NIS2 checklist

Cybersecurity is no longer just an IT issue—it’s a business necessity. The NIS2 Directive strengthens cybersecurity requirements for businesses operating in critical sectors across Europe. With stricter security measures, reporting obligations, and supply chain requirements, organizations must act now to ensure compliance.

We've created a checklist that breaks down NIS2 compliance into clear, actionable steps. From risk management and identity security to incident response and supply chain protection, this checklist helps businesses strengthen their cybersecurity posture, meet regulatory requirements, and stay competitive in an evolving digital landscape.

1. Understanding NIS2 Scope and Impact

• Confirm if your organization falls within the scope of NIS2 (50+ employees, €10M+ turnover, providing essential or important services).
• Identify whether your suppliers or partners are affected by NIS2 and how it impacts third-party risk management.
• Review the deadline for national implementation (17 October 2024) and align internal compliance plans.

2. Risk Management and Security Posture

• Conduct a risk assessment to identify potential vulnerabilities in your network and information systems.
• Implement proportionate technical and organizational measures to mitigate cybersecurity risks.
• Evaluate security posture through comprehensive security assessments and penetration testing.
• Strengthen ransomware defences using endpoint security, least privilege enforcement, and advanced detection tools.

3. Identity and Access Management

• Implement Multi-Factor Authentication (MFA) across all critical systems to prevent unauthorized access.
• Apply the least privilege access principles to limit administrator-level accounts and enforce continuous authentication.
• Regularly rotate administrative passwords and ensure secure management of privileged accounts.
• Monitor and audit access control policies to ensure compliance and prevent identity-based threats.

4. Incident Response and Reporting

• Develop a formal Incident Response Plan that aligns with NIS2 requirements.

• Ensure incidents are reported within the required timeline:
• Initial notification within 24 hours
• Technical report within 72 hours
• Final report within one month

• Establish clear procedures for incident tracking, forensic analysis, and response execution.
• Conduct regular incident response drills to test organizational preparedness.

5. Supply Chain Security

• Assess vendor security risks and verify supplier compliance with NIS2 regulations.
• Require third-party suppliers to provide industry-standard security reports (ISO 27001, penetration test results, etc.).
• Establish contractual agreements outlining specific security obligations for supply chain partners.
• Monitor suppliers continuously to ensure compliance with NIS2 cybersecurity standards.

6. Implementing a Zero Trust Security Framework

• Shift from perimeter-based security to a Zero Trust approach (validate all access attempts).
• Deploy continuous authentication and adaptive access control solutions.
• Secure cloud-based resources by enforcing least privilege access and monitoring user activity.

7. Compliance Monitoring and Auditing

• Establish audit logs and monitoring mechanisms to track security events and user activities.
• Align compliance efforts with ISO 27001 by mapping NIS2 requirements to existing security controls.
• Perform regular internal audits and security testing to validate cybersecurity measures.
• Document all compliance activities to demonstrate accountability to regulators.

8. Employee Education and Awareness

• Provide cybersecurity training for employees, contractors, and third-party vendors.
• Educate staff on phishing risks, social engineering threats, and cyber hygiene best practices.
• Ensure personnel understand their roles in maintaining compliance with NIS2 security measures.
• Promote a security-first culture to enhance overall organizational resilience.

9. Legal and Financial Compliance

Understand the financial penalties for non-compliance:

• Essential Entities: €10 million or 2% of global annual revenue (whichever is higher).
• Important Entities: €7 million or 1.4% of global annual revenue (whichever is higher).
• Ensure that leadership and management bodies are aware of legal responsibilities under NIS2.
• Review contractual obligations related to cybersecurity in third-party agreements.

Why UK businesses should care about NIS2

Ignoring the NIS2 Directive is not an option for UK businesses, as non-compliance carries significant risks, including financial penalties, reputational damage, and operational disruptions. The directive is designed to counteract the increasing sophistication of cyber threats, making it a crucial component of any comprehensive risk management strategy.

Compliance with NIS2 not only supports business continuity but also enhances trust with customers and partners, thereby strengthening a company's competitive edge in international markets. Additionally, the directive places a strong emphasis on supply chain security, underscoring the need for UK businesses to align with EU standards to ensure seamless operations and compliance across borders.

Key areas to address for compliance

To achieve compliance with the NIS2 Directive, UK businesses must focus on several core areas that are critical for meeting the directive's requirements and preparing for potential audits. A comprehensive approach to risk management is essential, which includes identifying and mitigating key vulnerabilities within the organization. This involves implementing robust cybersecurity risk management measures that are tailored to the specific needs and threats faced by the business.

Incident reporting is another crucial aspect of NIS2 compliance. Businesses must understand the notification timelines and protocols for reporting significant incidents. This ensures that any security incidents are managed effectively and that the necessary reporting obligations are met promptly. Additionally, organizational measures should be in place to assign responsibility to senior management, ensuring accountability and oversight in cybersecurity governance.

Updating security policies is vital, with a focus on incorporating multi-factor authentication and secure communication tools to protect sensitive data and communications. Regular cybersecurity training for employees is also imperative to minimize human error and enhance the overall security posture of the organization. By addressing these key areas, businesses can ensure they are well-prepared to meet the NIS2 compliance requirements.

NIS2 checklist summary for businesses

Governance and accountability

Effective governance and accountability are foundational to NIS2 compliance. Businesses should appoint responsible individuals, such as a Chief Information Security Officer, to oversee cybersecurity initiatives. Regular board-level reviews of cybersecurity performance are essential to ensure that the organization remains aligned with the directive's requirements and can swiftly address any emerging risks.

Risk assessment and management

Conducting a thorough risk assessment of current systems is crucial for identifying vulnerabilities and implementing appropriate risk management measures. This process should include evaluating the cybersecurity measures in place and determining any gaps that need to be addressed. By proactively managing risks, businesses can protect their critical services and maintain compliance with the NIS2 Directive.

Incident handling and reporting

Businesses must establish clear procedures for incident handling and reporting. This includes developing an incident management plan that outlines the steps to take in the event of a security incident, as well as the protocols for incident notification and reporting. Ensuring compliance with reporting obligations is critical to maintaining transparency and accountability in the face of significant incidents.

Security controls and measures

Implementing robust security controls and measures is vital for safeguarding organizational assets. This includes the use of multi-factor authentication and continuous authentication solutions to secure access to sensitive data and systems. Additionally, businesses should invest in secured emergency communication systems to ensure reliable and secure voice, video, and text communications during critical situations.

Training and continuous improvement

Regular cybersecurity training for employees is essential to enhance their awareness and ability to respond to potential threats. Continuous improvement should be a core component of the organization's cybersecurity strategy, with ongoing assessments and updates to security policies and procedures to ensure their effectiveness in mitigating risks.

Compliance and enforcement

Essential and important entities must meet the minimum requirements of the new directive, including robust security-related aspects like governance and cybersecurity measures, to comply with the legislation. Regular training, early warnings, and documented processes are vital to address new requirements and maintain capabilities. Authorities can enforce penalties, so trust service providers and others should take proactive steps to align with the directive, safeguarding their services and reputation.

Operational Considerations of NIS2 compliance

Essential and important entities must secure their digital assets through regular audits, robust access controls like secured voice and multi-factor authentication, and continuous software updates to meet the new directive's requirements. Regular training and collaboration with service providers and direct suppliers are crucial to align with the legislation, address security-related aspects, and manage risks effectively.