat landscape changes, after significant incidents, or at least annually
- Benchmark against frameworks: Use ISO 27001, NIST CSF, or CIS Controls as maturity benchmarks
- Participate in information sharing: Join sector-specific ISACs (Information Sharing and Analysis Centers) and engage with your national CSIRT
- Review and update this checklist — revisit your NIS2 compliance status every quarter
- Plan for regulatory evolution: NIS2 will be reviewed and potentially updated; build flexibility into your security program
How KENSAI helps: KENSAI's continuous scanning model is inherently aligned with continuous improvement. Each scan builds on previous results, tracking which vulnerabilities have been fixed, which are new, and how your overall security posture trends over time. The platform provides the metrics and trend data that demonstrate improvement to auditors and regulators.
Your NIS2 Compliance Timeline
Here's a realistic timeline for implementing this checklist:
Month 1-2: Assessment Phase
- Steps 1-2: Scope determination and classification
- Step 3: Management briefing and buy-in
- Step 4: Begin risk assessment
- Step 5: Attack surface mapping (start with KENSAI free scan)
Month 3-4: Foundation Phase
- Step 4: Complete risk assessment
- Step 6: Begin implementing the 10 minimum measures (prioritize gaps)
- Step 7: Establish incident reporting capabilities
Month 5-6: Implementation Phase
- Step 6: Continue implementation of minimum measures
- Step 8: Address supply chain security
- Step 9: Set up documentation and evidence management
Month 7+: Continuous Phase
- Step 10: Ongoing improvement, monitoring, and assessment
- Regular reviews and updates across all steps
Common Mistakes to Avoid
- Treating NIS2 as an IT-only project: It requires management involvement and cross-functional collaboration
- Waiting for national transposition: The requirements are clear; start now
- Over-relying on certifications: ISO 27001 is a strong foundation but doesn't automatically equal NIS2 compliance
- Neglecting supply chain obligations: This is where many organizations will be caught unprepared
- One-time compliance: NIS2 requires continuous risk management, not annual exercises
- Ignoring the 24-hour reporting requirement: This requires monitoring capabilities, not just a policy document
Start With Visibility
You can't fix what you can't see. The first step to NIS2 compliance is understanding your current security posture.
👉 Get your free KENSAI security scan at kensai.app/free-scan — map your attack surface and identify vulnerabilities in minutes.
Try KENSAI Free
Scan your infrastructure for vulnerabilities in minutes — no credit card required.
Start Free Scan →
Published by KENSAI Security Research — AI-Powered Cybersecurity Platform