Free NIS2 Compliance Checklist
The 15-point PDF checklist trusted by 2,400+ compliance officers to audit their organization's NIS2 readiness. Avoid fines up to €10M or 2% of global turnover.
No credit card required · Instant download · Ready in 30 seconds
What is the NIS2 Directive?
The NIS2 Directive (EU) 2022/2555 is the EU's updated cybersecurity legislation that entered into force on October 17, 2024. It replaces the original NIS Directive and significantly expands the scope, requirements, and penalties for non-compliance.
NIS2 aims to strengthen cybersecurity across the EU by establishing common security requirements, improving incident reporting, and enhancing cooperation between Member States. Organizations that fall under NIS2 must implement comprehensive cybersecurity measures or face significant fines.
Who Needs to Comply?
NIS2 applies to organizations based on their sector and size. There are two main categories:
Essential Entities
Critical infrastructure providers with strict supervision
- Energy, Transport, Banking
- Financial Market Infrastructure
- Healthcare, Drinking Water
- Digital Infrastructure
- ICT Service Management
- Public Administration, Space
€50M turnover AND €43M balance sheet
Important Entities
Medium-sized organizations with proportionate oversight
- All essential sectors (smaller entities)
- Postal Services, Waste Management
- Chemicals, Food, Medical Devices
- Manufacturing (computers, electronics)
- Digital Providers
€10M-€50M turnover
Don't Assume You're Exempt
Even if you're an SME, national authorities can designate you as essential or important if deemed critical. Use our NIS2 Compliance Checker to assess your status.
15-Point NIS2 Compliance Checklist
Use this checklist to assess your organization's compliance with NIS2 requirements. Each item references the specific article in the NIS2 Directive.
Risk Management
- Implement security policies and procedures (Article 21(2)(a)): Document and maintain comprehensive information security policies covering risk assessment, access control, and incident response.
- Establish incident handling procedures (Article 21(2)(b)): Create procedures for detection, analysis, containment, and recovery from cybersecurity incidents.
- Conduct regular risk assessments (Article 21(2)(a)): Perform systematic cybersecurity risk assessments of networks, information systems, and physical environments.
Incident Reporting
- Set up 24-hour early warning process (Article 23(2)(a)): Establish procedures to notify the CSIRT within 24 hours of becoming aware of a significant incident.
- Prepare 72-hour incident notification template (Article 23(2)(b)): Document initial assessment, severity, cross-border impact, and indicators of compromise for submission within 72 hours.
- Define final report requirements (Article 23(2)(c)): Create a comprehensive reporting process to submit a detailed incident description, threat type, root cause, and mitigation measures within 1 month.
Security Governance
- Assign board-level accountability (Article 20(1)): Ensure management bodies approve security measures, oversee implementation, and can be held liable for non-compliance.
- Conduct mandatory security training (Article 20(2)(g)): Provide regular cybersecurity training and awareness programs for all staff, with specialized training for management.
- Implement access control policies (Article 21(2)(d)): Deploy multi-factor authentication, privileged access management, and role-based access controls across all systems.
Supply Chain Security
- Assess third-party security posture (Article 21(2)(d)): Evaluate the cybersecurity practices of suppliers and service providers, particularly high-risk third parties.
- Include security clauses in contracts (Article 21(2)(d)): Ensure vendor contracts include cybersecurity requirements, audit rights, and incident notification obligations.
- Monitor supply chain vulnerabilities (Article 21(2)(d)): Track security patches, vulnerabilities, and incidents affecting your supply chain and third-party dependencies.
Business Continuity
- Develop backup and disaster recovery plans (Article 21(2)(c)): Implement regular backup procedures, disaster recovery documentation, and tested restoration processes.
- Test crisis management procedures (Article 21(2)(b)): Conduct regular exercises to test incident response, business continuity, and crisis communication plans.
- Ensure system redundancy and resilience (Article 21(2)(c)): Design systems with redundancy, failover capabilities, and resilience to withstand cyber attacks and failures.
Get Your Free NIS2 Checklist PDF
Enter your email to download the complete 15-point checklist as a PDF. You'll also receive NIS2 compliance updates and deadline reminders.
Frequently Asked Questions
What is the NIS2 Directive?
The NIS2 Directive (EU) 2022/2555 is an EU-wide cybersecurity legislation that entered into force on October 17, 2024. It replaces the original NIS Directive and establishes comprehensive cybersecurity requirements for essential and important entities across 18 sectors, including energy, transport, banking, healthcare, and digital infrastructure.
Who needs to comply with NIS2?
NIS2 applies to two categories: Essential entities (large organizations in critical sectors like energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, and space) and Important entities (medium-sized organizations in these sectors plus postal services, waste management, chemicals, food, medical devices, computers, electronics, machinery, motor vehicles, and digital providers). Size thresholds are 250+ employees OR €50M turnover + €43M balance sheet for essential, and 50-249 employees OR €10M-50M turnover for important entities.
When is the NIS2 compliance deadline?
EU Member States must transpose NIS2 into national law by October 17, 2024. Organizations should already be working toward compliance. Essential entities face direct supervision and significant fines up to €10M or 2% of global turnover, while important entities face proportionate enforcement measures.
What are the main NIS2 requirements?
NIS2 requires organizations to implement: (1) Risk management measures including security policies, incident handling, and business continuity, (2) Incident reporting within 24 hours (early warning), 72 hours (incident notification), and 1 month (final report), (3) Security governance with board-level accountability, (4) Supply chain security assessments, and (5) Regular testing and audits. Non-compliance can result in significant fines and personal liability for management.
How is NIS2 different from the original NIS Directive?
NIS2 expands scope from 7 to 18 sectors, removes the previous designation process (entities are automatically in scope based on size criteria), introduces stricter incident reporting deadlines (24h/72h/1 month vs 72h), adds personal liability for management bodies, strengthens supply chain security requirements, and increases maximum fines significantly (up to €10M or 2% of global turnover for essential entities).
Does NIS2 apply to SMEs?
Most SMEs are excluded from NIS2 if they have fewer than 50 employees AND either annual turnover ≤€10M OR balance sheet total ≤€10M. However, SMEs in critical sectors (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, space) may still be designated as essential or important entities regardless of size if deemed critical by national authorities.
Ready to Automate Your NIS2 Compliance?
Join Resiliently as a founding member and get access to AI-powered compliance automation tools, ongoing regulatory updates, and personalized risk assessments.