NIS2 Compliance Checklist: 20-Point Assessment Guide
How to Use This Checklist
This checklist provides a structured approach to assessing your organisation's NIS2 readiness. Each item maps to a specific NIS2 article, allowing you to trace requirements back to the legislative text and prioritise implementation efforts.
The checklist is organised into five domains: Governance, Technical Measures, Incident Reporting, Supply Chain, and Compliance Operations. Work through each domain systematically — governance and risk analysis should be addressed first, as they inform the priorities and proportionality of all subsequent measures.
Your progress is saved locally in your browser. Use this as a living assessment tool: revisit periodically to track progress, identify gaps, and prepare for supervisory reviews. Each item represents a substantive compliance requirement — checking an item should reflect genuine implementation, not just documentation.
Assessment Approach
For each checklist item, assess whether your organisation has: (1) a documented policy or procedure, (2) implemented technical and organisational controls, (3) evidence of operation and effectiveness, and (4) management body awareness and approval where required.
A checklist item is only complete when all applicable dimensions are addressed. Having a policy without implementation is insufficient. Having implementation without evidence is a supervisory risk. Use the NIS2 proportionality principle — the depth of each measure should be appropriate to your entity's size, risk exposure, and classification (essential vs important).
For organisations starting their NIS2 journey, this checklist serves as a gap analysis tool. For those with mature cybersecurity programmes, it functions as a compliance mapping exercise — identifying where existing controls satisfy NIS2 requirements and where supplementary measures are needed.
Compliance Checklist
Frequently Asked Questions
Is this checklist sufficient for NIS2 compliance?
This checklist covers the primary obligations under NIS2 and provides a structured starting point for gap analysis. However, NIS2 compliance depends on the specific requirements of your member state's national transposition, your entity classification (essential vs important), and the proportionality assessment for your sector and risk profile. Use this as a framework for assessment, supplemented by national implementation guidance and, where appropriate, qualified legal and cybersecurity advisory support.
In what order should I tackle the checklist items?
Start with governance: management body approval and the risk management policy provide the foundation for all other measures. Then conduct risk analysis to prioritise technical measures based on your specific risk profile. Incident reporting readiness should be established early as reporting obligations apply immediately upon a significant incident. Supply chain and compliance operations items can then be addressed in parallel.
How does FortisEU automate NIS2 checklist tracking?
FortisEU maps each NIS2 obligation to actionable controls with evidence collection workflows. The platform tracks implementation status, stores evidence artifacts, automates assessment scheduling, and generates audit-ready reports — transforming this checklist from a static document into a living compliance programme with real-time visibility.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
Automate NIS2 Compliance with FortisEU
Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.