NIS2 Compliance Checklist for 2026: What Brokers Need to Verify Before Coverage Placement
Before placing cyber coverage for NIS2 in-scope clients, verify these 10 compliance checkpoints. Missing documentation is the most common coverage gap.
The most common NIS2 gap is not missing security controls — it is missing documentation. Supervisory authorities audit evidence, not attestations. A client who tells you “we have incident response procedures” is not the same as a client who can produce a board-reviewed, tested, and dated incident response procedure. That gap — between what exists and what can be demonstrated — is where NIS2 compliance fails. It is also where coverage disputes begin.
Brokers who verify compliance status before coverage placement avoid two problems: pricing surprises at renewal, and coverage disputes triggered by a claim where the insurer identifies a pre-existing compliance gap. Here are the 10 checkpoints that matter most.
The Documentation Gap — Why NIS2 Audits Fail
The NIS2 Directive (EU) 2022/2555 requires entities to implement specific risk management measures under Article 21. Supervisory authorities — BSI in Germany, ANSSI in France, INCIBE in Spain — do not take an entity’s word for it. They request documentation. They request evidence of review dates. They request evidence of testing. They request board minutes.
The most frequent failure mode in NIS2 audits is not the absence of a control. It is the absence of a document that proves the control exists, has been reviewed, and has been maintained. A risk assessment conducted two years ago and never updated is not a current risk assessment under NIS2, regardless of its quality when produced. An incident response plan that has never been tested is not a tested incident response plan — it is a document.
This is the critical distinction that brokers must understand when reviewing a client’s NIS2 posture. The documentation is the compliance. The attestation is not.
10 Compliance Checkpoints
Work through these 10 checkpoints at every renewal. Each one has a name, the key question to ask, a green flag indicating adequate documentation, and a red flag indicating a gap that needs to be addressed before coverage can be accurately priced.
1. Entity Classification Documentation
What to ask: Can you produce the formal written determination of your entity classification — essential or important — and evidence that it was approved at board level?
Green flag: Board-approved written determination, reviewed within the past 12 months, filed with the competent supervisory authority.
Red flag: No written determination on file. Classification assumed without board review. Supervisory authority not notified.
2. Management Body Accountability
What to ask: Who is the named security officer or DPO, and can you show board minutes reflecting active oversight of ICT risk in the past 12 months?
Green flag: Named officer with documented reporting line to management body. Board minutes referencing ICT risk reviews within the last 12 months.
Red flag: Security responsibilities delegated without board acknowledgment. No documented oversight in board minutes.
3. Risk Assessment
What to ask: When was your last formal risk assessment completed, and has it been reviewed by the board?
Green flag: Documented risk assessment, completed or reviewed within 12 months, covering all NIS2-relevant assets and threat scenarios, board-reviewed and signed.
Red flag: Risk assessment older than 12 months. No evidence of board review. Covers only IT assets, excludes OT or IoT.
4. Asset Inventory
What to ask: Can you produce a current inventory of all hardware, software, network components, and OT/IoT devices?
Green flag: Complete inventory, maintained and dated within the past 6 months, covering all asset categories including OT and IoT.
Red flag: Partial inventory. No OT or IoT coverage. Inventory has not been updated in over 12 months.
5. Incident Response Plan
What to ask: When was your incident response plan last tested, and do you have a record of that test?
Green flag: Documented incident response plan, with evidence of a tabletop test within 24 months, post-test action items recorded and addressed.
Red flag: Plan exists but has never been tested. No record of last test date. No post-action improvement documented.
6. Incident Notification Capability
What to ask: Do you have a documented 24-hour early warning procedure, and has it been tested?
Green flag: Early warning procedure documented, tested within 24 months, contact list current and reviewed within 12 months.
Red flag: No documented early warning procedure. Procedure exists but has never been tested or communicated to responsible parties.
7. Supply Chain Security
What to ask: Do you have a complete ICT third-party register, and have critical suppliers been assessed for security?
Green flag: ICT third-party register complete. Critical suppliers identified. At minimum, security certifications or assessments on file for critical vendors.
Red flag: No third-party register. Critical suppliers identified informally with no documentation. No evidence of supplier security assessment.
8. Cryptographic Controls
What to ask: What cryptographic standards are in use for critical data at rest and in transit, and when were they last reviewed?
Green flag: Encryption in transit (TLS 1.2 or higher) documented for critical systems. Encryption at rest for critical data stores. Standards reviewed against BSI TR-02102 or equivalent within 24 months.
Red flag: No documented encryption standards. Use of deprecated protocols (TLS 1.0, SSL) still in production. No evidence of key management procedures.
9. Security Policies
What to ask: Do you have documented security policies covering access control, patch management, and network monitoring?
Green flag: Access control policy, patch management policy, and network monitoring procedures documented, approved at the appropriate level, reviewed within 12 months.
Red flag: Policies exist but have not been reviewed within 24 months. No evidence of patch management testing. Network monitoring procedures absent.
10. CSIRT Registration
What to ask: Have you registered with the competent authority as a NIS2 entity, and are your CSIRT contact procedures current?
Green flag: Registered with competent authority. CSIRT contact procedures documented and tested within 24 months. Contact list reviewed within 12 months.
Red flag: Not registered or registration status unknown. CSIRT contact list outdated. No registered contact point for incident notification.
How to Use This at Renewal
Walk this checklist at every renewal. The sequence matters: surface the gap before the underwriter does. A broker who identifies a gap and recommends remediation to the client before binding is adding value and protecting the client relationship. A broker who is unaware of the gap and binds coverage only to have the underwriter surface it at renewal is exposed.
For the full question set to use with clients during underwriting reviews, refer to the NIS2 Underwriting Questions guide. For a downloadable version of this checklist in PDF format, use the NIS2 Compliance Checklist.
The documentation gap is solvable. Every item on this checklist is a document that can be created, reviewed, and dated. The brokers who add the most value in the NIS2 era are the ones who help clients close it before it becomes a coverage problem.
Confirm your client’s entity status: NIS2 Entity Classifier
Download the full NIS2 Compliance Checklist: NIS2 Compliance Checklist PDF