NIS2 Compliance Checklist: 70+ Action Items for the 2026 Deadline

The NIS2 Directive enforcement deadline is approaching fast. If your organization operates in one of the 18 regulated sectors, you need a systematic approach to compliance—not guesswork.

We’ve compiled a comprehensive checklist covering all 8 NIS2 requirement domains. This isn’t a high-level overview. It’s 70+ specific, actionable items your team can implement.

Why You Need a Structured Checklist

NIS2 isn’t like GDPR where you could wait for the first enforcement wave to see what regulators focused on. The penalties are too significant:

• Essential entities: Up to €10 million or 2% of global turnover
• Important entities: Up to €7 million or 1.4% of global turnover
• Management liability: Executives can be held personally responsible

A systematic checklist ensures you don’t miss critical requirements and provides documentation of your compliance efforts.

Domain 1: Risk Management & Governance

These foundational items establish accountability and create the framework for everything else.

Must-do items:

• Establish a cybersecurity risk management framework aligned with NIS2 requirements
• Designate a responsible person for cybersecurity at management level
• Conduct regular risk assessments of network and information systems
• Implement risk mitigation measures proportionate to identified risks
• Document and maintain an up-to-date inventory of all assets
• Establish incident response procedures and escalation paths
• Create a business continuity plan for cyber incidents
• Define roles and responsibilities for cybersecurity across the organization

Why it matters: Without documented governance, regulators will question whether you took compliance seriously. The designated person at management level is a NIS2 requirement, not a nice-to-have.

Domain 2: Incident Detection & Reporting

NIS2 introduces strict reporting timelines that catch many organizations off guard.

Must-do items:

• Implement 24/7 security monitoring capabilities
• Deploy intrusion detection and prevention systems (IDS/IPS)
• Establish Security Operations Center (SOC) or equivalent monitoring
• Create incident classification criteria (significant vs. non-significant)
• Define early warning indicators for potential incidents
• Document the 24-hour and 72-hour reporting timeline requirements
• Identify the relevant Computer Security Incident Response Team (CSIRT)
• Establish secure communication channels with authorities
• Train staff on incident identification and reporting procedures
• Maintain incident logs for at least 5 years

Key timeline: You have 24 hours for early warning, 72 hours for incident notification, and 1 month for the final report. Miss these windows and you’ve violated NIS2 regardless of your security posture.

Domain 3: Supply Chain Security

This is one of NIS2’s most significant changes. You’re responsible for your vendors’ security.

Must-do items:

• Create an inventory of all ICT third-party service providers
• Assess criticality and dependency on each third-party provider
• Implement due diligence procedures for vendor selection
• Include cybersecurity requirements in vendor contracts
• Establish security requirements for the entire supply chain
• Conduct regular security assessments of critical suppliers
• Define security audit rights in vendor agreements
• Plan for alternative providers for critical services
• Monitor provider security performance continuously
• Establish incident notification requirements for vendors

Practical tip: Start with your top 10 critical vendors. You can’t fix everything at once, but you need to demonstrate a systematic approach to supply chain risk.

Domain 4: Access Control & Identity Management

Strong access controls are one of the most effective ways to reduce risk quickly.

Must-do items:

• Implement multi-factor authentication (MFA) for all remote access
• Deploy MFA for privileged access accounts
• Establish role-based access control (RBAC) policies
• Implement least privilege principle across all systems
• Deploy unique user identification for all accounts
• Disable and remove unused accounts within 24 hours
• Implement privileged access management (PAM) solution
• Conduct regular review of access rights and permissions
• Enforce secure password policies and storage
• Implement session timeout and automatic lockout policies

MFA is mandatory under NIS2. If you haven’t deployed it yet, this should be your first priority.

Domain 5: Network Security

Network segmentation and monitoring provide critical defensive layers.

Must-do items:

• Segment networks to isolate critical systems
• Deploy next-generation firewalls at network boundaries
• Implement secure VPN for remote access
• Encrypt data in transit using TLS 1.3 or higher
• Deploy web application firewalls (WAF) for public-facing applications
• Implement DNS security and filtering
• Deploy network traffic analysis and anomaly detection
• Conduct regular vulnerability scanning of network infrastructure
• Document and review network architecture
• Implement zero-trust network access principles

Quick win: DNS filtering blocks a significant percentage of malware and phishing attempts with minimal effort.

Domain 6: Data Protection & Backup

Ransomware has made backup strategy existential for many organizations.

Must-do items:

• Implement data classification scheme
• Encrypt sensitive data at rest (AES-256 or equivalent)
• Establish regular backup procedures for all critical data
• Test backup restoration procedures quarterly
• Store backups in geographically separate locations
• Implement immutable backups for ransomware protection
• Define data retention policies per classification
• Establish secure data disposal and destruction procedures
• Deploy data loss prevention (DLP) controls
• Conduct regular integrity checks for critical data

The test that matters: When did you last actually restore from a backup? Untested backups are a compliance gap waiting to be discovered.

Domain 7: Security Operations & Monitoring

Continuous monitoring and rapid response capabilities are essential.

Must-do items:

• Implement centralized logging for all security-relevant events
• Deploy Security Information and Event Management (SIEM)
• Establish 24/7 monitoring capability or managed SOC service
• Configure automated alerting for critical security events
• Conduct regular log analysis and review procedures
• Integrate threat intelligence feeds
• Establish vulnerability management program
• Implement patch management process (critical patches within 48 hours)
• Document configuration management and baseline security
• Conduct regular penetration testing (at least annually)

Reality check: If you don’t have 24/7 monitoring, consider a managed SOC. NIS2 expects continuous security capability, not business-hours-only coverage.

Domain 8: Training & Awareness

Your people are both your greatest vulnerability and your best defense.

Must-do items:

• Implement mandatory cybersecurity awareness training for all employees
• Conduct regular phishing simulation exercises
• Provide role-specific security training for IT staff
• Train all staff on incident reporting procedures
• Deliver executive-level cybersecurity briefings
• Maintain documented training records and completion tracking
• Update training content based on emerging threats
• Provide secure coding training for developers
• Extend security awareness training to contractors
• Conduct regular refresher training (at least annually)

NIS2 requirement: Management bodies must approve and oversee cybersecurity measures, and they must receive regular training. This isn’t optional.

How to Use This Checklist

1. Assess your current state: Work through each domain and check off what you already have in place.

2. Identify gaps: Unchecked items represent compliance risks. Prioritize them based on your sector classification and the severity of potential penalties.

3. Create an implementation roadmap: You can’t fix everything at once. Create a realistic timeline that addresses critical gaps first.

4. Document everything: Regulators will want evidence of your compliance efforts. Maintain records of:

   • Risk assessments and findings
   • Security policies and approval dates
   • Training records
   • Incident response exercises
   • Supplier security assessments

5. Revisit regularly: NIS2 compliance isn’t a one-time project. Schedule quarterly reviews to track progress and address new requirements.

Get the Printable PDF Version

Want this checklist in a format you can use in workshops, share with your team, or present to management?

👉 Download the Free NIS2 Compliance Checklist PDF

The PDF includes:

• All 70+ checklist items formatted for printing
• Space to add notes and assign owners
• Progress tracking sections for each domain
• A summary page for executive reporting

Need help developing your NIS2 compliance program? Resiliently provides cyber risk assessment and compliance advisory services for organizations navigating complex regulatory requirements. Get in touch to discuss your specific needs.

Related NIS2 Resources

• NIS2 Penalties & Fines Explained: What Organizations Actually Face in 2026 — Penalty exposure by entity classification
• NIS2 Compliance Requirements: 10 Mandatory Security Controls — Article 21 mapped in detail
• NIS2 Incident Reporting: 24-Hour, 72-Hour, and 1-Month Requirements — Reporting timelines and procedures
• NIS2 Essential vs Important Entities: Classification Guide — Which entity tier applies to your organization