
NIS2 Compliance Checklist

NIS2
For Tech Companies · 2026 Edition

Your CTO just got a question from a customer asking if you're NIS2 compliant. Here's exactly what you need to do — and what you can ignore.


Your enterprise customer sent a security questionnaire. One of the questions asks about NIS2. You've seen the regulation mentioned everywhere but never had a clear picture of what it actually demands from a tech company like yours.

This checklist is for you.

Not a law firm summary. Not a 40-page PDF. A practical, step-by-step checklist that a technical founder or engineering lead can actually use to assess where they stand.


First: Do You Even Fall Under NIS2?

This is where most guides waste your time. They describe NIS2 in full before telling you whether it applies to you.

NIS2 (the EU's Network and Information Security Directive 2) applies to two categories of organisations operating in the EU:

  • Essential entities: energy, transport, banking, health, water, digital infrastructure, space, public administration
  • Important entities: postal services, waste management, chemicals, food production, manufacturing, digital providers, research institutions

If you're a SaaS company, cloud provider, managed service provider (MSP), or B2B tech company operating in Europe, you almost certainly fall under the "digital providers" or "important entities" category once you cross these thresholds:

  • 50+ employees, OR
  • €10 million+ in annual turnover

Under those thresholds? NIS2 does not legally apply to you. That said, your enterprise customers may still require NIS2 alignment as a procurement condition, regardless of your size.

Know which situation you're in before you spend a single hour on this.


The NIS2 Compliance Checklist

Work through this section by section. Each item includes what it actually means in practice, not just a regulatory citation.

Section 1: Governance and Accountability

1.1 Assign an information security owner

Someone at leadership level needs to be accountable for NIS2 compliance. In a startup, this is usually the CTO or Head of Engineering. In a larger company, it's a CISO or similar role. "Everyone is responsible" means no one is.

1.2 Approve a cybersecurity policy at board level

Your leadership team needs to formally approve a written information security policy. This does not have to be 80 pages. A clear, signed policy covering data protection, access control, incident response, and acceptable use is enough to start.

1.3 Document management training on cybersecurity risks

NIS2 explicitly requires that management bodies receive training and stay up to date on cybersecurity risks. This can be quarterly briefings, an annual security review session with your leadership team, or structured awareness training. Document it.

1.4 Establish a register of critical systems and services

List the systems your business depends on. For each one, identify what happens if it goes down for 24 hours. If the answer is "we can't operate," it's critical. This list becomes the backbone of your risk management approach.


Section 2: Risk Management

2.1 Conduct a formal risk assessment

You need a documented process for identifying, assessing, and treating security risks. This does not require a specialist consultant. A structured spreadsheet mapping threats, likelihood, impact, and mitigations is a valid starting point. What matters is that it exists, is reviewed regularly, and drives real decisions.

2.2 Define and document risk treatment decisions

For each identified risk: accept it, mitigate it, transfer it (insurance), or avoid it. Write down what you decided and why. Regulators and auditors want to see that you thought about risk deliberately, not that you chose only perfect outcomes.

2.3 Review your risk assessment at least annually

NIS2 requires ongoing risk management, not a one-time exercise. Put a recurring calendar item in your team's calendar. If a significant incident occurs or your tech stack changes substantially, review it sooner.


Section 3: Technical Security Controls

This is where the checklist gets specific. These are the controls NIS2 actually expects.

3.1 Multi-factor authentication (MFA) across all critical systems

Turn it on. Every admin account. Every cloud console. Every code repository. Every SaaS tool with access to production data. No exceptions. If a vendor doesn't support MFA, that is a vendor risk you need to document.

3.2 Encryption of data at rest and in transit

All customer data stored on your systems must be encrypted at rest. All data transmitted between systems must use TLS 1.2 or higher. Audit your storage configurations and your API traffic. Both matter.

3.3 Access control and least privilege

Every employee, contractor, and service account should have only the access they need for their current role. Conduct a quarterly access review. Remove accounts for departed employees within 24 hours. Revoke overprivileged access. This is one of the cheapest and most impactful controls you can implement.
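An added example (not code from the page or from Probo) of what the quarterly access review in 3.3 actually checks: it compares an identity-provider export against the HR roster and a least-privilege baseline, flags leaver accounts that have outlived the 24-hour removal target, accounts with privileges beyond their role, identities HR does not know about, and dormant accounts. All users, roles, privilege names and the 90-day dormancy cut-off are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample exports below."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical users, not a real identity-provider export).
ACCOUNTS = [
    {"user": "alice", "role": "engineer", "privileges": {"repo:write", "prod:read"}, "last_login": "2026-01-10T09:00:00Z"},
    {"user": "bob", "role": "engineer", "privileges": {"repo:write", "prod:admin"}, "last_login": "2026-01-11T09:00:00Z"},
    {"user": "carol", "role": "sales", "privileges": {"crm:read"}, "last_login": "2025-12-01T09:00:00Z"},
    {"user": "dave", "role": "contractor", "privileges": {"repo:write"}, "last_login": "2025-09-01T09:00:00Z"},
    {"user": "eve", "role": "engineer", "privileges": {"repo:write"}, "last_login": "2026-01-12T08:00:00Z"},
    {"user": "svc-deploy", "role": "service", "privileges": {"prod:deploy"}, "last_login": "2025-08-01T00:00:00Z"},
]

# Constructed HR roster: who is still employed, and when leavers left.
ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "carol": {"status": "departed", "left_at": "2026-01-08T17:00:00Z"},
    "dave": {"status": "departed", "left_at": "2026-01-12T10:00:00Z"},
}

# Least-privilege baseline: the most each role is entitled to (hypothetical).
ROLE_BASELINE = {
    "engineer": {"repo:write", "prod:read"},
    "sales": {"crm:read"},
    "contractor": {"repo:write"},
    "service": {"prod:deploy"},
}

NOW = _parse("2026-01-12T12:00:00Z")  # fixed "now" so the run is reproducible


def review_access(accounts, roster, baseline, now,
                  offboard_sla=timedelta(hours=24), dormant_after=timedelta(days=90)):
    """Return the findings a quarterly access review should produce."""
    findings = {"remove_overdue": [], "remove_pending": [], "unknown_identity": [],
                "overprivileged": {}, "dormant": []}
    for acct in accounts:
        user = acct["user"]
        if acct["role"] != "service":  # service accounts have no HR record
            hr = roster.get(user)
            if hr is None:
                findings["unknown_identity"].append(user)
            elif hr["status"] == "departed":
                # Leaver: removal is due within offboard_sla of the leaving date.
                if now - _parse(hr["left_at"]) > offboard_sla:
                    findings["remove_overdue"].append(user)
                else:
                    findings["remove_pending"].append(user)
                continue  # a leaver's account is removed, not re-scoped
        # Anything beyond the role baseline is a least-privilege violation.
        excess = acct["privileges"] - baseline.get(acct["role"], set())
        if excess:
            findings["overprivileged"][user] = sorted(excess)
        if now - _parse(acct["last_login"]) > dormant_after:
            findings["dormant"].append(user)
    return findings


if __name__ == "__main__":
    for category, items in review_access(ACCOUNTS, ROSTER, ROLE_BASELINE, NOW).items():
        print(f"{category}: {items}")
```

The output is the evidence for the review itself: keep the run's result next to the ticket that removed or re-scoped each account, and the 1.4 register of critical systems tells you which exports to feed in.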

3.4 Patch and vulnerability management

You need a process for tracking and applying security patches. For critical vulnerabilities (CVSS score 9.0+), your target should be patching within 72 hours. For high severity (7.0-8.9), within two weeks. Document your patching process and your exceptions.
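An added example (not from the page or from Probo) that turns the 72-hour and two-week targets in 3.4 into a patching report: each finding is bucketed as overdue, open but within target, closed on time, closed late, or under a documented exception. The finding ids and scores are constructed; the choice to give findings below 7.0 no fixed target is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sla_for(cvss: float) -> Optional[timedelta]:
    """Remediation target by CVSS v3 base score, following the checklist's targets."""
    if cvss >= 9.0:
        return timedelta(hours=72)   # critical
    if cvss >= 7.0:
        return timedelta(days=14)    # high
    return None                      # medium and below: tracked, no fixed target (assumption)


# Constructed findings (hypothetical ids, not real CVEs).
FINDINGS = [
    {"id": "F-1", "cvss": 9.8, "discovered": "2026-03-05T08:00:00Z", "patched": None, "exception": None},
    {"id": "F-2", "cvss": 7.5, "discovered": "2026-03-01T08:00:00Z", "patched": None, "exception": None},
    {"id": "F-3", "cvss": 9.1, "discovered": "2026-03-01T08:00:00Z", "patched": "2026-03-02T10:00:00Z", "exception": None},
    {"id": "F-4", "cvss": 8.0, "discovered": "2026-02-01T08:00:00Z", "patched": "2026-03-01T08:00:00Z", "exception": None},
    {"id": "F-5", "cvss": 9.5, "discovered": "2026-01-01T08:00:00Z", "patched": None,
     "exception": "vendor fix not yet released; compensating control: service not internet-reachable"},
    {"id": "F-6", "cvss": 5.3, "discovered": "2026-03-09T08:00:00Z", "patched": None, "exception": None},
]

NOW = _parse("2026-03-10T12:00:00Z")  # fixed "now" for a reproducible run


def patch_report(findings, now):
    """Sort each finding into the bucket a patching review needs to act on."""
    report = {"overdue": [], "open_within_sla": [], "closed_on_time": [], "closed_late": [],
              "excepted": [], "no_target": []}
    for f in findings:
        sla = sla_for(f["cvss"])
        if sla is None:
            report["no_target"].append(f["id"])
            continue
        deadline = _parse(f["discovered"]) + sla
        if f["patched"] is not None:
            bucket = "closed_on_time" if _parse(f["patched"]) <= deadline else "closed_late"
        elif f["exception"]:
            bucket = "excepted"          # documented exception; listed so it is re-reviewed
        elif now > deadline:
            bucket = "overdue"
        else:
            bucket = "open_within_sla"
        report[bucket].append(f["id"])
    return report


if __name__ == "__main__":
    for bucket, ids in patch_report(FINDINGS, NOW).items():
        print(f"{bucket}: {ids}")
```

The "excepted" bucket is what the checklist means by documenting your exceptions: a finding with a written reason and compensating control is not silently dropped from the report, it stays visible until the vendor fix lands.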

3.5 Network segmentation

Production systems should be isolated from development and internal tooling. Your customer data should not be accessible from the same network segment as your office Slack. If you're on AWS, GCP, or Azure, this is achievable with VPCs and security groups. It does not require building a new data centre.

3.6 Endpoint security on company devices

All employee laptops and mobile devices accessing company systems need endpoint protection: MDM enrollment, disk encryption (FileVault or BitLocker), screen lock, and remote wipe capability. If you use BYOD, define a clear policy for minimum device standards.

3.7 Secure configuration baseline for your infrastructure

Cloud environments drift from secure configurations over time. Run a configuration audit against CIS Benchmarks or your cloud provider's security best practices. AWS Security Hub, Azure Defender, and GCP Security Command Center all offer automated scoring. Get your score above 80% before anything else.
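An added example (not from the page or from Probo) that serves both 3.5 and 3.7: it audits a set of security groups, in a simplified AWS-like shape, against a small baseline (only the public load balancer may face the internet, and only on 443; production groups must not accept traffic from office or dev address space or from dev-tier groups) and reports a percentage score in the spirit of the 80% target. The group names, CIDRs and the scoring formula are constructed assumptions; the real Security Hub, Defender and Security Command Center scores use their own rule sets and weighting.

```python
import ipaddress

# Constructed security groups (hypothetical names and ranges).
GROUPS = [
    {"name": "prod-lb", "tier": "prod", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "prod-app", "tier": "prod", "ingress": [{"port": 8080, "source_sg": "prod-lb"}]},
    {"name": "prod-db", "tier": "prod", "ingress": [{"port": 5432, "source_sg": "prod-app"},
                                                      {"port": 5432, "cidr": "10.50.0.0/16"}]},
    {"name": "prod-bastion", "tier": "prod", "ingress": [{"port": 22, "source_sg": "dev-app"}]},
    {"name": "dev-app", "tier": "dev", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
]

# Baseline assumptions: office/dev address space, and the only group allowed to face the internet.
NON_PROD_RANGES = [ipaddress.ip_network("10.50.0.0/16"),   # office (constructed)
                   ipaddress.ip_network("10.60.0.0/16")]   # dev VPC (constructed)
PUBLIC_GROUPS = {"prod-lb": {443}}   # group name -> ports it may expose to 0.0.0.0/0


def audit_groups(groups, non_prod_ranges, public_groups):
    """Return (group name, message) pairs for every ingress rule that breaks the baseline."""
    by_name = {g["name"]: g for g in groups}
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            port = rule["port"]
            if "cidr" in rule:
                net = ipaddress.ip_network(rule["cidr"])
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
                    if port not in public_groups.get(g["name"], set()):
                        findings.append((g["name"], f"port {port} open to the internet"))
                elif g["tier"] == "prod" and any(net.overlaps(r) for r in non_prod_ranges):
                    # Segmentation: production must not be reachable from office or dev space.
                    findings.append((g["name"], f"port {port} reachable from non-production range {net}"))
            else:
                src = by_name.get(rule["source_sg"])
                if src is None:
                    findings.append((g["name"], f"port {port} references unknown group {rule['source_sg']}"))
                elif g["tier"] == "prod" and src["tier"] != "prod":
                    findings.append((g["name"], f"port {port} reachable from {src['tier']} group {src['name']}"))
    return findings


def compliance_score(groups, non_prod_ranges, public_groups):
    """Percentage of groups with no findings; a crude stand-in for a provider's posture score."""
    failing = {name for name, _ in audit_groups(groups, non_prod_ranges, public_groups)}
    return round(100.0 * (len(groups) - len(failing)) / len(groups), 1)


if __name__ == "__main__":
    for name, msg in audit_groups(GROUPS, NON_PROD_RANGES, PUBLIC_GROUPS):
        print(f"{name}: {msg}")
    print(f"score: {compliance_score(GROUPS, NON_PROD_RANGES, PUBLIC_GROUPS)}%")
```

Run against a real export this flags exactly the drift 3.7 describes: the office range that someone added to the database group "temporarily", and the dev group that quietly gained a path into production.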

3.8 Penetration testing

NIS2 does not mandate annual penetration tests by name, but regulators expect you to actively test your defenses. A penetration test from a qualified third party, covering your public-facing application and your cloud infrastructure, is the clearest way to demonstrate this. Budget: €5,000 to €20,000 depending on scope, annually.


Section 4: Supply Chain Security

This section catches most startups off guard.

4.1 Inventory your third-party vendors with system access

List every vendor, tool, or service that processes your customer data or has access to your systems. Include SaaS tools, cloud providers, contractors, subprocessors. Prioritise them by how much access they have and how critical they are.

4.2 Conduct security assessments of critical vendors

For your highest-risk vendors, review their security posture. This means requesting their SOC 2 report or ISO 27001 certificate, reviewing their data processing agreement, and checking their breach disclosure history. You don't need to audit every tool. Focus on the ones that would hurt you most if compromised.

4.3 Include security requirements in vendor contracts

Your contracts with vendors who process personal data or have system access should include: minimum security standards, breach notification timelines (NIS2 requires 24-hour notification to authorities), data handling obligations, and the right to audit.

4.4 Monitor vendor security posture on an ongoing basis

Quarterly is enough for most vendors. Annual is acceptable for low-risk tools. Critical vendors with production access warrant more frequent checks.


Section 5: Incident Response

5.1 Document an incident response plan

Write down what you do when something goes wrong. Who gets notified? Who decides whether it's a reportable incident? Who communicates with customers? Who talks to regulators? A two-page document covering these questions is enough to start.

5.2 Know your NIS2 notification obligations

This is the part that will trip you up if you don't know it.

Under NIS2, if you experience a significant incident affecting the security of your network and information systems, you must:

  • Notify the relevant national authority within 24 hours of becoming aware (early warning)
  • Submit a full incident notification within 72 hours (including initial assessment, severity, indicators of compromise)
  • Provide a final incident report within one month

A "significant incident" is one that has caused or is capable of causing severe operational disruption, financial loss, or material damage to others. If customer data was accessed without authorisation, it's significant.

5.3 Test your incident response plan

Run a tabletop exercise at least annually. Pick a realistic scenario ("we discovered an unauthorised access to our database three days ago"). Walk through your response. Find the gaps before an actual incident does.

5.4 Log and monitor your critical systems

You cannot detect an incident you're not logging for. At minimum: authentication events, privileged access, API calls to sensitive data, and system configuration changes. Centralise your logs. Set up alerts for anomalous behaviour. Retain logs for at least 12 months.
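An added example (not from the page or from Probo) of the four event classes in 5.4 turned into detection logic: it reads JSON log lines and raises alerts for a burst of failed authentications from one source, privileged access outside business hours, access to a sensitive data resource by an unexpected principal, and any configuration change. The log lines are constructed (addresses come from the documentation ranges), and the thresholds, business hours and allow-list are assumptions of this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines: JSON, one event per line.
SAMPLE_LOG = """\
{"ts": "2026-02-03T02:00:00Z", "type": "auth", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:00:20Z", "type": "auth", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:00:45Z", "type": "auth", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:01:10Z", "type": "auth", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:01:40Z", "type": "auth", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:02:30Z", "type": "auth", "result": "success", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T02:05:00Z", "type": "privileged", "action": "assume-role:prod-admin", "user": "alice", "src": "203.0.113.7"}
{"ts": "2026-02-03T09:10:00Z", "type": "api", "resource": "customer_records", "action": "export", "user": "svc-reporting"}
{"ts": "2026-02-03T09:15:00Z", "type": "api", "resource": "customer_records", "action": "read", "user": "support-tool"}
{"ts": "2026-02-03T10:00:00Z", "type": "config_change", "target": "security-group/prod-db", "user": "bob"}
{"ts": "2026-02-03T11:00:00Z", "type": "auth", "result": "fail", "user": "carol", "src": "198.51.100.9"}
"""

# Tunables (assumptions for this example, not values from the checklist).
FAIL_THRESHOLD = 5          # failed logins from one source ...
FAIL_WINDOW_SECONDS = 300   # ... within this many seconds
BUSINESS_HOURS_UTC = range(8, 18)
SENSITIVE_RESOURCES = {"customer_records"}
SENSITIVE_ALLOWLIST = {"support-tool"}   # principals expected to touch sensitive data


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(log_text):
    """Run the four detections over the log and return alert dicts in event order."""
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent failures (sliding window)
    already_alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = _parse(ev["ts"])
        if ev["type"] == "auth" and ev["result"] == "fail":
            window = fails[ev["src"]]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                window.popleft()   # drop failures that fell out of the window
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])   # one alert per source, not one per extra failure
                alerts.append({"rule": "brute_force", "src": ev["src"], "count": len(window), "ts": ev["ts"]})
        elif ev["type"] == "privileged" and ts.hour not in BUSINESS_HOURS_UTC:
            alerts.append({"rule": "privileged_off_hours", "user": ev["user"], "action": ev["action"], "ts": ev["ts"]})
        elif ev["type"] == "api" and ev["resource"] in SENSITIVE_RESOURCES and ev["user"] not in SENSITIVE_ALLOWLIST:
            alerts.append({"rule": "sensitive_data_access", "user": ev["user"], "action": ev["action"], "ts": ev["ts"]})
        elif ev["type"] == "config_change":
            # Every change is alerted; the reviewer matches it to a change ticket.
            alerts.append({"rule": "config_change", "user": ev["user"], "target": ev["target"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the first alert fires on the fifth failure from 203.0.113.7 and the second on the 02:05 assumption of a production admin role by the same source minutes later; read together they are exactly the "three days ago" scenario 5.3 asks you to rehearse, which is why centralising the logs matters more than any single rule.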


Section 6: Business Continuity

6.1 Maintain and test backups

Backups of critical systems and data must exist, must be encrypted, and must be tested. "We have backups" is not enough. The question is: how long does it take to restore from backup, and did you actually test it in the last six months?

6.2 Document recovery time objectives (RTOs)

For each critical service, define how long you can tolerate it being unavailable (RTO) and how much data loss is acceptable (RPO). Write it down. Verify that your backup and recovery processes can actually meet those targets.
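An added example (not from the page or from Probo) covering 6.1 and 6.2 together: for each critical service it checks that backups are encrypted, that the newest backup is no older than the RPO, that a restore was tested within the last six months, and that the measured restore time fits inside the RTO. The services, targets and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed service catalogue (hypothetical services, targets and backup history).
SERVICES = [
    {"name": "api", "rto_minutes": 60, "rpo_minutes": 15, "encrypted": True,
     "latest_backup": "2026-04-01T11:50:00Z",
     "last_restore_test": "2026-02-10T00:00:00Z", "measured_restore_minutes": 45},
    {"name": "billing-db", "rto_minutes": 240, "rpo_minutes": 60, "encrypted": True,
     "latest_backup": "2026-04-01T09:00:00Z",
     "last_restore_test": "2025-08-01T00:00:00Z", "measured_restore_minutes": 300},
    {"name": "analytics", "rto_minutes": 1440, "rpo_minutes": 1440, "encrypted": False,
     "latest_backup": "2026-03-31T23:00:00Z",
     "last_restore_test": None, "measured_restore_minutes": None},
]

NOW = _parse("2026-04-01T12:00:00Z")        # fixed "now" for a reproducible run
RESTORE_TEST_MAX_AGE = timedelta(days=180)  # the checklist's "last six months"


def check_continuity(service, now):
    """Return the reasons this service fails the backup/RTO/RPO checks (empty list = passes)."""
    problems = []
    if not service["encrypted"]:
        problems.append("backups are not encrypted")
    # RPO: if the newest backup is older than the RPO, a failure right now loses more than allowed.
    backup_age = now - _parse(service["latest_backup"])
    if backup_age > timedelta(minutes=service["rpo_minutes"]):
        problems.append(f"newest backup is {int(backup_age.total_seconds() // 60)} min old, "
                        f"RPO is {service['rpo_minutes']} min")
    if service["last_restore_test"] is None:
        problems.append("restore has never been tested")
    else:
        if now - _parse(service["last_restore_test"]) > RESTORE_TEST_MAX_AGE:
            problems.append("last restore test is older than six months")
        # RTO: the restore you actually measured must fit inside the tolerance you wrote down.
        if service["measured_restore_minutes"] > service["rto_minutes"]:
            problems.append(f"measured restore took {service['measured_restore_minutes']} min, "
                            f"RTO is {service['rto_minutes']} min")
    return problems


def continuity_report(services, now):
    """Service name -> list of problems, for the whole catalogue."""
    return {s["name"]: check_continuity(s, now) for s in services}


if __name__ == "__main__":
    for name, problems in continuity_report(SERVICES, NOW).items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The billing database in the sample has backups and still fails on all three counts, which is the point of 6.1: "we have backups" says nothing about whether the targets in 6.2 can actually be met.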

6.3 Document a business continuity plan

What do you do if your primary cloud region goes down? What if your offices are inaccessible? What if a key employee is unavailable during a crisis? These scenarios don't need perfect answers. They need documented procedures that the rest of your team can follow without the person who "just knows."


Section 7: Reporting and Registration

7.1 Register with your national competent authority

Most EU member states have designated a national authority responsible for NIS2 oversight. In France, it's ANSSI. In Germany, BSI. In the Netherlands, NCSC-NL. In Ireland, the NCSC. If your business falls under NIS2, you are required to register with the relevant authority. Check whether your country has published a public register or registration process. Many did this through 2024 and 2025.

7.2 Understand which authority has jurisdiction over you

If you operate across multiple EU member states, jurisdiction is generally determined by your main establishment (where your EU headquarters or principal operations are). Get clarity on this before an incident forces the question.

7.3 Document evidence of compliance

NIS2 does not require a formal certification the way ISO 27001 does. But it does require that you can demonstrate compliance when asked. Maintain a compliance register: the controls you've implemented, the policies you've approved, the risk assessments you've conducted, and the incidents you've handled. This evidence file is your defence in a regulatory investigation.


NIS2 vs. ISO 27001: Do You Need Both?

Frequently asked question. Here's the direct answer.

ISO 27001 certification is not required by NIS2. But the two frameworks overlap substantially. If you're already ISO 27001 certified, you've addressed the majority of NIS2's technical and governance requirements. You'll still need to layer on the NIS2-specific obligations: the 24-hour incident notification timelines, the supply chain security requirements, and the registration with national authorities.

If you're starting from scratch and your customers are primarily European enterprise, consider getting ISO 27001 certified. It satisfies NIS2 alignment and gives you a globally recognised certification to put in front of procurement teams.

If you're a small team focused on a US market that also sells into Europe, NIS2 alignment without a formal certification is a reasonable intermediate position.


The Mistakes Most Tech Companies Make With NIS2

Treating it as a legal exercise, not a security one. The regulation exists because real organisations had catastrophic failures. The controls are there because they work. Build them to actually protect your systems, not just to check a box.

Waiting for a fine before starting. Penalties under NIS2 can reach €10 million or 2% of global annual turnover for important entities, and €20 million or 2% of global revenue for essential entities. The enforcement calendar across EU member states accelerated through 2025.

Ignoring supply chain requirements. Most breaches come through vendors, not direct attacks. NIS2's supply chain provisions exist for this reason. This is not a paperwork exercise.

Conflating NIS2 and GDPR. They're related but separate. GDPR governs personal data. NIS2 governs security of network and information systems. A breach can trigger obligations under both. Know the difference.


What to Do Next

If you're starting from zero, do these five things first:

  1. Confirm whether NIS2 legally applies to you (size, sector, EU presence)
  2. Assign a named owner for NIS2 compliance at your company
  3. Conduct a risk assessment and map your critical systems
  4. Turn on MFA across all critical systems (this week, not next quarter)
  5. Document an incident response plan and the 24-72 hour notification procedure

Everything else can be phased over 6 to 12 months.

If you want to track progress against the full checklist, structure your evidence, and get audit-ready without spending hundreds of hours on documentation, Probo handles this for European tech companies. The platform maps NIS2 requirements to concrete tasks, tracks completion, and stores your evidence in one place. Most teams get through the initial setup in under 10 hours.

NIS2 is not the most complex regulation you'll ever deal with. But it does require deliberate, documented action. Start now. The frameworks are clear. The controls are achievable. The only thing missing is the work.

For more context, see our complete NIS2 guide and NIS2 for tech teams.
