Skip to content
AuditFront
NIS2 xlsx

NIS2 Compliance Checklist

The NIS2 Directive represents the most significant overhaul of EU cybersecurity regulation in years, dramatically expanding the scope of organizations that must meet strict cybersecurity requirements. With fines reaching EUR 10 million or 2% of global annual turnover for essential entities — and personal liability for management bodies — the stakes for non-compliance are higher than ever. This NIS2 compliance checklist provides a structured approach to evaluating your organization's readiness against the directive's requirements as transposed into national law across EU member states. The checklist is organized around NIS2's core requirement areas as defined in Article 21: cybersecurity risk management measures, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition and development, vulnerability handling and disclosure, cybersecurity risk assessment practices, cryptography and encryption, human resources security and access control, and multi-factor authentication. For each requirement area, the template provides a clear explanation of the obligation, practical guidance on what constitutes compliance, a status assessment field, and space to document your current implementation and planned remediation actions. Beyond the technical requirements, the checklist addresses NIS2's governance and reporting obligations: management body accountability and training requirements, incident reporting timelines (24-hour early warning, 72-hour notification, one-month final report), registration with national competent authorities, and cooperation with CSIRTs. These procedural requirements are often overlooked but are critical for compliance — having strong technical controls means little if you cannot demonstrate proper governance or meet reporting deadlines during an incident.

Download Free Template Free XLSX download -- no account needed
XLSX

NIS2 Compliance Checklist

Free template

What's Inside

Complete requirement checklist covering all NIS2 Article 21 cybersecurity risk management measures
Entity classification worksheet to determine if your organization qualifies as essential or important
Sector-specific applicability guide covering all 18 sectors identified in NIS2 Annexes I and II
Incident reporting timeline checklist with 24-hour, 72-hour, and 30-day milestone requirements
Management body accountability tracker covering approval, oversight, and training obligations
Supply chain security assessment framework for evaluating direct suppliers and service providers
National transposition tracker noting key differences across major EU member states (Germany, France, Netherlands, etc.)
ISO 27001 cross-reference mapping showing which ISO controls satisfy NIS2 requirements

Who It's For

CISOs and security managers at organizations classified as essential or important entities under NIS2 Board members and C-suite executives who face personal liability under NIS2's management accountability provisions Compliance officers responsible for implementing NIS2 requirements at the organizational level IT managers at mid-sized companies newly brought into scope by NIS2's expanded applicability Consultants and advisors helping clients prepare for NIS2 compliance

How It Works

1

Download free

Get your free XLSX template instantly. No account required.

2

Fill in assessment

Work through each section using the built-in guidance and examples.

3

Import to AuditFront

Upload your completed template to AuditFront for tracking, collaboration, and audit preparation.

Frequently Asked Questions

Does my organization fall under NIS2?
NIS2 applies to organizations in 18 specific sectors classified as either 'essential entities' (energy, transport, banking, health, digital infrastructure, etc.) or 'important entities' (postal services, waste management, chemicals, food, manufacturing, digital providers, etc.). Generally, organizations with 50+ employees or EUR 10M+ annual turnover in covered sectors are in scope. Some entities are covered regardless of size. This checklist includes a classification worksheet to help you determine your status.
When does NIS2 come into effect?
The NIS2 Directive required EU member states to transpose it into national law by October 17, 2024. Implementation timelines vary by country — some member states met the deadline while others are still finalizing their national legislation. Regardless of national transposition status, organizations should be preparing now, as enforcement will be retroactive to the transposition deadline in many jurisdictions.
How does this relate to ISO 27001?
This checklist includes an ISO 27001 cross-reference mapping throughout. If your organization already holds ISO 27001 certification, you will have a significant head start — approximately 70-80% of NIS2 requirements map to existing ISO 27001 controls. The checklist highlights the specific gaps you need to address, particularly around incident reporting timelines, management accountability, and supply chain security.
What are the penalties for NIS2 non-compliance?
Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to EUR 7 million or 1.4% of global annual turnover. Additionally, NIS2 introduces personal liability for management bodies, meaning individual executives can be held responsible for compliance failures. These penalties make NIS2 compliance a board-level priority.

Ready to go beyond spreadsheets?

Import your completed template into AuditFront for real-time tracking, team collaboration, and automated audit preparation.

Start Free on AuditFront