The Network and Information Security Directive 2 (NIS2) is an EU Directive concerning the cybersecurity of network and information systems. Organisations categorised as either essential or important in the NIS2 Directive must comply with its rules.
Who must comply with NIS2?
Organisations categorised as either essential or important are, put simply, the organisations delivering the services or products that the well-functioning of society relies upon. These are typically organisations within sectors such as transport, water supply, energy supply, and waste management.
As a general rule, only organisations categorised as essential or important that have at least 50 employees, or an annual turnover or balance sheet of more than 10 million euros, are subject to NIS2. Smaller organisations can also fall under NIS2 if they are of particular importance for society or the economy, e.g., the sole provider of a critical service.
Risk Management
NIS2 Article 21(1) requires you to take a risk-based approach and implement the necessary security measures to protect your important services corresponding to the risk they face. It is therefore the specific circumstances of your organisation that determine which security measures you must implement.
Risk management therefore becomes the foundation of your NIS2 compliance, and you should develop and implement a risk assessment methodology suitable for your organisation. Regardless of your risk assessment you must implement the minimum requirements.
NIS2 Minimum Requirements
NIS2 Article 21(2) sets out a list of minimum requirements that all organisations must follow regardless of their risk assessment. The following gives a brief introduction to these minimum requirements.
Risk Management and Information Security Policy
Your organisation must have a clear, risk-based policy for information security. This policy sets the framework for how you manage security and ensures that your measures are appropriate to your risks, business goals, and legal obligations.
Read NIS2 guide: Risk Management and Information Security Policy.
Incident Handling
You must be able to detect, report, and respond to incidents. This means having clear procedures for identifying incidents, analysing their impact, restoring operations, and learning from what happened to avoid similar issues in the future.
Read NIS2 guide: Incident Handling.
Business Continuity
NIS2 requires you to prepare for disruptions. Business continuity planning ensures your critical operations can continue during a crisis and that systems and services can be restored in a controlled and timely way.
Read NIS2 guide: Business Continuity.
Supply Chain Security
Your suppliers and service providers can be a weak link if not managed properly. You need to assess risks in your supply chain, set clear security requirements in contracts, and make sure suppliers cooperate with you in case of incidents.
Read NIS2 guide: Supply Chain Security.
Acquisition, Development and Maintenance
Security must be built into your IT systems and services throughout their lifecycle—from procurement and development to daily operation and eventual disposal. This includes patching, secure configuration, and applying best practices such as Security by Design.
Read NIS2 guide: Acquisition, Development and Maintenance.
Effectiveness of Measures
It’s not enough to have security measures in place—they must also work. You must regularly test and assess the effectiveness of your measures, including through technical testing, reviews, and audits, and improve them when weaknesses are found.
Read NIS2 guide: Effectiveness of Measures.
Cyber Hygiene and Cybersecurity Training
Basic security practices—such as patching, backups, malware protection, and strong authentication—must be part of your daily operations. Your employees also need regular training so they understand risks, follow best practices, and know how to act in case of incidents.
Read NIS2 guide: Cyber Hygiene and Cybersecurity Training.
Cryptography
Your organisation must protect the confidentiality, integrity, and authenticity of data with strong cryptographic measures. This means setting clear rules on encryption standards, key management, and secure use of cryptography in line with risk assessments and asset classification.
Read NIS2 guide: NIS2 & Cryptography.
Human Resources Security, Access Control, and Asset Management
People, access, and assets are at the core of security. Your employees must understand their responsibilities, access must be controlled and reviewed, and your assets must be classified, tracked, and protected throughout their lifecycle.
Read NIS2 guide: Human Resources Security, Access Control, and Asset Management.
Multi-Factor Authentication and Emergency Communication Systems
To reduce the risk of unauthorised access, you must protect critical systems and data with multi-factor authentication. You must also ensure reliable communication at all times, including in emergencies, with confidentiality, integrity, and availability preserved.
Read NIS2 guide: Multi-Factor Authentication and Emergency Communication Systems.
NIS2 Cybersecurity Governance
Cybersecurity measures have historically been neglected by top management and left to IT personnel to handle.
NIS2 Article 20(1) changes this by requiring top management to approve the cybersecurity risk-management measures taken by the organisation. Top management must ensure that these measures are sufficient and effective in reducing risks to an acceptable level. They are also required to oversee the implementation of these measures and can be held liable for non-compliance.
Read NIS2 guide: NIS2 Cybersecurity Governance.
NIS2 Management Training
NIS2 goes further in Article 20(2), which requires top management to receive training in cybersecurity. This training should give them the skills to identify risks, assess cybersecurity risk-management practices, and understand their impact on critical services.
Read NIS2 guide: NIS2 Management Training.
Reporting Obligations
Your organisation must report incidents that have a significant impact on the provision of its critical services to the national CSIRT as soon as possible. An early warning is due within 24 hours, and an initial assessment must be reported within 72 hours. A final incident report must be submitted to the CSIRT within 1 month of the incident occurring.
The organisation must also notify the recipients of the service about how the incident might affect the provision of the service, and which measures or remedies they could take in response to the incident.
Penalties and Liability
Finally, it is important to follow the requirements of NIS2 because it is law. You should also know that top management can be held personally liable for non-compliance with NIS2. Your organisation can be fined up to 10 million euros or 2% of worldwide turnover if it is an essential organisation, and up to 7 million euros or 1.4% of worldwide turnover if it is an important organisation.
To comply with NIS2, you will find great help in the guides referenced in this article.