NIS2 — the EU's Network and Information Security Directive — replaced the original NIS Directive and significantly expanded its scope. Where the original directive covered a narrow set of operators, NIS2 applies to thousands of organisations across 18 sectors, including energy, transport, banking, health, water, digital infrastructure, manufacturing, food production, and public administration.
The transposition deadline was 17 October 2024. National regulators are now enforcing, even though several member states transposed late. If you have not yet determined whether NIS2 applies to your organisation, that determination needs to happen now.
1. Determine whether you are an essential or important entity
NIS2 distinguishes between essential entities and important entities. The classification is based on sector and on organisation size (employee count, annual turnover and balance sheet total). Both categories must implement the same risk management measures and meet the same incident reporting obligations; the difference lies in supervision and penalties. Essential entities are supervised proactively (audits, inspections and information requests at any time) and face maximum fines of at least EUR 10 million or 2% of worldwide annual turnover, whichever is higher. Important entities are supervised reactively, when the authority has evidence of non-compliance, and face maximum fines of at least EUR 7 million or 1.4%.
Broadly:
- Essential entities: large organisations (250 or more employees, or more than EUR 50M turnover and more than EUR 43M balance sheet total) in the high-criticality sectors of Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space)
- Important entities: medium-sized organisations (50 or more employees, or more than EUR 10M turnover and balance sheet total) in the Annex I sectors, and large and medium-sized organisations in the "other critical sectors" of Annex II (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research)
Size is not always decisive. Some entities are in scope regardless of size, for example providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers, and any entity that is the sole provider in a member state of a service essential to society or whose disruption could have a significant cross-border impact. Some national implementations have also extended NIS2 beyond the EU minimum. Check the transposition law in each member state where you operate.
2. Register with your national competent authority if required
Several EU member states require in-scope entities to register with the national competent authority for their sector. Missing this step puts you in breach before you've done anything else on the compliance checklist.
Check the registration requirements in each jurisdiction where your organisation operates. Registration deadlines vary by member state. Some registration portals are already open; others are being rolled out.
3. Conduct a cybersecurity risk assessment
NIS2 (Article 21) requires in-scope organisations to take appropriate and proportionate measures, based on an all-hazards approach, to manage the risks to the network and information systems they use for their operations or to provide their services. In practice that means a documented risk assessment. This is not a standard IT audit. It is a structured risk assessment with documented findings, identified risk owners, and a clear link between the risks identified and the security measures implemented. "All-hazards" means physical and environmental threats (power loss, fire, flooding, theft) are in scope alongside cyber attacks.
The risk assessment must be updated regularly — at minimum when significant changes occur to your environment or after a significant incident. It forms the basis for everything else in your cybersecurity programme.
4. Implement the 10 minimum security measures NIS2 requires
NIS2 lists the minimum measures in Article 21(2). Every in-scope entity must implement, proportionately to its size, exposure and the likely impact of an incident:
- Policies on risk analysis and information system security, documented and approved by management
- Incident handling: detection, response and recovery processes
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Multi-factor authentication or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate
Document your implementation of each measure, including the reasoning behind what you judged proportionate. A gap in any of these 10 areas is a compliance gap. Entities in the digital infrastructure and digital provider categories (DNS and TLD providers, cloud and data centre providers, CDNs, managed service and managed security service providers, online marketplaces, search engines, social networking platforms and trust service providers) additionally have to meet the more detailed technical and methodological requirements of Commission Implementing Regulation (EU) 2024/2690.
5. Build an incident detection capability
NIS2's incident reporting obligations are only useful if you can detect incidents in the first place. Monitoring, alerting, and logging must be in place before an incident occurs.
What does this mean in practice? At minimum: centralised logging for critical systems, alerts on anomalous behaviour, and a defined process for what happens when an alert fires. For larger organisations, this means SIEM tooling and defined detection use cases. For smaller in-scope entities, it may mean leveraging managed security services.
You cannot report incidents you don't know about.
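What "alerts on anomalous behaviour, and a defined process for what happens when an alert fires" looks like at the smallest scale, as an added example written for this article (it is not from the original page and not a product's rule): a sliding-window brute-force rule over constructed sshd-style log lines, escalated to a higher severity when the same source later succeeds, followed by a triage step that routes the alert. The log format, thresholds and the two triage outcomes are this example's own assumptions; adapt the regex to your collector's output.

```python
"""Minimal detection rule over constructed auth log lines: flag a source that
produces N failed logins within a sliding window, escalate if that source then
logs in successfully, and hand each alert to a triage function."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines (assumption: your collector forwards sshd logs in
# this shape). 203.0.113.7 brute-forces and then gets in; 198.51.100.20 is benign.
SAMPLE_LOG = """\
2025-03-03T09:00:01Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
2025-03-03T09:00:03Z host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51014 ssh2
2025-03-03T09:00:05Z host1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51016 ssh2
2025-03-03T09:00:06Z host1 sshd[2104]: Failed password for oracle from 203.0.113.7 port 51018 ssh2
2025-03-03T09:00:08Z host1 sshd[2105]: Failed password for root from 203.0.113.7 port 51020 ssh2
2025-03-03T09:00:09Z host1 sshd[2106]: Accepted publickey for deploy from 198.51.100.20 port 40002 ssh2
2025-03-03T09:00:40Z host1 sshd[2107]: Accepted password for root from 203.0.113.7 port 51022 ssh2
2025-03-03T09:15:00Z host1 sshd[2108]: Failed password for alice from 198.51.100.20 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(line):
    """Return a dict for a recognised line, None otherwise. In production,
    count unparsed lines too, so a log format change does not blind the rule."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force rule plus 'success after burst' escalation."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()                 # sources already alerted (one alert per source here)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": ev["src"], "host": ev["host"],
                               "ts": ev["ts"], "count": len(q)})
        elif ev["src"] in alerted:
            # A successful login from a source that just brute-forced is what
            # turns a noisy medium alert into a probable compromise.
            alerts.append({"rule": "ssh_success_after_bruteforce", "severity": "high",
                           "src": ev["src"], "host": ev["host"],
                           "ts": ev["ts"], "user": ev["user"]})
    return alerts

def triage(alert):
    """The 'what happens when an alert fires' step (assumed playbook)."""
    if alert["severity"] == "high":
        return "declare_incident"   # hand to the IR lead; significance assessment starts here
    return "analyst_review"         # queue for an analyst; no incident declared yet

def run(log_text=SAMPLE_LOG):
    return [(a["rule"], a["src"], triage(a)) for a in detect(log_text.splitlines())]

if __name__ == "__main__":
    for row in run():
        print(row)
```

The point of the second rule is the one the paragraph makes: a brute-force alert on its own is analyst noise, but the same source succeeding shortly afterwards is the event that should reach the person with authority to declare an incident, and that hand-off has to exist before the event occurs.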
6. Create an incident response procedure with clear escalation paths and defined roles
When a significant incident occurs, there must be a documented procedure that your team can follow. The procedure should define:
- How an incident is declared (who makes the determination, based on what criteria)
- Who owns the incident response
- Who notifies the CSIRT (or, where the member state designates it, the competent authority) within the statutory deadlines
- Who communicates to affected customers and other stakeholders
- Who manages external communications (media, regulators)
The procedure must be tested. A documented incident response procedure that has never been exercised will fail under real conditions.
7. Establish a 24-hour early warning process
NIS2 (Article 23) defines a significant incident as one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. For significant incidents it requires:
- Early warning to the CSIRT (or competent authority): within 24 hours of becoming aware, stating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification: within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise (trust service providers have 24 hours for this step)
- Intermediate status updates: on request of the CSIRT or competent authority
- Final report: no later than one month after submitting the incident notification (not one month after becoming aware), with a detailed description including severity and impact, the type of threat or root cause, the applied and ongoing mitigations, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, and the final report within one month of the incident being handled
This timeline is tighter than most organisations expect. The 24-hour early warning in particular requires that someone can make the classification decision quickly, without waiting for a full investigation.
Build the internal escalation process that enables this. Identify who has authority to classify an incident as "significant" and trigger the notification.
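A small reporting-clock helper, added here as an example for this article (it is not a regulator's tool and not code from the original page): it records the two Article 23(3) significance criteria as explicit yes/no decisions, derives the 24-hour and 72-hour deadlines from the time of awareness, and derives the final-report deadline from when the notification was actually submitted, which is the detail teams most often get wrong. The field names, the month arithmetic (calendar month, clamped to a shorter month's last day) and the status labels are this example's own assumptions; confirm how your authority counts "one month" against the national transposition.

```python
"""Reporting-clock helper for NIS2 Article 23 deadlines."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)   # Art. 23(4)(a), counted from becoming aware
NOTIFICATION = timedelta(hours=72)    # Art. 23(4)(b), counted from becoming aware

def plus_one_month(dt):
    """One calendar month later, clamped to the last day of a shorter month
    (31 Jan -> 28/29 Feb). Assumption: your authority counts a month this way."""
    month = dt.month % 12 + 1
    year = dt.year + (1 if dt.month == 12 else 0)
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

@dataclass
class Incident:
    aware_at: datetime                   # timezone-aware: when the entity became aware
    severe_disruption: bool = False      # Art. 23(3)(a): severe disruption or financial loss
    damage_to_others: bool = False       # Art. 23(3)(b): considerable damage to other persons
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    @property
    def significant(self):
        return self.severe_disruption or self.damage_to_others

def deadlines(inc):
    """Deadlines for a significant incident; empty dict if it is not significant.
    The final-report deadline is unknown until the notification has gone out."""
    if not inc.significant:
        return {}
    due = {"early_warning": inc.aware_at + EARLY_WARNING,
           "notification": inc.aware_at + NOTIFICATION,
           "final_report": None}
    if inc.notification_sent_at is not None:
        due["final_report"] = plus_one_month(inc.notification_sent_at)   # Art. 23(4)(d)
    return due

def status(inc, now):
    """Per stage: 'sent', 'late' (sent after its deadline), 'overdue',
    'pending_notification', or 'due_in_<hours>h'."""
    out = {}
    for stage, due in deadlines(inc).items():
        sent = getattr(inc, f"{stage}_sent_at")
        if sent is not None:
            out[stage] = "late" if due is not None and sent > due else "sent"
        elif due is None:
            out[stage] = "pending_notification"
        elif now > due:
            out[stage] = "overdue"
        else:
            out[stage] = f"due_in_{int((due - now).total_seconds() // 3600)}h"
    return out

def example():
    """Constructed scenario: aware late on 30 Jan, early warning after 20 h,
    notification on 31 Jan, status checked on 3 Feb."""
    aware = datetime(2025, 1, 30, 22, 0, tzinfo=timezone.utc)
    inc = Incident(aware_at=aware, severe_disruption=True,
                   early_warning_sent_at=aware + timedelta(hours=20),
                   notification_sent_at=datetime(2025, 1, 31, 18, 0, tzinfo=timezone.utc))
    now = datetime(2025, 2, 3, 0, 0, tzinfo=timezone.utc)
    return inc, deadlines(inc), status(inc, now)

if __name__ == "__main__":
    inc, due, st = example()
    for stage in due:
        print(stage, due[stage], st[stage])
```

Because the notification in the scenario went out on 31 January, the final report falls due on 28 February, a month after that submission rather than a month after awareness. Submitting the notification early therefore brings the final-report deadline forward, which is worth knowing before someone sends it at hour 12 to "get it over with".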
8. Assess the cybersecurity posture of your ICT supply chain
NIS2 explicitly extends security obligations into the supply chain. Every significant ICT supplier — cloud providers, managed service providers, software vendors, system integrators — that could affect the security of your services must be assessed.
This means: supplier questionnaires covering security practices, contractual clauses requiring security standards and incident notification, ongoing monitoring of supplier security posture, and a process for acting on adverse findings. The depth of assessment should be proportionate to the criticality of the supplier. Article 21(3) asks entities to weigh the vulnerabilities specific to each supplier and the overall quality of its products and secure development practices, so a questionnaire alone is a weak basis for a supplier whose failure would take your service down.
9. Document your business continuity, disaster recovery, and crisis management plans — and test them
NIS2 requires documented business continuity and disaster recovery plans specifically covering ICT disruptions. Documentation is the minimum. Regulators expect evidence that the plans work.
Run tabletop exercises at minimum annually. For critical systems, run actual recovery tests — simulate a system failure, a ransomware incident, or a key-person absence. Time the recovery. Document the gaps. Update the plans. The test record is part of your compliance evidence.
10. Ensure management is trained and accountable
NIS2 explicitly holds management bodies — boards, senior management teams — responsible for cybersecurity. This is a deliberate design choice: the regulation wants security decisions to be made at the level where strategic resources are allocated.
Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements (Article 20). They must also follow training that gives them sufficient knowledge and skills to identify risks and assess the risk management practices in place, and should offer similar training to employees. Regular reporting on the organisation's security posture is how they exercise that oversight in practice.
Board-level sign-off on your security programme is required. "The IT team handles this" is not an acceptable answer.
The transposition deadline was 17 October 2024 and national regulators are now enforcing. If you haven't started, you're already behind.
Knowing the 10 steps and having them documented, monitored, and auditable are two different things.
This article is for informational purposes only and does not constitute legal advice. For legal advice specific to your situation, consult a qualified attorney licensed in your jurisdiction.
