The NIS 2 Compliance Checklist

Written by

Reviewed by

Accelerating security solutions for small businesses
‍

Tagore offers strategic services to small businesses.

A partnership that can scale
‍

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors
‍

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

With NIS 2 becoming part of national laws, compliance has become mandatory for organizations within its scope.

‍

Although NIS 2 has addressed some of its predecessor’s shortcomings by expanding its scope and setting clearer security and reporting requirements, it remains demanding for security and compliance teams. Its prescriptive guidance and requirements are still limited in certain areas, which can leave teams uncertain about the exact steps to take.

‍

To help your organization navigate NIS 2 with confidence, we built this checklist that outlines key deliverables for your team to focus on.

‍

Navigating NIS 2 and its compliance requirements

NIS 2 is a successor to the original NIS or Network and Information Systems directive that aims to build and improve the resilience of essential and important entities against cyber threats. NIS 2 expands the scope of the original legislation, as well as tightens security requirements and enforcement measures.

‍

The updated NIS 2 directive applies to organizations deemed critical to societal and economic stability. The legal text classifies 18 sectors that fall into two categories, as shown in the table below:

‍

	Essential entities	Important entities
Definition	Organizations that provide critical services vital to economic stability, public safety, or national security	Organizations whose services are significant but pose a lower risk to overall societal functioning
In-scope sectors	Energy Transport Banking Financial market infrastructures Health Drinking water Waste water Digital infrastructure ICT service management Public administration Space	Postal and courier services Waste management Manufacture, production, and distribution of chemicals Production, processing, and distribution of food Manufacturing Digital providers Research

‍

While much of NIS 2 provisions focus on the obligations of EU Member States, affected organizations also have some broad requirements to follow. Still, the guidance for affected organizations is less prescriptive, leaving room for interpretation.

‍

The real challenge for most teams is to interpret and translate the requirements into actionable steps. Our structured NIS 2 compliance checklist can help fill potential gaps.

‍

Bonus reads: Explore our detailed guides for a deeper understanding of the updated NIS 2 directive:

‍

Your practical NIS 2 compliance checklist: 7 key steps

Access Review Stage	Content / Functionality
Across all stages	Easily create and save a new access review at a point in time View detailed audit evidence of historical access reviews
Setup access review procedures	Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems	Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta. Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS) Upload access files from non-integrated systems View and select systems in-scope for the review
Review, approve, and deny user access	Select the appropriate systems reviewer and due date Get automatic notifications and reminders to systems reviewer of deadlines Automatic flagging of “risky” employee accounts that have been terminated or switched departments Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section Track progress of individual systems access reviews and see accounts that need to be removed or have access modified Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners	Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access	Focused view of accounts flagged for access changes for easy tracking and management Automated evidence of remediation completion displayed for integrated systems Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results	Auditor can log into Vanta to see history of all completed access reviews Internals can see status of reviews in progress and also historical review detail