← Back to Blog
RESEARCH 10 min read

NIS2 Compliance Checklist: 10 Steps to Get Ready Before the Deadline

A practical 10-step checklist to prepare your organization for NIS2 compliance — from scoping and risk assessment to incident reporting and continuous improvement.


NIS2 Compliance Checklist: 10 Steps to Get Ready Before the Deadline

The NIS2 Directive is reshaping cybersecurity obligations across Europe, and the clock is ticking. With member states transposing the directive into national law and enforcement approaching, organizations need a clear, actionable roadmap to achieve compliance.

This checklist breaks NIS2 preparation into 10 concrete steps — each with specific actions you can take today. Whether you're starting from scratch or building on an existing security program, this guide will help you identify gaps and prioritize your efforts.

Step 1: Determine Whether You're In Scope

Why it matters: NIS2 dramatically expanded the number of organizations subject to cybersecurity obligations. If you assume you're not covered, you may be wrong.

Actions:

How KENSAI helps: KENSAI's platform is designed for organizations in NIS2 scope, providing the continuous vulnerability management and reporting that the directive demands. Starting with a free scan gives you immediate visibility into your current security posture.

Step 2: Classify Your Entity Type

Why it matters: Essential entities face stricter oversight and higher penalties than important entities. Your classification determines your obligations.

Actions:

How KENSAI helps: KENSAI's compliance reporting maps findings to the specific requirements applicable to your entity classification, ensuring your security evidence matches your obligations.

Step 3: Secure Management Buy-In and Accountability

Why it matters: NIS2 Article 20 makes management bodies personally responsible for cybersecurity. This isn't a suggestion — it's a legal requirement with personal liability implications.

Actions:

How KENSAI helps: KENSAI provides executive dashboards and trend reports that give management the visibility they need to fulfill their oversight responsibilities without requiring deep technical expertise.

Step 4: Conduct a Comprehensive Risk Assessment

Why it matters: NIS2 Article 21 requires "appropriate and proportionate" technical and organizational measures based on a risk assessment. Without a documented risk assessment, you can't demonstrate that your measures are proportionate.

Actions:

How KENSAI helps: KENSAI's automated vulnerability scanning provides the technical vulnerability data your risk assessment needs. Instead of relying on point-in-time manual assessments, KENSAI delivers continuous vulnerability intelligence that keeps your risk assessment current.

Step 5: Map Your Attack Surface

Why it matters: NIS2 requires security measures for your network and information systems. You can't secure what you don't know exists.

Actions:

How KENSAI helps: KENSAI's attack surface discovery automatically identifies your external-facing assets, including forgotten subdomains and exposed services that internal inventories miss. Run a free scan to see your attack surface from an attacker's perspective.

Step 6: Implement the 10 Minimum Security Measures

Why it matters: NIS2 Article 21(2) lists ten specific categories of security measures that all covered entities must implement. These aren't optional.

Actions for each measure:

a) Risk analysis and information security policies

b) Incident handling

c) Business continuity and crisis management

d) Supply chain security

e) Security in acquisition, development, and maintenance

f) Effectiveness assessment

g) Cyber hygiene and training

h) Cryptography and encryption

i) Human resources security and access control

j) Secure communications

How KENSAI helps: KENSAI directly supports measures (e), (f), and the vulnerability handling aspects of (a) and (d). Continuous automated scanning ensures you're meeting the "regular testing" and "vulnerability handling" requirements with verifiable evidence.

Step 7: Establish Incident Reporting Capabilities

Why it matters: NIS2 introduces strict multi-stage incident reporting requirements. Missing the 24-hour early warning deadline can result in penalties independent of the incident itself.

Actions:

How KENSAI helps: KENSAI's continuous monitoring means vulnerabilities are detected and reported before they become incidents. When issues are found, KENSAI's detailed technical reports provide the indicators of compromise and technical details needed for rapid incident reporting.

Step 8: Address Supply Chain Security

Why it matters: NIS2 explicitly requires organizations to manage cybersecurity risks in their supply chain. The directive recognizes that many major breaches originate through trusted suppliers.

Actions:

How KENSAI helps: KENSAI can scan your suppliers' external-facing infrastructure (with their permission) to provide an objective view of their security posture. This gives you verifiable data instead of relying solely on self-reported questionnaires.

Step 9: Document Everything for Audit Readiness

Why it matters: NIS2 supervision includes the power to conduct audits, inspections, and evidence requests. If you can't demonstrate compliance through documentation, you're not compliant.

Actions:

How KENSAI helps: KENSAI automatically generates timestamped scan reports, vulnerability tracking histories, and remediation timelines. This creates a continuous audit trail that demonstrates ongoing security testing — far more compelling to regulators than a single annual pentest report.

Step 10: Implement Continuous Improvement

Why it matters: NIS2 isn't a one-time checkbox exercise. The directive requires ongoing risk management and regular assessment of measure effectiveness. Regulators will look for evidence of continuous improvement, not static compliance.

Actions:

How KENSAI helps: KENSAI's continuous scanning model is inherently aligned with continuous improvement. Each scan builds on previous results, tracking which vulnerabilities have been fixed, which are new, and how your overall security posture trends over time. The platform provides the metrics and trend data that demonstrate improvement to auditors and regulators.

Your NIS2 Compliance Timeline

Here's a realistic timeline for implementing this checklist:

Month 1-2: Assessment Phase - Steps 1-2: Scope determination and classification - Step 3: Management briefing and buy-in - Step 4: Begin risk assessment - Step 5: Attack surface mapping (start with KENSAI free scan)

Month 3-4: Foundation Phase - Step 4: Complete risk assessment - Step 6: Begin implementing the 10 minimum measures (prioritize gaps) - Step 7: Establish incident reporting capabilities

Month 5-6: Implementation Phase - Step 6: Continue implementation of minimum measures - Step 8: Address supply chain security - Step 9: Set up documentation and evidence management

Month 7+: Continuous Phase - Step 10: Ongoing improvement, monitoring, and assessment - Regular reviews and updates across all steps

Common Mistakes to Avoid


Start With Visibility

You can't fix what you can't see. The first step to NIS2 compliance is understanding your current security posture.

👉 Get your free KENSAI security scan at kensai.app/free-scan — map your attack surface and identify vulnerabilities in minutes.

Try KENSAI Free

Scan your infrastructure for vulnerabilities in minutes — no credit card required.

Start Free Scan →

Published by KENSAI Security Research — AI-Powered Cybersecurity Platform

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →