NIS 2 compliance checklist: The ultimate 7-step approach for your organization
With NIS 2 becoming part of national laws, compliance has become mandatory for organizations within its scope.
Although NIS 2 has addressed some of its predecessor’s shortcomings by expanding its scope and setting clearer security and reporting requirements, it remains demanding for security and compliance teams. Its prescriptive guidance and requirements are still limited in certain areas, which can leave teams uncertain about the exact steps to take.
To help your organization navigate NIS 2 with confidence, we’ve outlined a checklist that clarifies key deliverables for your team to focus on.
Navigating NIS 2 and its compliance requirements
NIS 2 is the successor to the original NIS (Network and Information Systems) directive, which aims to build and improve the resilience of essential and important entities against cyber threats. NIS 2 expands the scope of the original legislation and tightens both security requirements and enforcement measures.
The updated NIS 2 directive applies to organizations deemed critical to societal and economic stability. The legal text classifies 18 sectors that fall into two categories, as shown in the table below:
While many of NIS 2's provisions focus on the obligations of EU Member States, affected organizations also have some broad requirements to follow. Still, the guidance for affected organizations is less prescriptive, leaving room for interpretation.
The real challenge for most teams is to interpret and translate the requirements into actionable steps. Our structured NIS 2 compliance checklist can help fill potential gaps.
Your practical NIS 2 compliance checklist: 7 key steps
Our NIS 2 compliance checklist outlines seven foundational steps that will help your organization move closer to fulfilling the directive’s requirements:
- Outline your governance strategy
- Develop a risk management program
- Assess and update your technical controls
- Implement relevant security policies
- Develop business continuity and incident response plans
- Ensure adequate training and support
- Oversee documentation processes
Step 1: Outline your governance strategy
Building a strong governance strategy is the first step towards NIS 2 compliance. Without clear leadership, compliance efforts can become scattered across departments, further complicating matters.
To get started, create a dedicated compliance team led by a cybersecurity officer or someone in a similar role who will steer the process. This creates a central point for decision-making and streamlines communication between departments. It also establishes a clear point of accountability for achieving, maintaining, and updating compliance.
You can further optimize the process by creating clearly defined roles and responsibilities for your team members. This helps you develop better-defined compliance timelines, allowing your teams to manage expectations and collaborate more efficiently.
Implementing a NIS 2-informed governance framework will also benefit organizations that are in the process of maturing their information security program. This can help organizations practice cybersecurity governance aligned with NIS 2 standards early on.
Step 2: Develop a risk management program
NIS 2 introduces a more encompassing approach to risk management and cybersecurity practices. The new procedures don’t apply solely to IT teams—all company levels are accountable for implementing risk-based and preventive measures. The directive also tackles third-party risks by placing a stronger emphasis on supply chain security.
To set up an effective risk management program aligned with NIS 2, you should establish foundations by analyzing your organization’s risk appetite and defining appropriate responses. The goal is to align your program with both the directive’s requirements and your evolving risk landscape.
This can be a multi-step process with activities like:
- Identifying threats and vulnerabilities
- Creating and updating plans for risk mitigation or remediation
- Reviewing third-party risks
NIS 2 places greater emphasis on third-party risks, recognizing the potential threats they can introduce to your organization’s security posture. To combat this, the directive requires you to adopt a comprehensive strategy that addresses supply chain security. This translates into several additional tasks, like mapping critical suppliers and services and reviewing access controls.
Step 3: Assess and update your technical controls
Aside from organizational and operational measures, NIS 2 also requires several technical security measures for in-scope entities, such as multi-factor authentication, encryption, network security, and several others.
If you're preparing for NIS 2 compliance, it's good practice to review your current technical controls. This will ensure your company’s data security and privacy protection measures align with the directive’s requirements.
Regularly conducting comprehensive security reviews, such as vulnerability scans and penetration tests, enables you to proactively detect possible threats and vulnerabilities. This also helps you demonstrate a stronger security posture, which can positively impact client trust.
While NIS 2 does clarify which measures are required to achieve compliance, the directive does not provide specific guidance on technical implementation. The good news is that NIS 2 shares technical requirements with some industry-accepted standards, like ISO 27001, which you can leverage to streamline your compliance workflows.
Step 4: Implement relevant security policies
NIS 2 requires in-scope entities to implement and maintain several security policies. These include but are not limited to:
- Access management policies: You’ll define user roles, permissions, and how access is granted and secured
- Cryptography policies: You’ll implement encryption algorithms, create guidelines on how and when to use encryption, and outline procedures for responding to compromised encryption systems
- Risk management policies: You’ll create guidelines for the administration, monitoring, and reporting of your organization’s risk management program
- Incident response policies: You’ll establish a program for security event and incident management, including specific response and reporting SLA requirements
While NIS 2 doesn’t provide a granular outline of what these policies should include, it does require organizations to ensure their policies are effective in securing sensitive data. As a best practice, management should review and update these policies annually to stay up-to-date with risks and compliance requirements.
Step 5: Develop business continuity and incident response plans
A business continuity plan (BCP) helps an organization maintain critical operations or quickly recover from disruptive events, such as natural disasters and system failures. Almost every cybersecurity regulation requires having a BCP to mitigate the risk of such events. NIS 2 mandates that essential and important entities adopt a proactive approach to risk management, making BCPs a fundamental requirement.
For this step, you may want to get your security team together and evaluate potential adverse scenarios.
Building an incident response plan (IRP) and setting up adequate reporting measures are also essential for NIS 2 implementation. For your IRP to be effective, you must define clear workflows for detecting, mitigating, and recovering from security incidents.
The updated directive specifies strict incident reporting timelines that you must build into your IRP. It defines four reports you need to submit to the CSIRT at predefined intervals:
- First report: You must send it within 24 hours of the incident being discovered, including information on the possible cause.
- Follow-up report: You must submit it within 72 hours of the organization becoming aware of the incident. This report needs to provide updated information from the first report, a severity assessment of the incident, and the indicators that pointed to it.
- Intermediate report: As needed or upon request by the CSIRT, you may need to submit an intermediate report on relevant status updates on the incident.
- Final report: You must send it within 30 days of the follow-up. It should contain the details of the incident, taken or ongoing mitigation measures, and the cross-border impact of the incident, if any.
If the incident is still ongoing when the final report is due, you are instead required to provide a progress report at that point and subsequently a final report within one month after handling the incident.
Step 6: Ensure adequate training and support
NIS 2's Article 20 on governance mandates cybersecurity training for employees of essential and important entities. Your training program should cover these key elements:
- Basic cybersecurity hygiene
- Role-based access control
- Protection from social engineering attacks
- Secure handling and disposal of sensitive data
- Remote device security
- Incident response awareness
With this approach to training, you can ensure accountability at all levels of the organization. It will also allow you to demonstrate training efforts to the relevant authorities through role-specific manuals or completion certificates.
While NIS 2 specifies the need for training, it doesn’t prescribe the frequency. As a rule of thumb, training should be conducted at least once a year and be mandatory after major incidents or changes to the organization’s security posture.
Step 7: Oversee documentation processes
NIS 2 came into force for EU Member States on October 17, 2024. As a result, impacted organizations will face more scrutiny from relevant authorities, which calls for maintaining thorough documentation as evidence of NIS 2 implementation.
Some of the most essential records to maintain when gathering documentation include:
- Risk assessments
- Security reports
- Incident response logs
- Security training records
- Access point records
Security teams often deal with disparate systems, such as spreadsheets and email threads, to gather and store this evidence. This increases the administrative burden and makes the compliance process time-consuming, as collecting documentation manually can be labor-intensive.
To streamline the entire process, you can eliminate much of the manual work by using an automated compliance solution. These are designed to make evidence collection and management easier, enabling better demonstrability of NIS 2 compliance at any scale.
Get—and stay—NIS 2 compliant with Vanta
NIS 2 compliance isn’t just a one-time effort. It requires ongoing visibility, governance, and action across your security program. Vanta’s all-in-one Trust Management Platform helps you stay ahead with automation, expert-built guidance, and cross-mapped frameworks so you can meet your next big business milestone faster.
As your NIS 2 compliance partner, Vanta:
- Automates up to 65% of NIS 2 requirements with 375+ integrations and pre-built control tests
- Leverages 100+ document and policy templates aligned to NIS 2 categories like incident response, third-party risk, business continuity, and governance
- Provides a dedicated NIS 2 compliance checklist to break down complex directives into actionable tasks, so your team always knows what to do next
- Cross-maps controls with frameworks like ISO 27001, SOC 2, and GDPR, surfacing work you’ve already done and eliminating duplication
- Streamlines vendor risk oversight and helps you detect, classify, and manage third-party vendors in line with NIS 2’s expanded requirements
- Supports real-time continuous monitoring and continuous evidence collection to reduce manual upkeep
And it’s not just software—Vanta provides expert support at every step of the way, including:
- A Customer Success Manager to guide your rollout and ongoing program
- Access to subject-matter experts who specialize in EU regulatory frameworks like NIS 2
- A global partner network of consultants and auditors for additional support if you need it
- The shared insight and scale of 12,000+ customers across industries and regions
Get a tailored experience of how Vanta can help support your team by scheduling a NIS 2 demo.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.