The NIS2 directive is the EU's latest cybersecurity legislation. This checklist will help you get started with your NIS2 compliance journey.

1 Introduction

Cyber attacks are on the rise, so there is a need for concrete and effective cybersecurity controls and processes.

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.


The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive that came into force in 2023. It modernized the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.

Businesses identified by the Member States as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.

The following is a non-exhaustive list of questions that will guide you toward cyber resiliency.

Additional security controls and questions will follow in other questionnaires/sections.

2 Governance and security management

Dedicating people and resources to achieve security hygiene and resiliency.


This person or team should have defined roles and responsibilities and be responsible for implementing and enforcing the organization's security policies and procedures.

The purpose of this question is to determine whether the organization has a structured approach to managing cybersecurity risks and is taking appropriate measures to comply with the security requirements of NIS2.

Having a dedicated security manager is important for ensuring that an organization is adequately prepared to prevent, detect, and respond to security incidents, and to comply with relevant regulations and standards.


Having an information security policy is a key requirement under NIS2 for operators of essential services and digital service providers.

Such a policy should cover a range of issues related to information security, including access controls, incident response, data protection, and security awareness training, among others.

The policy should be regularly reviewed and updated to ensure it remains effective in mitigating new and evolving threats.


Dedicated security committee meetings can help to ensure that information security is given adequate attention within an organization.

Such meetings may involve regular discussions around security incidents, risk assessments, security policy development and implementation, as well as training and awareness programs for employees.

The committee may also be responsible for monitoring compliance with security standards and regulations, and for recommending changes to security policies and procedures as needed.


Does top management undertake a periodic review of the information security program and policy?


Periodic reviews by top management are an essential component of an effective information security program.

Such reviews can help to ensure that the organization's security measures remain relevant and effective in the face of changing threats and that the organization is complying with relevant laws, regulations, and industry standards.

The review should consider factors such as the organization's risk profile, security incidents, and the effectiveness of the security controls in place.


Ongoing risk assessments are a key component of an effective information security program and are necessary to identify and mitigate potential threats to the organization's networks and systems.

Such assessments may involve identifying and assessing vulnerabilities, evaluating the likelihood and potential impact of security incidents, and developing mitigation strategies.


A risk register is a document or system that identifies, evaluates, and records risks that an organization may face, and may include information such as the likelihood of the risk occurring, its potential impact on the organization, and the mitigation strategies in place to address it.

A well-defined risk register can help an organization to better understand its risks and develop effective strategies for mitigating them.

3 Business continuity, disaster recovery and incident response

Plan and test your business continuity policies and procedures, so you're ready when they’re really needed.


A business continuity plan is a set of documented procedures and strategies that an organization can use to recover from a significant disruption to its operations.

Such a plan typically outlines the critical business functions that must be maintained during a disruption, the steps required to restore those functions, and the roles and responsibilities of various individuals or teams involved in the recovery process.


Business continuity drills are simulated tests of an organization's business continuity plan, which are conducted to identify and address any gaps or weaknesses in the plan.

Such drills may involve testing specific components of the plan, such as communication protocols or data recovery procedures, or may simulate a complete business interruption to test the plan's overall effectiveness.

The frequency of business continuity drills may vary depending on the organization's risk profile, the complexity of its operations, and other factors.



An incident response/crisis management playbook is a documented plan that outlines the steps to be taken in response to a security incident or crisis, and may include information such as the roles and responsibilities of various individuals or teams involved in the response, communication protocols, and recovery procedures.

Does your organization have a defined contacts list for external parties that are relevant to security and privacy? Legal, regulators, law enforcement, vendors - authorities and special interest groups.


Having a defined contacts list can help the organization quickly and efficiently communicate with relevant parties in the event of a security incident, as well as provide a means of staying up-to-date on relevant regulations and best practices.

4 Human resources and operational security

Control your assets, throughout the organization and business.

Are employees and personnel (internal, external) subject to screening/background checks, and do they have terms and conditions of employment defining their information security responsibilities?


Employee screening or background checks may include measures such as verifying references, checking for criminal records or other relevant background information, or assessing the individual's qualifications and experience.

Terms and conditions of employment defining information security responsibilities may include provisions such as confidentiality agreements, acceptable use policies, and security awareness training.

Does your organization manage an asset (systems, data) inventory list/directory that includes asset owners?


Managing an asset inventory list or directory is an important part of effective security management, as it can help the organization identify potential vulnerabilities or risks, assess the impact of a security incident, and prioritize security investments.

The inventory should include information such as asset types, locations, ownership, criticality, and dependencies.

Does your organization have backup systems for emergency communications? Backup email, phone and messaging channels.


Having backup systems for emergency communications can help ensure that the organization is able to continue operating and communicating effectively even in the event of an incident that affects its normal communication channels.

Backup systems may include alternative email, phone, and messaging channels that can be used to communicate, as well as processes for activating and using these channels in the event of an emergency.

Does your organization use enterprise-grade and secure voice, video, and text communication systems?


Using enterprise-grade and secure communication systems can help ensure that the organization's communications are reliable and protected against unauthorized access, interception, or manipulation.

Such systems may include secure messaging platforms, virtual private networks (VPNs), encrypted voice and video conferencing tools, and other secure communication technologies.

5 Vulnerability management, testing and central logging/auditing

Ongoing measurement and having a feedback loop are key.


A vulnerability management program is an important component of effective security management, as it can help the organization identify and address vulnerabilities before they can be exploited by attackers.

A vulnerability management program may include processes for scanning systems and applications for vulnerabilities, prioritizing vulnerabilities based on severity and potential impact, and developing and implementing plans to address identified vulnerabilities.


Network and host vulnerability scanning is an important component of vulnerability management, as it can help the organization identify vulnerabilities in its systems and infrastructure that could be exploited by attackers.

Scanning may involve using automated tools to search for vulnerabilities in the organization's network and host systems, and then prioritizing and addressing the identified vulnerabilities.


Penetration testing is a type of security testing that involves attempting to exploit vulnerabilities in a system or network to identify potential weaknesses that could be exploited by attackers.

Internal and external penetration testing may involve testing from both inside and outside the organization's network to identify potential vulnerabilities that could be exploited by an attacker with either an internal or external presence.



A public bug bounty program is a formalized process in which an organization invites independent security researchers to identify and report security vulnerabilities in exchange for a reward or bounty.

With a public bug bounty program, the organization can leverage the expertise of the security research community to identify potential security issues that may not have been identified through internal testing.

Does your organization document and manage all security vulnerabilities in a central location/system?


Managing security vulnerabilities in a central location or system can help ensure that vulnerabilities are tracked, prioritized, and addressed in a timely and systematic manner.

This can involve the use of tools such as vulnerability scanners or bug trackers, as well as the establishment of clear policies and procedures for identifying, documenting, and addressing security vulnerabilities.



Author 21RISK
Languages English
Length 38 Questions
Last modified Feb 17, 2023
Created Apr 07, 2023